WebApp Sec mailing list archives

[summary] Re: Should login pages be protected by SSL?


From: Steve Shah <sshah () risingedge org>
Date: Wed, 22 Jun 2005 05:35:01 -0700

Amir Herzberg asked the question of "should login pages be SSL
encrypted". The flurry of discussion can be summarized as "Yes"
with the following details:

1. SSL generates a lot of load. A site administrator should be
   concerned over this.

        1a. SSL load for a sufficiently large site (read:
            a site with budget) can be addressed with SSL accelerators.

2. Most people believe that a login page *should* be encrypted 
   for web sites carrying important data. (e.g., financial, etc.)

3. A few exceptions were raised for sites that don't carry valuable
   data (e.g., newspaper sites) since the additional load created
   by SSL does not justify the asset that is being protected.

        3a. The concern over users using the same login/password
            combination was raised. In an unsecured wireless 
            environment, not using SSL means that even if the site
            operator is trustworthy enough not to use the login for
            personal gain, someone sniffing packets might. 

        3b. It was universally agreed that user education for 
            effective usage of passwords is necessary.

4. If a site does use SSL, it is important to use SSLv3 or better.
   Apache and most SSL accelerators (ergo, I suspect most other 
   web servers as well) can be configured to redirect users to a 
   special landing page if they are using an older version of SSL.
   The landing page can provide instructions on how to upgrade
   your browser. Many financial institutions do this.

5. The current reality is that most content sites that are not
   protecting a valuable asset do not use SSL to protect their
   users.

6. You can find Amir's Hall of Shame for sites that should (but don't)
   use SSL for access at http://AmirHerzberg.com/shame.html

-- 
Steve Shah
sshah () RisingEdge org 
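
[Editor's note, added example: not part of the thread above and not code from Apache or any SSL accelerator it mentions. The handler below shows the two practices the summary recommends, forcing the login page onto an encrypted connection (point 2) and sending browsers that negotiated too old a protocol version to an upgrade landing page (point 4), as they would be done in a Go net/http server. Assumptions: the paths /login and /upgrade-browser, the host example.test used in comments, the certificate files cert.pem and key.pem, and TLS 1.2 as the minimum acceptable version, chosen here in place of the SSLv3 floor the 2005 thread mentions.]

```go
package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"net/http"
	"net/url"
)

// minTLSVersion is the lowest negotiated protocol version the login
// page accepts. Assumed value for this example; the thread speaks of
// "SSLv3 or better", which is no longer a sensible floor.
const minTLSVersion = tls.VersionTLS12

// Decision is the gate's verdict for one request: either serve the page
// (Allow) or redirect to Location with the given status code.
type Decision struct {
	Allow    bool
	Status   int
	Location string
}

// gateLogin decides how to handle a request for the login page.
// isTLS says whether the request arrived over TLS, negotiated is the
// protocol version of that connection (0 when not TLS), and host/path
// identify the requested page so plain-HTTP requests can be bounced to
// the same page over HTTPS.
func gateLogin(isTLS bool, negotiated uint16, host, path string) Decision {
	if !isTLS {
		// Point 2: the login form must never be served in the clear.
		u := url.URL{Scheme: "https", Host: host, Path: path}
		return Decision{Status: http.StatusMovedPermanently, Location: u.String()}
	}
	if negotiated < minTLSVersion {
		// Point 4: old protocol version, send the user to the landing page.
		return Decision{Status: http.StatusFound, Location: "/upgrade-browser"}
	}
	return Decision{Allow: true, Status: http.StatusOK}
}

// loginHandler applies gateLogin to a live request. r.TLS is nil for
// plain HTTP and carries the negotiated version otherwise.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	var isTLS bool
	var negotiated uint16
	if r.TLS != nil {
		isTLS = true
		negotiated = r.TLS.Version
	}
	d := gateLogin(isTLS, negotiated, r.Host, r.URL.Path)
	if !d.Allow {
		http.Redirect(w, r, d.Location, d.Status)
		return
	}
	// Login forms should not be cached by intermediaries or the browser.
	w.Header().Set("Cache-Control", "no-store")
	fmt.Fprintln(w, "<form method=POST action=/login>login form goes here</form>")
}

// upgradeHandler is the landing page with browser-upgrade instructions.
func upgradeHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "Your browser negotiated protocol version 0x%04x; "+
		"version 0x%04x or newer is required. Please upgrade your browser.\n",
		connVersion(r), minTLSVersion)
}

// connVersion returns the negotiated TLS version of r, or 0 for plain HTTP.
func connVersion(r *http.Request) uint16 {
	if r.TLS == nil {
		return 0
	}
	return r.TLS.Version
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/login", loginHandler)
	mux.HandleFunc("/upgrade-browser", upgradeHandler)

	// The server must still complete a handshake with an old client,
	// otherwise it can never show that client the landing page, so the
	// per-request check above, not the listener, enforces minTLSVersion
	// for /login.
	srv := &http.Server{
		Addr:      ":8443",
		Handler:   mux,
		TLSConfig: &tls.Config{MinVersion: tls.VersionTLS10},
	}
	// cert.pem and key.pem are assumed to exist for this example.
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem"))
}
```

Usage note: the split between the listener's MinVersion and the handler's check is the point to watch. If the listener itself refuses anything below the floor, old clients get a failed handshake and never see the upgrade instructions; if the handler is the only check, an old client can still reach every page except the ones you gate. Gate the login page and anything else that handles credentials, and keep the listener floor as high as the landing-page requirement allows.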

