WebApp Sec mailing list archives

Re: Should login pages be protected by SSL?


From: Steve Shah <sshah () risingedge org>
Date: Mon, 20 Jun 2005 20:32:41 -0700

On Mon, Jun 20, 2005 at 05:16:46PM -0700, maburns () safenet-inc com wrote:
> The login page cannot be protected by SSL until after the authentication is
> complete.

This is not true. You can start an SSL session at any point, including
the login page itself. As Andrew said in an earlier post, this is a
good practice if you're dealing with sensitive data. 

> Once the user is authenticated, all information sent between
> the server and remote user is in an SSL-encrypted tunnel until the session is
> ended. Again, the value of the token is that it is a "physical device" and must be
> present on the user's computer for the login to be successful. SSL VPN

I'm not clear on where the SSLVPN advertisement fits into this
conversation, but 2-factor, SSLVPN, and the use of SSL for encrypting
login pages are all independent variables. An administrator does not
need SSLVPN to secure their web site.

Somewhat related (but reaching) is the topic of SSL acceleration for
sites that have higher volumes of SSL traffic. There are several
vendors that offer this technology, Google for "ssl acceleration"
for a list.

-Steve

-- 
Steve Shah
sshah () RisingEdge org 

