WebApp Sec mailing list archives
Re: Should login pages be protected by SSL?
From: Kalyan Varma <kalyan () rtns org>
Date: Tue, 21 Jun 2005 14:44:38 +0530 (IST)
On Mon, 20 Jun 2005, Amir Herzberg wrote:
Here is a simple question: should web login forms be always protected by SSL?
Depends.If you have a site with high traffic, then the SSL load will hurt your server. For every SSL request, you can handle more then 5 non-SSL requests. Are you ready for that perfomance tradeoff ?
Most of the sites are moving to challenge-response based login system. This is non-SSL and IMHO quite secure. I think having a SSL login page makes sense, but your site could default to the challenge-response based login page the way sites like Yahoo do it and give an option for a SSL based page.
However if you are a bank etc, then SSL all the way makes sense. - Kalyan
Current thread:
- Re: [summary] Re: Should login pages be protected by SSL?, (continued)
- Re: [summary] Re: Should login pages be protected by SSL? Michael Silk (Jun 23)
- Re: [summary] Re: Should login pages be protected by SSL? Wolfgang Reder (Jun 24)
- Re: [summary] Re: Should login pages be protected by SSL? Michael Silk (Jun 24)
- Re: Should login pages be protected by SSL? Dave Ockwell-Jenner (Jun 22)
- Re: Should login pages be protected by SSL? Achim Hoffmann (Jun 23)
- RE: Should login pages be protected by SSL? Glenn Euloth (Jun 21)
- Re: Should login pages be protected by SSL? Peter Watkins (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Saqib Ali (Jun 21)
- Re: Should login pages be protected by SSL? Ian Rogers (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Achim Hoffmann (Jun 21)
- Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
- Re: Should login pages be protected by SSL? Torsten Mueller (Jun 21)