On The Importance of SSL

There’s a security article making the rounds today (“Look at all these passwords”) that shows the unencrypted content of several major websites’ login screens. These included a couple of relatively unknown places as well as major sites like Amazon.com and ClassMates.com. The gist of the article is this: these sites should require all users to authenticate through SSL-encrypted login forms.

OK, I can hear you say, but does this really represent a significant security threat?  Do I really need to worry about this for my business’ website?

The short answer: yes, you need to worry about it, because getting these passwords is fairly simple. If you read through the comments on the article, they pretty much tell you how to harvest a significant number of user passwords without a lot of effort.

So, as a website operator, what is your responsibility?

First, make sure you have an encrypted login section and that you require your users to use it. That means the page carrying the login form is served over SSL, not just the address the form submits to: if the form itself arrives over plain HTTP, anyone on the path can rewrite where it posts, and the user has no way to tell. The days when a significant number of users couldn’t log in via SSL are gone. Forcing everyone to go SSL is quick and easy: redirect any plain-HTTP request for the login page to its HTTPS address, and don’t accept credentials over HTTP at all.

Second, once you have the encrypted login section, make sure the form submits its fields as an HTTP POST request and not an HTTP GET request. What’s the difference? In a GET request, the form fields are encoded into the address itself, as the query string after the “?”. SSL does encrypt the whole address on the wire, but the address gets written down in places the connection’s encryption never reaches: the browser’s history, the web server’s access log, any proxy logs along the way, and the Referer header sent to the next page the user visits. In a POST request, the data is sent as a separate part, the request body, which travels only inside the encrypted connection and is not recorded in access logs by default. Keep the username and password in the body and they stay where they belong.
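The first two points, as an added example that is not code from the original post: a minimal WSGI login endpoint that redirects plain-HTTP requests to HTTPS and reads credentials only from a POST body, alongside a helper that reconstructs the request line a Common Log Format access log would store for each request. The application, the helper names, the host `login.example.test` and the sample credentials are all this example’s own assumptions.

```python
# Added example, not code from the original post.  A WSGI login endpoint
# that enforces "serve the login over SSL" and "credentials go in a POST
# body", plus a helper showing what an access log records for each case.
# The app, helper names, host and sample credentials are assumptions.
from io import BytesIO
from urllib.parse import parse_qs, urlencode

LOGIN_PATH = "/login"


def login_app(environ, start_response):
    """WSGI application: redirect plain HTTP to HTTPS and only read
    credentials out of a POST body, never out of the query string."""
    scheme = environ.get("wsgi.url_scheme", "http")
    host = environ.get("HTTP_HOST", "localhost")
    path = environ.get("PATH_INFO", "/")
    method = environ.get("REQUEST_METHOD", "GET")

    if scheme != "https":
        # Redirect to the HTTPS version of the same path.  The query string
        # is deliberately dropped: anything in it already travelled in the
        # clear, and echoing it into Location would log it a second time.
        start_response("301 Moved Permanently",
                       [("Location", f"https://{host}{path}")])
        return [b""]

    if path != LOGIN_PATH:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]

    if method != "POST":
        # Refuse GET outright instead of quietly accepting ?username=...
        start_response("405 Method Not Allowed",
                       [("Allow", "POST"), ("Content-Type", "text/plain")])
        return [b"submit the login form with POST"]

    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode("utf-8"))
    username = form.get("username", [""])[0]
    password = form.get("password", [""])[0]
    if not username or not password:
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"username and password required"]

    # A real handler would now verify the password against a stored hash;
    # this example only demonstrates where the credentials are read from.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"received login for {username}".encode("utf-8")]


def access_log_request_line(environ):
    """The request line as a Common Log Format access log stores it.
    The request body never appears here, but the query string does."""
    path = environ.get("PATH_INFO", "/")
    query = environ.get("QUERY_STRING", "")
    target = f"{path}?{query}" if query else path
    return f'{environ["REQUEST_METHOD"]} {target} {environ["SERVER_PROTOCOL"]}'


def simulate(method, scheme, path, query="", form=None):
    """Build a WSGI environ for a constructed request, run the app and
    return (status, headers, body, access-log request line)."""
    body = urlencode(form or {}).encode("utf-8")
    environ = {
        "REQUEST_METHOD": method,
        "wsgi.url_scheme": scheme,
        "HTTP_HOST": "login.example.test",      # constructed host
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "SERVER_PROTOCOL": "HTTP/1.1",
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": BytesIO(body),
    }
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    out = b"".join(login_app(environ, start_response)).decode("utf-8")
    return (captured["status"], captured["headers"], out,
            access_log_request_line(environ))


if __name__ == "__main__":
    creds = {"username": "alice", "password": "hunter2"}   # constructed sample
    cases = [
        ("GET over plain HTTP", ("GET", "http", LOGIN_PATH, urlencode(creds))),
        ("GET over HTTPS", ("GET", "https", LOGIN_PATH, urlencode(creds))),
        ("POST over HTTPS", ("POST", "https", LOGIN_PATH, "", creds)),
    ]
    for label, args in cases:
        status, headers, body, log_line = simulate(*args)
        print(f"{label:20} -> {status:22} log: {log_line}")
```

Run it and the access-log column makes the point: both GET variants leave `password=hunter2` in the log line even when the transport was HTTPS, while the POST variant logs only `POST /login HTTP/1.1`.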

Finally, as a website operator you need to store your users’ passwords as something other than plain text. You have a lot of choices with this one, but your goal is simple: in the event your database is compromised, you want to make sure your users’ credentials aren’t easy to get at. The standard answer is a salted, deliberately slow one-way hash, so that an attacker who walks off with the table still has to crack each password individually rather than reading them straight off the page.
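One way to do this, as an added example rather than code from the original post: passwords stored as salted PBKDF2-HMAC-SHA256 records using only the Python standard library, verified in constant time, with old records upgraded to the current iteration count on the next successful login. The record format, the iteration count, the helper names and the in-memory user table are this example’s own assumptions.

```python
# Added example, not code from the original post: salted, slow password
# hashing with PBKDF2-HMAC-SHA256 from the standard library.  The record
# format, iteration count, helper names and user table are assumptions.
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # tune so one verification costs tens of milliseconds
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$hash.
    A fresh random salt per user means identical passwords produce
    different records, which defeats precomputed (rainbow) tables."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time so timing does not leak how much matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record, iterations=ITERATIONS):
    """True when the record is weaker than current policy, so it can be
    replaced the next time the user presents the correct password."""
    parts = record.split("$")
    return (len(parts) != 4 or parts[0] != ALGORITHM
            or int(parts[1]) < iterations)


# Verified against for unknown usernames so a missing account costs the
# same time as a wrong password (no user enumeration via timing).
DUMMY_RECORD = hash_password(os.urandom(32).hex())


def login(users, username, password):
    """Check a login against an in-memory user table (constructed for this
    example) and transparently upgrade weak records on success."""
    record = users.get(username, DUMMY_RECORD)
    ok = verify_password(password, record)
    if ok and username in users and needs_rehash(record):
        users[username] = hash_password(password)
    return ok


if __name__ == "__main__":
    # Constructed sample: one user whose record predates the current policy.
    users = {"alice": hash_password("correct horse", iterations=50_000)}
    print("stored:", users["alice"])
    print("right password:", login(users, "alice", "correct horse"))
    print("upgraded record:", users["alice"])
    print("wrong password:", login(users, "alice", "battery staple"))
    print("unknown user:", login(users, "mallory", "correct horse"))
```

Two details matter beyond the hash itself: the salt and iteration count travel inside the record, so the policy can be raised later without invalidating existing accounts, and comparison goes through `hmac.compare_digest` rather than `==`, which short-circuits on the first differing byte.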

The article discussing this is pretty interesting and doesn’t require any special knowledge to understand.  Definitely worth taking a look at.

One Response to “On The Importance of SSL”

  1. TeamClock.com Features, Requests and a Whole Lot More. » Blog Archive » Why All This SSL Says:

    […] It’s just a precaution against other users sniffing out your information, which is easier than you think. See On the Importance of SSL and Look at all These Passwords for more information than you’d really like on the subject. So my question is this: why do these other services charge extra for SSL? […]
