WebApp Sec mailing list archives

Re: Should login pages be protected by SSL?


From: Kalyan Varma <kalyan () rtns org>
Date: Tue, 21 Jun 2005 14:44:38 +0530 (IST)

On Mon, 20 Jun 2005, Amir Herzberg wrote:

Here is a simple question: should web login forms be always protected by SSL?

Depends.

If you have a site with high traffic, then the SSL load will hurt your server. For every SSL request, you can handle more than 5 non-SSL requests. Are you ready for that performance tradeoff?

Most of the sites are moving to a challenge-response based login system. This is non-SSL and IMHO quite secure. I think having an SSL login page makes sense, but your site could default to the challenge-response based login page the way sites like Yahoo do it and give an option for an SSL based page.

However, if you are a bank etc., then SSL all the way makes sense.

- Kalyan
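
The challenge-response login described in the message above, sketched as an added example that is not part of the original post or any site's actual implementation: the server issues a single-use nonce, the client returns an HMAC over it, and a replayed response is rejected. The function names, the PBKDF2/HMAC-SHA256 construction, the fixed salt and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SALT = b"constructed-salt"  # assumption: a real server would send a per-user salt

def stored_key(password: str) -> bytes:
    # The server stores this derived key, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"alice": stored_key("correct horse")}  # constructed sample account
_pending = {}  # nonce -> (username, expiry); entries are single use

def issue_challenge(username: str, ttl: float = 60.0) -> str:
    """Server: send a fresh random nonce along with the login form."""
    nonce = secrets.token_hex(16)
    _pending[nonce] = (username, time.monotonic() + ttl)
    return nonce

def client_response(password: str, nonce: str) -> str:
    """Client: prove knowledge of the password without transmitting it."""
    key = stored_key(password)
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

def verify(username: str, nonce: str, response: str) -> bool:
    """Server: accept only a live, unused nonce that was issued to this user."""
    issued = _pending.pop(nonce, None)  # pop, so a nonce can never be reused
    if issued is None or issued[0] != username or time.monotonic() > issued[1]:
        return False
    key = USERS.get(username)
    if key is None:
        return False
    expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)

def demo():
    """Return (fresh login, replay of same pair, old response on new nonce)."""
    nonce = issue_challenge("alice")
    resp = client_response("correct horse", nonce)
    fresh = verify("alice", nonce, resp)
    replay = verify("alice", nonce, resp)  # captured pair sent again
    stale = verify("alice", issue_challenge("alice"), resp)
    return fresh, replay, stale

if __name__ == "__main__":
    print(demo())
```

What this exchange covers is keeping the password off the wire and rejecting a replayed response; it does not authenticate the server or the page that delivers the client-side code.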



