Re: Should login pages be protected by SSL?

From: Steve Shah (sshahrisingedge.org)
Date: Mon Jun 20 2005 - 22:32:41 CDT


On Mon, Jun 20, 2005 at 05:16:46PM -0700, maburnssafenet-inc.com wrote:
> The login page cannot be protected by SSL until after the authentication is
> complete.

This is not true. You can start an SSL session at any point, including
the login page itself. As Andrew said in an earlier post, this is a
good practice if you're dealing with sensitive data.

> Once the user is authenticated then all information sent between
> the server and remote user is in an SSL encrypted tunnel until the session is
> ended. Again the value of the token is it is a "physical device" and must be
> present on the user's computer for the login to be successful. SSL VPN

I'm not clear on where the SSLVPN advertisement fits into this
conversation, but 2-factor, SSLVPN, and the use of SSL for encrypting
login pages are all independent variables. An administrator does not
need SSLVPN to secure their web site.

Somewhat related (but reaching) is the topic of SSL acceleration for
sites that have higher volumes of SSL traffic. There are several
vendors that offer this technology; Google for "ssl acceleration"
for a list.

-Steve

--
Steve Shah
sshahRisingEdge.org