Web Application Security
Should login pages be protected by SSL? Jun 20 2005 04:20PM
Amir Herzberg (herzbea macs biu ac il) (7 replies)
Re: Should login pages be protected by SSL? Jun 21 2005 02:15PM
Saqib Ali (docbook xml gmail com)
Re: Should login pages be protected by SSL? Jun 21 2005 11:40AM
Stefano Di Paola (stefano dipaola wisec it)
Re: Should login pages be protected by SSL? Jun 21 2005 09:14AM
Kalyan Varma (kalyan rtns org)
On Mon, 20 Jun 2005, Amir Herzberg wrote:

> Here is a simple question: should web login forms be always protected by SSL?

Depends.

If you have a site with high traffic, then the SSL load will hurt your
server. For every SSL request, you can handle more than 5 non-SSL
requests. Are you ready for that performance tradeoff?

Most of the sites are moving to challenge-response based login systems.
This is non-SSL and IMHO quite secure. I think having an SSL login page
makes sense, but your site could default to the challenge-response based
login page the way sites like Yahoo do it and give an option for an SSL
based page.

However, if you are a bank etc., then SSL all the way makes sense.

- Kalyan

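A sketch of the kind of challenge-response login exchange mentioned in the message above, added here as an illustration; it is not code from the thread or from any site named in it. The PBKDF2 and HMAC-SHA256 construction, the names `LoginServer`, `derive_key` and `client_response`, and the 120-second nonce lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 120  # seconds a challenge stays valid (assumed value)

def derive_key(password, salt):
    # Both sides derive the same key; only the salt and nonce travel in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def client_response(password, salt, nonce):
    # Browser side: prove knowledge of the password without sending it.
    return hmac.new(derive_key(password, salt), nonce.encode(), hashlib.sha256).hexdigest()

class LoginServer:
    def __init__(self):
        self.users = {}    # username -> (salt, derived key); the key is password-equivalent
        self.pending = {}  # nonce -> (username, issue time)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, derive_key(password, salt))

    def challenge(self, username):
        # Unknown users still get a salt and nonce so the reply shape is the same.
        salt = self.users.get(username, (secrets.token_bytes(16), None))[0]
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (username, time.time())
        return salt, nonce

    def verify(self, username, nonce, response):
        issued = self.pending.pop(nonce, None)  # pop: each nonce is single use
        record = self.users.get(username)
        expired = issued is None or time.time() - issued[1] > NONCE_TTL
        if expired or record is None or issued[0] != username:
            return False
        expected = hmac.new(record[1], nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

def demo():
    server = LoginServer()
    server.register("alice", "correct horse")  # constructed sample account
    salt, nonce = server.challenge("alice")
    resp = client_response("correct horse", salt, nonce)
    first = server.verify("alice", nonce, resp)    # genuine login
    replay = server.verify("alice", nonce, resp)   # captured response sent again
    _, nonce2 = server.challenge("alice")
    stale = server.verify("alice", nonce2, resp)   # old response against a fresh nonce
    return first, replay, stale
```

The exchange covers passive capture and replay of the login message only; it does not authenticate the server or protect the session that follows.
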
Re: Should login pages be protected by SSL? Jun 21 2005 06:28AM
bluewizard83-de4gahsh yahoo com
Re: Should login pages be protected by SSL? Jun 21 2005 12:42AM
Andy bentley (andy bentleyconsulting biz)
Re: Should login pages be protected by SSL? Jun 21 2005 12:23AM
Michael Silk (michaelslists gmail com)
Re: Should login pages be protected by SSL? Jun 20 2005 11:41PM
Andrew van der Stock (vanderaj greebo net)

Copyright 2010, SecurityFocus