Sunday, May 22, 2011

Myths about SSL Certificates


I saw this article in HTTP watch blog post and being working in SSL procurement and consulting space i am sure to say that SSL is still a mystery ground for lot of people. When it comes to SSL Myths comes to effect than facts..some of their Myths are

Myth #1 – My Site Only Needs HTTPS for the Login Page

This is a commonly held view. The theory being that HTTPS will protect the user’s password during login but HTTPS is not needed after that.
The recently released Firesheep add-on for Firefoxdemonstrated the fallacy of this approach and how easy it is to hi-jack someone’s else session on sites like Twitter and Facebook.
The free public WiFi in a coffee shop is an ideal environment for session hi-jacking because:
  • The WiFi network doesn’t normally use encryption so it’s very easy to monitor all traffic
  • The WiFi network probably uses NAT through a single IP address to access the internet. This means that a highjacked session appears to come from the same network address as the original login

Myth #2 – Anything can go in Cookies and Query Strings with HTTPS

Myth #3 – Each HTTPS Site Needs its Own Public IP Address

Myth #4 – SSL Certificates are Expensive

If you shop around you can find SSL certificates for about $ 10 a year or roughly the same cost as the registration of a .com domain for a year.

Myth #5 – HTTPS Never Caches

People often claim that HTTPS content is never cached by the browser; perhaps because that seems like a sensible idea in terms of security. In reality, HTTPS caching is controllable with response headers just like HTTP.

Myth #6 – New SSL Certificates Have to be Purchased When Moving Servers or Running Multiple Servers