[Techtalk] implementing HTTPS-only sitewide

Wim De Smet kromagg at gmail.com
Tue Sep 11 08:34:07 UTC 2012


Which reminds me to point out that if you do URL rewriting at the
application level you should make sure your server never sets cookies
over a non-secure connection, and that it sets the secure attribute on
cookies so that a browser connecting over HTTP will not transmit the
cookie in cleartext. Even if you use HTTPS only, you might still be
leaking if you don't do that.

regards,
Wim


On Mon, Sep 10, 2012 at 10:25 PM,  <adric at adric.net> wrote:
> On 09/05/2012 08:47 PM, chris wrote:
> Hi,
> To redirect the entire site, you could use a redirect:
>   Redirect permanent / https://subdomain.domain.com/
> However, SSL can be slow so I wouldn't run an entire site over SSL
> unless it was necessary or had low traffic.  [snip apache configs]
> hope that helps
> chris
>
> This is a good idea for performance and sanity but there are
> security concerns to having HTTP and HTTPS content on the
> same site.  Last year's BEAST attack tool takes
> advantage of that, for instance, and there are some
> cross-site scripting, session stealing, and other
> malfeasance made easier by having secure and insecure
> content both.
>
> Security experts have been urging the big site providers to go
> all-SSL for some time and they are reluctantly following this advice
> after the hullabaloo over Firesheep. Google has been big on
> pushing ahead with this.
>
> BEAST: http://vnhacker.blogspot.com/2011/09/beast.html (links about
>   BEAST abound, no ref to HTTP usage in any..)
> Firesheep: http://codebutler.com/firesheep?c=1 (home page)
> Google blog:
> http://googleonlinesecurity.blogspot.com/2009/06/https-security-for-web-applications.html
>
> hth,
> adric
>
>
>
> _______________________________________________
> Techtalk mailing list
> Techtalk at linuxchix.org
> http://mailman.linuxchix.org/mailman/listinfo/techtalk
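An added example, not from this thread, of the check Wim describes: it parses Set-Cookie headers, flags cookies that were set over plain HTTP or lack the Secure attribute, and simulates which stored cookies a browser would attach to an http:// request. The sample responses are constructed.

```python
# Added example (not from the thread): audits Set-Cookie headers and
# simulates which cookies a browser would attach to a plain-HTTP request.
# All sample responses below are constructed for the demo.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute keys are
    lower-cased, flag attributes map to True, valued ones to their value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return name, attrs

def audit_response(scheme, set_cookie_headers):
    """Return [(cookie_name, problem)] for one response served over scheme."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if scheme != "https":
            findings.append((name, "set over a non-secure connection"))
        if "secure" not in attrs:
            findings.append((name, "missing Secure attribute"))
    return findings

def cookies_sent_over(scheme, stored_cookies):
    """Names of stored cookies ({name: attrs}) a browser would attach to a
    request over scheme; a Secure cookie travels over HTTPS only."""
    return sorted(name for name, attrs in stored_cookies.items()
                  if scheme == "https" or "secure" not in attrs)

# Constructed sample: the session cookie was set during the initial plain-HTTP
# hit (before the redirect) and never got the Secure attribute.
SAMPLE_RESPONSES = [
    ("http", ["sessionid=abc123; Path=/; HttpOnly"]),
    ("https", ["csrftoken=xyz789; Path=/; Secure", "lang=en; Path=/"]),
]

if __name__ == "__main__":
    jar = {}
    for scheme, headers in SAMPLE_RESPONSES:
        for name, problem in audit_response(scheme, headers):
            print(f"{name}: {problem}")
        jar.update(dict(parse_set_cookie(h) for h in headers))
    print("sent over http:", cookies_sent_over("http", jar))
```

Run on the sample, it reports sessionid twice and shows that sessionid and lang would still travel over http:// while csrftoken stays on HTTPS.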
