I came across ‘How to Deploy HTTPS Correctly’ written by Chris Palmer of the Electronic Frontier Foundation. Chris does a great job explaining why web site operators should use HTTPS versus just HTTP. He points out a couple of good practices that were not previously addressed in my blog post, ‘SSL Deployment Mistakes’:
- Scope sensitive cookies to the secure origin to avoid cookie “leak” to potentially less secure hosts in the same domain. See another paper by Chris for more information.
- Use HTTP Strict Transport Security (HSTS); see my blog post for more details.
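To make the two practices above concrete, here is an added example (my own code, not from Chris Palmer's paper, the EFF, or Entrust) that audits a response's headers the way a deployment review would: it flags sensitive cookies that lack the Secure attribute (so they would be sent over plain HTTP) or that carry a Domain attribute widening them to other hosts in the domain, and it checks for a Strict-Transport-Security header with a sufficient max-age and includeSubDomains. The set of "sensitive" cookie names, the one-year minimum max-age, and the sample header sets are constructed assumptions for the example.

```python
"""Audit HTTP response headers for Secure-scoped cookies and HSTS.

Added example, not code from the original post.  The cookie names treated
as sensitive and the minimum HSTS max-age are assumptions for illustration.
"""

# Cookie names we treat as sensitive (assumption for this example).
SENSITIVE_COOKIES = {"sessionid", "auth", "csrftoken"}

# One year in seconds; a common HSTS deployment target (assumption).
MIN_HSTS_AGE = 31536000


def parse_set_cookie(header_value):
    """Return (name, attributes) for one Set-Cookie header value.

    Attributes are keyed by lower-case name; flag attributes such as
    Secure and HttpOnly map to True, valued ones to their string value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def parse_hsts(header_value):
    """Return HSTS directives; max-age is converted to int (-1 if malformed)."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            directives[key.strip().lower()] = value.strip().strip('"')
        else:
            directives[part.lower()] = True
    if "max-age" in directives:
        try:
            directives["max-age"] = int(directives["max-age"])
        except ValueError:
            directives["max-age"] = -1
    return directives


def audit_headers(headers):
    """Return a list of findings for a list of (name, value) header tuples.

    Set-Cookie may legitimately repeat, so headers are a list, not a dict.
    An empty list means both practices are in place.
    """
    findings = []
    hsts = None
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if cookie.lower() not in SENSITIVE_COOKIES:
                continue  # non-sensitive cookies are out of scope here
            if not attrs.get("secure"):
                findings.append(f"cookie {cookie}: missing Secure; browser will send it over plain HTTP")
            if not attrs.get("httponly"):
                findings.append(f"cookie {cookie}: missing HttpOnly")
            if "domain" in attrs:
                findings.append(f"cookie {cookie}: Domain={attrs['domain']} widens scope to other hosts in the domain")
        elif lname == "strict-transport-security":
            hsts = parse_hsts(value)
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        age = hsts.get("max-age", -1)
        if age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age={age} is below {MIN_HSTS_AGE}")
        if not hsts.get("includesubdomains"):
            findings.append("HSTS lacks includeSubDomains; other hosts in the domain stay reachable over HTTP")
    return findings


# Constructed sample responses; not captured from any real site.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Domain=example.com"),
]

HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["ok"])
```

Run as-is, the weak header set produces four findings (no Secure, no HttpOnly, an over-broad Domain on the session cookie, and no HSTS header) while the hardened set produces none. The Domain check is what ties the cookie advice to the HSTS advice: a cookie scoped to the whole domain reaches every host in it, so HSTS with includeSubDomains is what keeps those hosts from being reached over HTTP in the first place.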
Chris concludes, “HTTPS provides the baseline of safety for web application users, and there is no performance- or cost-based reason to stick with HTTP. Web application providers undermine their business models when, by continuing to use HTTP, they enable a wide range of attackers anywhere on the internet to compromise users’ information.”
I wholly endorse Chris’ recommendations and conclusions. If you need to deploy HTTPS, please read his paper. Of course, if you need SSL certificates, please contact Entrust.
Tags: HSTS, HTTPS, STS
This entry was posted on Sunday, December 5th, 2010 at 10:52 pm and is filed under SSL Deployment.