Security Basics mailing list archives
Re: questions on SSL
From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Fri, 14 Nov 2008 18:07:04 +0100
On 2008-11-14 s0h0us () yahoo com wrote:
> I'm looking for some comments regarding using SSL to encrypt connectivity to an entire website as opposed to just certain critical connections such as an online banking link at a financial institution. Is this a more common practice now? Bandwidth wouldn't seem to be as big an issue as it was in the past with dialup connections.

Bandwidth isn't so much an issue as CPU consumption. Having to encrypt/decrypt connections will put considerably more load on the server. Moreover, encryption has no value in itself. It has a value only when it's used to protect something from a threat (e.g. guarantee the integrity of data transmitted between client and server). However, SSL is not only for encryption, but will also guarantee the authenticity of the website. If you want to ensure that, then you may still want SSL, even if you don't actually need encryption.

> Can one SSL certificate be used to encrypt multiple links originating from the same site:
> https://x.domain.com
> https://y.domain.com

You can get wildcard certificates (*.example.com) which will allow this. However, there's more to consider than just securing connections by using SSL. I suggest you take a look at this whitepaper [1] released by NGSSoftware.

[1] http://www.ngssoftware.com/papers/NISR-BestPracticesInHostURLNaming.pdf

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
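
Added example, not part of the original message: a simplified Python model of how a client matches a wildcard certificate name against a hostname, showing which names a `*.domain.com` certificate covers. The function names and the host list are constructed for illustration; the strict "whole leftmost label only" rule is an assumption noted in the comments.

```python
# Added example: simplified model of how a TLS client matches a certificate
# name against the hostname it connected to. Assumption: "*" is accepted only
# as the entire leftmost label (strict reading of RFC 6125, section 6.4.3).

def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if cert_name (possibly a wildcard) covers hostname."""
    if "*" in hostname:
        return False  # a requested hostname is never a pattern
    c = cert_name.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "" in c or "" in h:
        return False  # empty label, e.g. "a..b" or an empty string
    if c[0] != "*":
        # Exact name: no wildcard allowed anywhere, labels must be identical.
        return "*" not in cert_name and c == h
    parent = c[1:]
    # Assumption: require two or more labels after "*", so "*.com" is refused.
    if len(parent) < 2 or any("*" in label for label in parent):
        return False
    # "*" stands for exactly one label: same depth, same parent domain.
    return len(h) == len(c) and h[1:] == parent


def coverage_report(cert_names, hostnames):
    """Map each hostname to the certificate names that cover it."""
    return {
        host: [n for n in cert_names if name_matches(n, host)]
        for host in hostnames
    }


# Constructed sample data, using the domain from the question above.
WILDCARD_CERT = ["*.domain.com"]
HOSTS = ["x.domain.com", "y.domain.com", "domain.com",
         "a.x.domain.com", "x.domain.com.evil.example"]

if __name__ == "__main__":
    for host, names in coverage_report(WILDCARD_CERT, HOSTS).items():
        print(f"{host:28} {'covered by ' + ', '.join(names) if names else 'NOT covered'}")
```

The bare domain and deeper subdomains fall outside the wildcard, so a certificate meant to serve them as well has to list them as additional names.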