Hi, I’m not advocating not using SSL – my personal position is the exact opposite and in accordance with yours.
Previous poster says they don’t understand the rationale – I just pointed out two reasons. With everything in security, it’s about balancing cost vs. risks mitigated.

Cheers
Ken

From: [email protected] On Behalf Of David Connors
Sent: Tuesday, 12 April 2011 5:12 PM
To: ozDotNet
Subject: Re: adding ssl to asp.net website

On Tue, Apr 12, 2011 at 6:44 PM, Ken Schaefer <[email protected]> wrote:

I don't understand the rationale for falling back to non-https mode. IMO, it's bad practice and increases risk to the user - see OWASP Top Ten 2010 <https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project> risks A3, A6 and A9.

• Usually requires dedicated IPv4 address – of which we have a shortage
• Has resource overhead in setting up and maintaining a connection – there are solutions to this, but they all cost money

Every silver lining/good piece of advice has a Ken Schaefer cloud.

IPv4 address depletion is overrated (current depletion is driven by hoarding and it will be a long time before you see a significant proportion of VPS cost apportioned to a v4 address vs the resources for hosting).

The CPU overhead of SSL cryptography is marginal at best unless you have a very busy site, in which case the cost of an accelerator or front end pool isn't a big issue.

Current risks with commoditised/script kiddie RF sniffing etc. are probably a bigger risk than the cost of an SSL cert. They are mandatory if you want to maintain PCI compliance.

--
David Connors | [email protected] | www.codify.com
Software Engineer
Codify Pty Ltd
Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417 189 363
V-Card: https://www.codify.com/cards/davidconnors
Address Info: https://www.codify.com/contact
