[thelist] should user account pages be SSL?

Renoir Boulanger renoirb at gmail.com
Wed Feb 20 15:39:41 CST 2013 

Hello

We are in 2013. The idea of non ssl-izing all pages was, back then, because it gives an overhead on every requests (files, pages, etc) and servers weren't strong enough.

If you want to have advice regarding SSL and security, my resource is the "Security Now!" podcast. They talk a lot about it and even give you a complete burn down on how it works. The podcast is HEAVILY instructive, one cannot listen without putting all his concentration on it.

As for credibility, he lives by selling a hard drive recovery software, not SSL certs :)

Have a look namely on the episodes explaining Firesheep, and DNS, mostly the DNS Poisoning one.

There are a lot about SSL, DNS, DNSSEC, and phishing.

As for my introduction "we are in 2013", here as it goes.
1. People knows SSL is at least giving the safety of a handshake communication between browser and server
2. Cookies are safe in that communication, cannot make cross-domain cookies
3. People trust it. Even though we all know that it is a chain of trust of Z trusts Y, trusts X, trusts at least we have a shared secret until something better comes
4. Something better arrived (see SN 376, "Fullly Homomorphic Encryption"), but it takes VERY HUGE machines, and a key of only a few Terra of size

Hope I given a few sparks of curiosity to people around here :)

RB



On 2013-02-20, at 3:26 PM, Stuart Young <drstuey at gmail.com> wrote:

> Hi all,
> 
> I'm wondering what everyone thinks - should user account pages, (e.g. a
> registration page, or change password page) be secured.
> 
> Would you refuse to login to a site where the login form wasn't secure?
> Would you refuse to sign a e-petition that asked for your contact details
> if the form wasn't secure?
> 
> Or can you get away with only credit card form submissions being encrypted
> and not other forms?
> 
> Are there any links to articles online that have any evidence or opinions
> on this matter? I've tried many different searches and all I can find is
> https://www.thesslstore.com/blog/index.php/every-website-should-use-ssl-to-secure-user-information-why-ssland
> that is written by someone that sells SSL certificates so it could be
> biased.
> 
> Thanks in advance!
> 
> Stuart
> 
> 
> -- 
> This is the gmail account of Stuart Young
> Avondale, Auckland, Aotearoa New Zealand
> -- 
> 
> * * Please support the community that supports you.  * *
> http://evolt.org/help_support_evolt/
> 
> For unsubscribe and other options, including the Tip Harvester
> and archives of thelist go to: http://lists.evolt.org
> Workers of the Web, evolt !

More information about the thelist mailing list