> I only have a small portion of my site - placing orders and
> changing customer information where I care if the data is
> encrypted over the net.  I currently only use https: for
> these related pages.
>
> Should I be concerned about sending ordering information
> (only last 4 digits of Credit Card), customer addresses and
> customer-specific pricing outside of SSL?

If that order data isn't sensitive, you don't need SSL to protect it.
However, while it may not be a concern from a technical perspective, it
might be from the perspective of your customers, who simply know to look for
the "lock" icon whenever they're doing anything sensitive.

> Does SSL add enough overhead where this should concern me?  
> If it doesn't, why not just keep the entire log-in session
> https:?

SSL does add significant overhead. If you plan to make heavy use of SSL,
consider offloading SSL processing to hardware. You can get SSL hardware
acceleration with many server NICs, and with external boxes that you might
also use for load balancing.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444