Re: questions on SSL
- From: Ansgar Wiechers <bugtraq@xxxxxxxxxxxxxxxx>
- Date: Fri, 14 Nov 2008 18:07:04 +0100
On 2008-11-14 s0h0us@xxxxxxxxx wrote:
I'm lookig for some comments regarding using SSL to encrypt
connectivity to entire website as opposed to just certain critical
connections such as an online banking link at a financial
institutions. is this a more common practice now? Bandwidth wouldn't
seem to be as big an issue as it was in the past with dialup
connections.
Bandwidth isn't so much an issue as CPU consumption. Having to encrypt/
decrypt connections will put considerably more load on the server.
Moreover, encryption has no value in itself. It has a value only when
it's used to protect something from a threat (e.g. guarantee the
integrity of data transmitted between client and server).
However, SSL is not only for encryption, but will also guarantee the
authenticity of the website. If you want to ensure that, then you may
still want SSL, even if you don't actually need encryption.
Can one SSL certificate be used to encrypt multiple links originating
from the same site:
https://x.domain.com
https://y.domain.com
You can get wildcard certificates (*.example.com) which will allow this.
However, there's more to consider than just securing connections by
using SSL. I suggest you take a look at this whitepaper [1] released by
NGSSoftware.
[1] http://www.ngssoftware.com/papers/NISR-BestPracticesInHostURLNaming.pdf
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
- References:
- questions on SSL
- From: s0h0us
- questions on SSL
- Prev by Date: RE: questions on SSL
- Next by Date: Re: help me out
- Previous by thread: Re: questions on SSL
- Next by thread: RE: questions on SSL
- Index(es):
Relevant Pages
|
