
Should every page on every site be behind SSL?

@Carla537

Posted in: #Https

This question stemmed from a discussion here: Ad networks that will serve via HTTPS?

My question to the OP was "is it necessary to have every page behind SSL?" Admittedly, at the time of posting this question, the OP hadn't got back to me to let me know what kind of site he had, was everything behind a login, etc.

I agree that if everything was behind a login then yes, it should also be protected by an SSL certificate, but if (for example) the site was a WordPress blog, would it be necessary for the parts of the site that were just going to be viewed by your average user (i.e. one that's not logged in) to be accessed over HTTPS? Admittedly, if you were logged in and viewing the "front-end" of the site, it would send over your cookie, but as long as you took precautions against that then it should be OK, right?


@Angela700

If you took precautions to never visit the non-SSL areas of a site while logged in, and if there was a logout process that properly deleted the authenticating session cookie, then it should be fine. Of course, the more admin-level users you have, the greater the chance that this will never happen.

A more ideal way to do this, for the WordPress example: move (not copy) /wp-admin to a different domain under HTTPS. That way, you won't have to worry about logging out to make sure your new post got published okay, because cookies are per domain. A cookie for admin.mysite.tld won't be in the request headers for mysite.tld, so there's nothing unencrypted to be sniffed and hijacked.

(Granted, if it's a single-author/admin WordPress site, just tunneling through a VPN when accessing it over a Wi-Fi hotspot would have the same effect, without the mess of tweaking WP to work across two domains.)

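The cookie scoping described in the answer above, as an added example that is not part of either post: a small model of which stored cookies a browser attaches to a request, following the RFC 6265 domain-match and Secure rules. Path, expiry and public-suffix handling are left out, and the cookie names and jar contents are constructed sample values.

```javascript
// Added example: models browser cookie selection (RFC 6265 domain-match + Secure).
// Hostnames come from the answer above; cookie names are constructed.

// RFC 6265 section 5.1.3: exact match, or host ends with "." + cookie domain.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// A cookie set without a Domain attribute is host-only: exact host match only.
// A Secure cookie is only attached to https:// requests.
function isSent(cookie, requestUrl) {
  const url = new URL(requestUrl);
  const hostOk = cookie.hostOnly
    ? url.hostname.toLowerCase() === cookie.domain.toLowerCase()
    : domainMatches(url.hostname, cookie.domain);
  const schemeOk = !cookie.secure || url.protocol === "https:";
  return hostOk && schemeOk;
}

// Names of the cookies from the jar that would go out with this request.
function cookiesFor(jar, requestUrl) {
  return jar.filter((c) => isSent(c, requestUrl)).map((c) => c.name);
}

// Constructed cookie jar.
const jar = [
  // Set by https://admin.mysite.tld with no Domain attribute, Secure flag on.
  { name: "admin_session", domain: "admin.mysite.tld", hostOnly: true, secure: true },
  // Weak setting: Domain=mysite.tld and no Secure flag.
  { name: "wide_session", domain: "mysite.tld", hostOnly: false, secure: false },
  // Domain=mysite.tld with the Secure flag.
  { name: "wide_secure", domain: "mysite.tld", hostOnly: false, secure: true },
];

for (const u of [
  "https://admin.mysite.tld/wp-admin/",
  "http://mysite.tld/",
  "https://mysite.tld/",
]) {
  console.log(u, "->", cookiesFor(jar, u));
}
```

The separation only holds when the admin cookie is host-only (or at least Secure): a session cookie set with `Domain=mysite.tld` and no Secure flag is still attached to plain-HTTP requests for the public site.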

