On Tue, Apr 12, 2011 at 9:44 AM, Ken Schaefer <k...@adopenstatic.com> wrote:

>
> *From:* ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] *On Behalf Of* Richard Carde
> *Sent:* Tuesday, 12 April 2011 2:46 PM
>
>
> On Sun, Apr 10, 2011 at 12:55 PM, Anthony <asale...@tpg.com.au> wrote:
>
> Thanks David... I have installed SSL cert etc.... most ecommerce systems only
> use SSL for login and checkout.. so was looking for a technique to do this...
>
> I don't understand the rationale for falling back to non-https mode.
> IMO, it's bad practice and increases risk to the user - see OWASP Top Ten
> 2010 <https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project> risks
> A3, A6 and A9.
>
>
>
> · Usually requires dedicated IPv4 address – of which we have a shortage
>
> · Has resource overhead in setting up and maintaining a connection – there
> are solutions to this, but they all cost money
>
I think you disregarded the part about 'falling back'.  If you've committed
to securing the login process via SSL then you've used that IP address
already.  Yes, there's overhead.  Yes, you might need more than 1 IP - but
only if you need to secure other content to avoid creating issues related to
mixed-mode security - fetching non-secure (static) content from other hosts
or if you're using a CDN.  But isn't your customer's security more
important?

I would argue that smaller shops would host all content from the same server
or reference SSL-enabled CDNs. Larger shops possibly reverse proxy content
from a single listener which requires only a single IP address.


>
>
> Cheers
>
> Ken
>

-- 
*Richard Carde*

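The mixed-mode problem raised in the thread (static or CDN assets referenced over plain http:// from an HTTPS page) can be checked for mechanically. The following scanner is an added example, not code from anyone in the thread; the host names and the sample HTML are constructed.

```python
"""Mixed-content scanner: lists sub-resources an https:// page would fetch
over plain HTTP. Such assets can be tampered with on-path and cause browsers
to flag or block the page. Added example; sample HTML and hosts are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs that make the browser fetch or submit to a URL.
# Plain <a href> is navigation, not a sub-resource, so it is not listed.
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "form": ("action",),
    "link": ("href",),   # only counted when rel contains "stylesheet"
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for attr in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # Relative and protocol-relative ("//cdn/...") URLs inherit the
            # page's https scheme, so only an explicit http:// is a finding.
            absolute = urljoin(self.page_url, value)
            if urlparse(absolute).scheme == "http":
                self.findings.append((tag, absolute))


def find_mixed_content(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example/js/jquery.js"></script>
</head><body>
<img src="//static.example/logo.png">
<form action="http://shop.example/checkout" method="post"></form>
<a href="http://blog.example/">Blog</a>
</body></html>"""
```

Run `find_mixed_content(SAMPLE_HTML, "https://shop.example/cart")` to see the two insecure references; the relative stylesheet and protocol-relative image resolve to https and are not reported.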