SSL Everything:
Protect all of your website, not just a few parts

White Paper

Chances are, if you're utilizing SSL, you're not utilizing it to its full potential. SSL is a powerful technology that can help organizations protect their data as well as their users. While the technology behind SSL is solid, the most common best practices for its implementation do not take full advantage of the benefits that SSL brings. And this may be inadequate to provide proper security to the modern web application environment.

SSL 101

To explain, let's first quickly review what SSL technology gives an organization in terms of benefits. These benefits are trust and privacy.

Trust is provided through the use of a CA (Certificate Authority), such as VeriSign or Thawte. By having your SSL certificate signed by a CA, no one else can use your domain name with SSL without showing some sort of error.

Privacy is provided through encryption, which scrambles traffic so that it is incomprehensible to a potential eavesdropper. With regular HTTP, information such as usernames, passwords, and credit card information is all sent over the Internet in plain text. Someone could potentially "sniff" this traffic, which is the electronic equivalent of eavesdropping on a conversation. What's more, this process can be automated so that it can be done unattended: a program automatically sniffs the network and pulls out the parts it is programmed to find interesting, such as passwords and credit card numbers. So encryption is one of the most powerful tools utilized in e-commerce.

SSL in practice

The ability to provide trust and privacy allows an organization to protect sensitive information. Currently, SSL is used primarily to protect just a few types of sensitive information. These include:

- Passwords (during login)
- Credit card transactions, which is a PCI (Payment Card Industry) compliance requirement

Most of what SSL is used for can be classified in one of those two ways. But is that the only type of sensitive data that could benefit from SSL? Consider the following:

- Memos on corporate strategy (web mail)
- Confidential sales information (CRM)
- Trade secrets (web portal)
- Session identifiers (in the HTTP cookie)

With the exception of VPN technology that may or may not be in place, most of this information isn't typically protected in most enterprises. It's all done with regular non-SSL HTTP.

And then think for a moment: what data could you send over the Internet that isn't sensitive? That is, what data would you not care about if it fell into the hands of competitors or the public? It could even be that most of your data is non-sensitive, but some of it will invariably be, so how are you to know what is and what isn't? So why not protect it all?

Session Protection

There's another type of data that your users might want protected, although most don't know about it. This type of data is called a "session cookie". When the web protocol was developed, it was initially "stateless", in that each request was independent of the others. As the web moved from static web pages to interactive web applications, there needed to be a way to create a relationship between the user and the server, where the web application would customize responses specifically to that user. This was done through assigning the user a session ID, typically in the form of an HTTP...

If only the initial login and perhaps credit card transactions are done with SSL, that means this session ID value is sent repeatedly over the network "in the clear" (without encryption). This makes it relatively easy to eavesdrop on this particular data, because there's no privacy.

So what's the catch?

So, given the benefits of SSL and the nature of much of the data being transferred, why isn't SSL used as the default? To answer this question, we need to look at the history of SSL and how usage developed.

When it was first created, the primary drawback to SSL was that it required more horsepower in terms of the server's resources. Encrypting and decrypting is a CPU-intensive operation. What's more, general-purpose CPUs (such as x86 processors) are not optimized for this task. This is still true today, even for
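The session-cookie problem described under "Session Protection" comes down to one rule a browser applies: a cookie set without the Secure attribute is attached to every request for that host, over http:// as well as https://, so a site that only wraps the login page in SSL leaks the session ID on every later plain-HTTP request. The following audit script is an added example written for this page, not code from the white paper or its author; it models that browser rule and flags session cookies that would travel in the clear. The cookie names it treats as session identifiers and the sample Set-Cookie headers are constructed for illustration.

```python
"""Audit Set-Cookie headers for session cookies that would be sent in the clear.

Added example (not from the white paper). It models the decision a browser
makes when attaching a cookie to a request, so a defender can see which
cookies on a mixed HTTP/HTTPS site leave the protection of SSL.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Substrings that suggest a cookie carries a session identifier.
# Constructed list; extend it with your own application's cookie names.
SESSION_NAME_HINTS = ("sess", "sid", "jsessionid", "phpsessid", "token", "auth")


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str] = field(default_factory=dict)  # lower-cased attribute names

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attrs

    def looks_like_session(self) -> bool:
        n = self.name.lower()
        return any(h in n for h in SESSION_NAME_HINTS)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return Cookie(name.strip(), value, attrs)


def sent_over(cookie: Cookie, scheme: str) -> bool:
    """Would a browser attach this cookie to a request using `scheme`?

    Without the Secure attribute the cookie travels over both http:// and
    https://; with it, the browser only sends it on https://.
    """
    if scheme == "https":
        return True
    return not cookie.secure


def audit(headers: List[str]) -> List[str]:
    """Return findings for session cookies that a mixed-mode site would expose."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        if not c.looks_like_session():
            continue
        if sent_over(c, "http"):
            findings.append(f"{c.name}: session cookie lacks Secure; sent in the clear on http://")
        if not c.http_only:
            findings.append(f"{c.name}: session cookie lacks HttpOnly")
    return findings


# Constructed sample headers: the first is what a "login-only SSL" site typically
# sets; the second is the hardened form; the third is a non-session cookie.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123def456; Path=/",
    "JSESSIONID=abc123def456; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
```

Run against the constructed headers, the script reports the first JSESSIONID cookie twice (no Secure, no HttpOnly) and stays silent on the hardened one. Marking the cookie Secure is the narrow fix; it only stops the leak, and the site still has to serve every page over SSL for the user to stay logged in, which is the white paper's broader point.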