Network Security Web-App-Sec

[summary] Re: Should login pages be protected by SSL?

Subject: [summary] Re: Should login pages be protected by SSL?
Date: Wed, 22 Jun 2005 05:35:01 -0700
Amir Herzberg asked the question of "should login pages be SSL
encrypted". The flurry of discussion can be summarized as "Yes"
with the following details:

1. SSL generates a lot of load. A site administrator should be
   concerned over this.

        1a. SSL load for a sufficiently large enough site (read:
            a site with budget) can be addressed with SSL accelerators.

2. Most people believe that a login page *should* be encrypted 
   for web sites carrying important data. (e.g., financial, etc.)

3. A few exceptions were raised for sites that don't carry valuable
   data (e.g., newspaper sites) since the additional load created
   by SSL does not justify the asset that is being protected.

        3a. The concern over users using the same login/password
            combination was raised. In an unsecured wireless 
            environment, not using SSL means that even if the site
            operator is trustworthy enough not to use the login for
            personal gain, someone sniffing packets might. 

        3b. It was universally agreed that user education for 
            effective usage of passwords is necessary.

4. If a site does use SSL, it is important to use SSLv3 or better.
   Apache and most SSL accelerators (ergo, I suspect most other 
   web servers as well) can be configured to redirect users to a 
   special landing page if they are using an older version of SSL.
   The landing page can provide instructions on how to upgrade
   your browser. Many financial institutions do this.

5. The current reality is that most content sites that are not
   protecting a valuable asset do not use SSL to protect their
   users.

6. You can find Amir's Hall of Shame for sites that should (but don't)
   use SSL for access at http://AmirHerzberg.com/shame.html

-- 
Steve Shah
sshah@RisingEdge.org 
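The transport policy the summary converges on (points 2 and 4: serve the login page and accept credentials only over SSL/TLS, and send clients that negotiated an obsolete protocol version to a landing page with upgrade instructions) can be expressed as a small WSGI application. The code below is an added illustration, not code from this thread or from any of the participants; the hostname, the landing-page path and the minimum protocol version are constructed values, and it assumes the front-end server exposes the negotiated protocol to the application as `environ["SSL_PROTOCOL"]` (Apache's mod_ssl does this when `SSLOptions +StdEnvVars` is set). It also handles the two edge cases a practitioner cares about: a POST that already arrived in the clear is refused rather than redirected, and the upgrade landing page stays reachable on the old protocol so the client does not loop.

```python
"""Transport policy for a login page, as summarised in the thread: serve the
form and accept credentials only over TLS, redirect plaintext requests,
and send clients on an obsolete protocol version to an upgrade page.

Added, hypothetical WSGI application (not from the thread). Assumption: the
server puts the negotiated protocol into environ["SSL_PROTOCOL"], as Apache's
mod_ssl does with "SSLOptions +StdEnvVars"; wsgi.url_scheme comes from WSGI.
"""
from urllib.parse import quote

HOST = "login.example.test"             # constructed hostname
UPGRADE_PAGE = "/upgrade-browser.html"  # constructed landing-page path
MIN_PROTOCOL = "TLSv1.2"                # constructed policy choice
# Older entries rank lower; an unknown or missing name is treated as too old.
PROTOCOL_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2,
                 "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}


def protocol_acceptable(name):
    """True if the negotiated protocol is at least MIN_PROTOCOL."""
    return PROTOCOL_RANK.get(name, -1) >= PROTOCOL_RANK[MIN_PROTOCOL]


def decide(environ):
    """Map a request to (status, headers, body) according to the policy."""
    scheme = environ.get("wsgi.url_scheme", "http")
    method = environ.get("REQUEST_METHOD", "GET")
    path = environ.get("PATH_INFO", "/")
    query = environ.get("QUERY_STRING", "")

    if scheme != "https":
        if method == "POST":
            # Credentials already travelled in the clear: do not process
            # them, and do not silently redirect, which would hide the problem.
            return ("403 Forbidden", [("Content-Type", "text/plain")],
                    b"Login must be submitted over HTTPS.\n")
        target = f"https://{HOST}{quote(path)}" + (f"?{query}" if query else "")
        return "301 Moved Permanently", [("Location", target)], b""

    proto = environ.get("SSL_PROTOCOL", "")
    if not protocol_acceptable(proto) and path != UPGRADE_PAGE:
        # The landing page itself must stay reachable on the old protocol,
        # otherwise the client would be redirected forever.
        return "302 Found", [("Location", UPGRADE_PAGE)], b""

    if path == UPGRADE_PAGE:
        return ("200 OK", [("Content-Type", "text/plain")],
                b"Your browser negotiated an obsolete SSL/TLS version; please upgrade.\n")

    if method == "POST":
        # Credentials arrived over an acceptable TLS connection. Real
        # validation belongs here; the session cookie is marked Secure so the
        # browser never sends it back over plaintext HTTP.
        headers = [("Content-Type", "text/plain"),
                   ("Set-Cookie", "session=placeholder; Secure; HttpOnly; Path=/")]
        return "200 OK", headers, b"Login submitted over TLS.\n"

    form = (b'<form method="post"><input name="user">'
            b'<input name="pw" type="password"></form>')
    return "200 OK", [("Content-Type", "text/html")], form


def login_app(environ, start_response):
    """WSGI entry point: apply the policy and emit the response."""
    status, headers, body = decide(environ)
    start_response(status, headers + [("Content-Length", str(len(body)))])
    return [body]


def make_environ(scheme, method="GET", path="/login", ssl_protocol=None, query=""):
    """Build a minimal WSGI environ for a constructed request."""
    env = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method,
           "PATH_INFO": path, "QUERY_STRING": query}
    if ssl_protocol:
        env["SSL_PROTOCOL"] = ssl_protocol
    return env


if __name__ == "__main__":
    # Plain-HTTP dev server: every request to /login gets the 301 to HTTPS.
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, login_app).serve_forever()
```

Behind Apache the same policy would normally be enforced in the server configuration (an HTTP-to-HTTPS redirect plus an `SSLProtocol` setting that refuses old versions outright); putting it in the application as above makes the decisions explicit and lets the landing-page redirect be exercised in tests without a real TLS handshake.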
