Posted to users@httpd.apache.org by Krist van Besien <kr...@gmail.com> on 2010/04/22 15:04:00 UTC

Re: [users@httpd] Re: HTTPS only for login page (when apache front tomcat)

On Thu, Apr 22, 2010 at 1:38 PM, Nicholas Sherlock <n....@gmail.com> wrote:
> On 22/04/2010 5:29 p.m., Krist van Besien wrote:
>>
>> Just consider the following:
>> - You direct a user to a login form. He enters username and password,
>> gets authenticated and receives a session cookie from the server.
>> - This session cookie is sent with each subsequent request, so that
>> the requests can be associated with an authenticated user.
>> - Someone intercepts this cookie by eavesdropping on the line. With
>> this cookie this person can now impersonate the user without knowing
>> the user's username or password...
>
> Very true. However, it does protect the user's username and password. A
> large proportion of users use the same password for everything online. You
> don't want a login sniffed from your site to be used to breach the user's
> bank account.

There is in my opinion no good reason not to have https for the whole
session. The "performance" argument doesn't really apply anymore in a
time that you can buy several webservers for the cost of employing one
webserver specialist for a day...

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: HTTPS only for login page (when apache front tomcat)

Posted by Tom Evans <te...@googlemail.com>.
On Thu, Apr 22, 2010 at 2:04 PM, Krist van Besien
<kr...@gmail.com> wrote:
> There is in my opinion no good reason not to have https for the whole
> session. The "performance" argument doesn't really apply anymore in a
> time that you can buy several webservers for the cost of employing one
> webserver specialist for a day...
>
> Krist
>

Spoken like a true European (No offence, I'm one too :)

For many of the users of our (commercial) systems, if we forced SSL
on, then a good proportion of our customers would not renew next year.
SSL on is irrefutably a slower user experience than with it off;
common resources cannot be cached, apart from on the local machine
(and even then, many browsers won't). It vastly increases response
times, as each connection must be set up and torn down, with all
that lovely TLS forward and back.

For users geographically remote, or with other high latency internet
connections, or with old/slow computers, your website just became more
unpleasant to use. The more unpleasant to use your site is, the less
people use it. The fewer people use it, the less willing they will be
to pay for it.

In Europe (probably US now too) we seem to assume a couple of things:
1) Any site we connect to will be less than 200ms away
2) We've got at least 2Mbit of bandwidth available
3) Any user will have a fast modern computer, with a big screen.

For a lot of the world, at least one of those things will be incorrect.

Using SSL to protect login prevents usernames and passwords passing in
clear text. There are other methods you can use to mitigate session
stealing.

Cheers

Tom
