@Bryan171

Your friend is right. Cookies are sent with every request, even for things like images, so you have to make sure everything is being sent securely if the cookies are sensitive.

The browser warnings only occur when there's a problem with the server's certificate. The most common problems are an expired certificate, an improperly configured certificate (i.e. trying to use the same non-wildcard certificate for multiple domains), or a certificate that hasn't been issued by a trusted certificate authority (Comodo, Thawte, Geotrust, etc.).

When HTTPS is used, there is an overhead. There's a "handshake" that occurs at the beginning of a connection that takes a fraction of a second, and there is slightly more processor load. This used to be an issue when folks were on dial-up connections and CPUs were slow. Now, this isn't a determining factor, and you shouldn't see more than a few percent increase in CPU load. Processor time is cheap now. These performance issues are negligible.

I don't know whether the internet is going all-encrypted. Perhaps. You only need to provide encryption when personal details are being transmitted, including cookies that will log a user in automatically (they're the equivalent of a username/password, albeit somewhat more ephemeral). If the cookies aren't sensitive, and no private details are being transmitted over the wire, encryption isn't mandatory.

I doubt eBay, Amazon, et al. are vulnerable to session hijacking. You'll also note that these sites will prevent users from doing special things like updating their passwords, making payments, etc. without the user providing their password again. Session hijacking is only a problem if a malicious user can do something bad; otherwise, a session cookie is worthless.

SSL should be used for anything sensitive. If it's sensitive, encrypt. If it's not, cleartext is okay. Encryption isn't a panacea, but a piece in your security strategy.

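The point above, that a login cookie rides along on every request, images included, is something you can check for rather than assume. The following script is an added example, not code from the post or from any site it mentions: it takes constructed Set-Cookie headers and an HTML fragment (hostnames, cookie names and values are all made up) and pairs each sensitive cookie that lacks the Secure attribute with the same-host http:// subresources that would carry it over cleartext.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed sample (not from the post): Set-Cookie headers from a response
# served at https://www.example.test/ and a fragment of the HTML it returned.
PAGE_HOST = "www.example.test"
SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",            # login cookie, no Secure flag
    "remember_me=tok456; Path=/; Secure; HttpOnly",  # correctly flagged
    "theme=dark; Path=/",                            # not sensitive
]
HTML_BODY = """
<img src="http://www.example.test/img/logo.png">
<img src="https://www.example.test/img/banner.png">
<img src="http://cdn.other.test/ad.png">
<script src="//www.example.test/app.js"></script>
"""
SENSITIVE = {"sessionid", "remember_me"}  # cookies equivalent to credentials

def cookies_missing_secure(headers, sensitive=SENSITIVE):
    """Sensitive cookies a browser would also attach to plain-HTTP requests."""
    missing = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # morsel["secure"] is True when the Secure attribute is present, "" otherwise
            if name in sensitive and not morsel["secure"]:
                missing.append(name)
    return missing

def cleartext_same_host_urls(html, page_host):
    """src/href URLs fetched over http:// from the page's own host.
    Host-only cookies (no Domain attribute) ride along on exactly these requests;
    protocol-relative //... URLs inherit https from the page and are safe here."""
    urls = re.findall(r'(?:src|href)="([^"]+)"', html)
    return [u for u in urls
            if urlparse(u).scheme == "http" and urlparse(u).hostname == page_host]

def audit(headers, html, page_host):
    """Pair each non-Secure sensitive cookie with the cleartext requests that leak it."""
    exposed = cookies_missing_secure(headers)
    leaks = cleartext_same_host_urls(html, page_host)
    return {cookie: leaks for cookie in exposed}

if __name__ == "__main__":
    for cookie, urls in audit(SET_COOKIE_HEADERS, HTML_BODY, PAGE_HOST).items():
        print(f"{cookie!r} lacks Secure and is sent in cleartext via: {urls}")
```

Cookies set with a Domain attribute are also sent to subdomains, which this simplified check does not model; the fix in either case is the same: add Secure (and HttpOnly) to sensitive cookies and serve every subresource over HTTPS.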