Security Basics mailing list archives

Re: questions on SSL


From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Fri, 14 Nov 2008 18:07:04 +0100

On 2008-11-14 s0h0us () yahoo com wrote:
> I'm looking for some comments regarding using SSL to encrypt
> connectivity to entire website as opposed to just certain critical
> connections such as an online banking link at a financial
> institution. Is this a more common practice now? Bandwidth wouldn't
> seem to be as big an issue as it was in the past with dialup
> connections.

Bandwidth isn't so much an issue as CPU consumption. Having to encrypt/
decrypt connections will put considerably more load on the server.
Moreover, encryption has no value in itself. It has a value only when
it's used to protect something from a threat (e.g. guarantee the
integrity of data transmitted between client and server).

However, SSL is not only for encryption, but will also guarantee the
authenticity of the website. If you want to ensure that, then you may
still want SSL, even if you don't actually need encryption.

> Can one SSL certificate be used to encrypt multiple links originating
> from the same site:
> https://x.domain.com
> https://y.domain.com

You can get wildcard certificates (*.example.com) which will allow this.
However, there's more to consider than just securing connections by
using SSL. I suggest you take a look at this whitepaper [1] released by
NGSSoftware.

[1] http://www.ngssoftware.com/papers/NISR-BestPracticesInHostURLNaming.pdf

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
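
The wildcard coverage mentioned in the reply above, as an added example that is not part of the original message: a small matcher showing which hostnames a name like *.example.com does and does not cover. It assumes the common RFC 6125 rules (the wildcard is the whole left-most label and stands for exactly one label); the function names and sample hosts are constructed for illustration.

```python
import ipaddress


def _is_ip(value: str) -> bool:
    """IP literals are checked against iPAddress entries, never DNS wildcards."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if hostname is covered by one certificate DNS name."""
    if _is_ip(hostname) or "*" in hostname:
        return False
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(cert_labels) != len(host_labels) or "" in host_labels:
        return False
    if cert_labels[0] == "*":
        # Require at least two fixed labels after the wildcard (reject "*.com").
        if len(cert_labels) < 3:
            return False
        return cert_labels[1:] == host_labels[1:]
    # A "*" in any other position is not treated as a wildcard.
    return cert_labels == host_labels


def covered(cert_names, hostname):
    """A certificate is valid for hostname if any of its names matches."""
    return any(name_matches(name, hostname) for name in cert_names)


# Constructed sample data: names on a hypothetical wildcard certificate.
CERT_NAMES = ["*.example.com"]
HOSTS = ["x.example.com", "y.example.com", "example.com",
         "a.b.example.com", "x.example.org"]


def report(cert_names=CERT_NAMES, hosts=HOSTS):
    return {host: covered(cert_names, host) for host in hosts}


if __name__ == "__main__":
    for host, ok in report().items():
        print(f"{host:20} {'covered' if ok else 'NOT covered'}")
```

The bare domain and deeper subdomains are not covered by the wildcard, so a certificate meant to serve them needs those names listed as well.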

