Re: Should login pages be protected by SSL?

Hello Bob,

I don't totally agree with you, but here are some of my thoughts:

> which IMMEDIATELY has in its root web server's directory an "index.html" file 
> containing:
> <META HTTP-EQUIV="REFRESH" CONTENT="0; URL=https://merch.domain.com";>

Using REFRESH Meta tags, are very unsecure practice, for obvious
reasons. Redirects to HTTPS should always be performed using URL
REWRITEs on the server side.

 
> BTW, in my book (going back to being an uber-paranoidic person), it's never a 
> good idea to have a SECURED web site on the same server that is 
> representative as the company's "front door".  Basically, "www.domain.com" is 
> Domain Web Site, Ink.'s "front door" (so to speak), such that if it is 
> compromised, "merch.domain.com" doesn't loose it's data in the mean time.  
> However, because "merch.domain.com" is on a separate server, this now DOUBLES 
> the threat of data loss, data theft, data contamination, integrity 
> modification, etc.

In a secure environment NO critical data should reside on any
webserver. Everything should go in a ecrypted DB, running on a
seperate machine behind a application level firewall. If you have
secure architecture + design, HTTPS and non-HTTPS websites can safely
reside on the same server.

-- 
In Peace,
Saqib Ali
http://www.xml-dev.com/