Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Where should you enable SSL?

My last couple of projects have involved websites that sell a product/service and require a 'checkout' process in which users put in their credit card information and such. Obviously we got SSL certificates for the security of it plus giving peace of mind to the customers. I am, however, a little clueless as to the subtleties of it, and most importantly as to which parts of the website should 'use' the certificate.

For example, I've been to websites where the moment you hit the homepage you are put in https - mostly banking sites - and then there are websites where you are only put in https when you are finally checking out. Is it overkill to make the entire website run through https if it doesn't deal with something on the level of banking? Should I only make the checkout page https? What is the performance hit on going all out?

like image 642
Paolo Bergantino Avatar asked Sep 20 '08 07:09

Paolo Bergantino


1 Answers

I personally go with "SSL from go to woe".

If your user never enters a credit card number, sure, no SSL.

But there's an inherent possible security leak from the cookie replay.

  1. User visits site and gets assigned a cookie.
  2. User browses site and adds data to cart ( using cookie )
  3. User proceeds to payment page using cookie.

Right here there is a problem, especially if you have to handle payment negotiation yourself.

You have to transmit information from the non-secure domain to the secure domain, and back again, with no guarantees of protection.

If you do something dumb like share the same cookie with unsecure as you do with secure, you may find some browsers ( rightly ) will just drop the cookie completely ( Safari ) for the sake of security, because if somebody sniffs that cookie in the open, they can forge it and use it in the secure mode to, degrading your wonderful SSL security to 0, and if the Card details ever get even temporarily stored in the session, you have a dangerous leak waiting to happen.

If you can't be certain that your software is not prone to these weaknesses, I would suggest SSL from the start, so their initial cookie is transmitted in the secure.

like image 118
Kent Fredric Avatar answered Oct 25 '22 02:10

Kent Fredric