Home page logo
/

basics logo Security Basics mailing list archives

Re: questions on SSL
From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Fri, 14 Nov 2008 18:07:04 +0100

On 2008-11-14 s0h0us () yahoo com wrote:
I'm lookig for some comments regarding using SSL to encrypt
connectivity to entire website as opposed to just certain critical
connections such as an online banking link at a financial
institutions. is this a more common practice now? Bandwidth wouldn't
seem to be as big an issue as it was in the past with dialup
connections.

Bandwidth isn't so much an issue as CPU consumption. Having to encrypt/
decrypt connections will put considerably more load on the server.
Moreover, encryption has no value in itself. It has a value only when
it's used to protect something from a threat (e.g. guarantee the
integrity of data transmitted between client and server).

However, SSL is not only for encryption, but will also guarantee the
authenticity of the website. If you want to ensure that, then you may
still want SSL, even if you don't actually need encryption.

Can one SSL certificate be used to encrypt multiple links originating
from the same site:
https://x.domain.com
https://y.domain.com

You can get wildcard certificates (*.example.com) which will allow this.
However, there's more to consider than just securing connections by
using SSL. I suggest you take a look at this whitepaper [1] released by
NGSSoftware.

[1] http://www.ngssoftware.com/papers/NISR-BestPracticesInHostURLNaming.pdf

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]