Re: Should login pages be protected by SSL?

How about using forwards instead of redirects? these are server side so safer?
If a transaction is over multiple domains why not use web services and SAML.
or am i barking up the wronk tree?



On 22/06/05, Saqib Ali <docbook.xml@gmail.com> wrote:
> Hello Bob,
>
> I don't totally agree with you, but here are some of my thoughts:
>
> > which IMMEDIATELY has in its root web server's directory an "index.html" 
> > file containing:
> > <META HTTP-EQUIV="REFRESH" CONTENT="0; URL=https://merch.domain.com";>
>
> Using REFRESH Meta tags, are very unsecure practice, for obvious
> reasons. Redirects to HTTPS should always be performed using URL
> REWRITEs on the server side.
>
> > BTW, in my book (going back to being an uber-paranoidic person), it's never 
> > a good idea to have a SECURED web site on the same server that is 
> > representative as the company's "front door".  Basically, "www.domain.com" 
> > is Domain Web Site, Ink.'s "front door" (so to speak), such that if it is 
> > compromised, "merch.domain.com" doesn't loose it's data in the mean time.  
> > However, because "merch.domain.com" is on a separate server, this now 
> > DOUBLES the threat of data loss, data theft, data contamination, integrity 
> > modification, etc.
>
> In a secure environment NO critical data should reside on any
> webserver. Everything should go in a ecrypted DB, running on a
> seperate machine behind a application level firewall. If you have
> secure architecture + design, HTTPS and non-HTTPS websites can safely
> reside on the same server.
>
> --
> In Peace,
> Saqib Ali
> http://www.xml-dev.com/