Author Topic: SSL what is it  (Read 1462 times)
ianjofriel
Guest
« Reply #15 on: March 04, 2010, 03:27:03 PM »

Regardless of whether the content is in the same directory, different directories, different servers or different continents, it's the concept of the transmission of non-encrypted data into an SSL page that is the issue. It's like Mercedes making a car with a state-of-the-art biometric key, and using clingfilm for one of the windows.

If you add a non-SSL object into an https page, it is transferred over the wire unencrypted, and is open to man-in-the-middle attacks; why else do you think browsers warn people they are viewing pages with mixed content?

I've set up many SSL sites as well. Also, having supported Cisco kit at a large enterprise level, I've had a fair bit of exposure to IPS, which are there to prevent people using poor practice like this for MITM attacks.
Logged
vittu
Administrator
« Reply #16 on: March 04, 2010, 03:36:51 PM »

To be honest, I'm quite enjoying this debate.
It's obvious that you both have a lot of experience, and debates like this do benefit the forum,

as long as you both realise it's just a difference of opinion, and don't take this as personal (which I don't think you both will).

Anyway, please continue, this is quite a good thread.
Logged

Forum builder
scotserve
Guru
« Reply #17 on: March 04, 2010, 04:16:55 PM »

Quote
Regardless of whether the content is in the same directory, different directories, different servers or different continents, it's the concept of the transmission of non-encrypted data into an SSL page that is the issue. It's like Mercedes making a car with a state-of-the-art biometric key, and using clingfilm for one of the windows.

The directory structure does matter. OK, if I ask you a question: if I have a site called, for example, www.somedomain.com and I access the page using https://www.somedomain.com/index.php, how can I pull in non-secure data from the same domain?
1) if I do a full http:// link to the data
2) if I access again via http and use http://somedomain.com (without the www, as it is only the www.somedomain.com that is encrypted)
Both of the above would be bad coding and would result in security warnings on a fully SSL-enabled site anyway.

With the data all in one directory structure and accessed at Apache level, there is no way to pull in non-secure data from the same domain except with the above stupid coding, which like I say would result in warnings on a fully enabled SSL site as well.

I am not arguing about your point of data mix, only your point of a site being of benefit if it is fully SSL enabled, as IMO it makes zero difference on current servers (with the proviso that it has not been coded by a muppet), but marginally increases overheads and interferes with any tracking software that monitors port 80.

 
Logged

Scotserve - Premium Domain and Hosting services since 1994
ianjofriel
Guest
« Reply #18 on: March 04, 2010, 04:31:54 PM »

Well, let's just hope everyone wakes up tomorrow knowing how to write PHP and ASP or whatever... we should all be OK to remove our malware scanners, etc. by tomorrow evening.

So what's required in becoming a reseller then, technical knowledge or do you just become an affiliate that pays them money?
Logged
scotserve
Guru
« Reply #19 on: March 04, 2010, 04:46:51 PM »

Quote
Well, let's just hope everyone wakes up tomorrow knowing how to write PHP and ASP or whatever... we should all be OK to remove our malware scanners, etc. by tomorrow evening.

So what's required in becoming a reseller then, technical knowledge or do you just become an affiliate that pays them money?

OK, make it as personal as you want, I won't descend down to that level and will stick to the points, but you still ain't answered the question of what benefit a fully enabled SSL would be - if it's bad coding you are worried about, it would still be apparent in a fully enabled site as it would in a site part enabled for customer data entry.
Logged

Scotserve - Premium Domain and Hosting services since 1994
ianjofriel
Guest
« Reply #20 on: March 04, 2010, 05:11:20 PM »

Quote
Quote
Well, let's just hope everyone wakes up tomorrow knowing how to write PHP and ASP or whatever... we should all be OK to remove our malware scanners, etc. by tomorrow evening.

So what's required in becoming a reseller then, technical knowledge or do you just become an affiliate that pays them money?

OK, make it as personal as you want, I won't descend down to that level and will stick to the points, but you still ain't answered the question of what benefit a fully enabled SSL would be - if it's bad coding you are worried about, it would still be apparent in a fully enabled site as it would in a site part enabled for customer data entry.

?? I wasn't making it personal, I was genuinely asking what was involved in being an SSL reseller, you cited it in your previous posting?

You're making an assumption that everyone who would use an SSL cert uses 100% bona fide code they can guarantee stays in the local domain and there are no relative URLs.

The main benefit of having a full SSL site... redirect http traffic to https and every packet in and out between client and server is crypto'd and using the advantage of an SSL cert, and does not leave scope for intermediate attacks.

Even at a consumer level, they will be more at ease seeing the familiar little padlock and not having any security warnings pop up.

The original post has no impact on my day-to-day activity and I was merely trying to add some input. A bit of gentle debate never hurt anyone, so if you have misinterpreted any of it as a personal attack, then please accept my apologies. At the end of the day, I know what works for me and what works for my customers and I was only passing some of that knowledge on in good will.
Logged
scotserve
Guru
« Reply #21 on: March 04, 2010, 08:13:30 PM »



Quote
?? I wasn't making it personal, I was genuinely asking what was involved in being an SSL reseller, you cited it in your previous posting?

2 days' product training, 15 years' experience on a practical level.
I am not interested in the nitty-gritty integration between Apache and SSL - I am only interested in what works and how to set it up - no doubt you could flannel me with technicalities, but I have currently around 100 certs active and over the past 15 years have probably done in excess of 1000. I may not be a BSc in computing but I know what works and how to set it up.

Quote
You're making an assumption that everyone who would use an SSL cert uses 100% bona fide code they can guarantee stays in the local domain and there are no relative URLs.

The main benefit of having a full SSL site... redirect http traffic to https and every packet in and out between client and server is crypto'd and using the advantage of an SSL cert, and does not leave scope for intermediate attacks.

Makes no difference at a practical level - if someone is using bad code then it shows up on a fully enabled site as it would on a part enabled site; in fact it has far more chance of showing up on a full site than it does on a part site. If you are calling via https you cannot call a non-secure object from the domain directory, i.e. if you are calling an https page then as long as the data is on the server in a relative path it is crypto'd. Calling a product description page on SSL is a waste no matter how marginal the overhead increase is, IMO.

Having said that, if you are on an old server structure where https and http traffic is stored in different directories then I can see your point, as you need to ensure all data is duplicated in both directories and you don't make a call from the http directory into an https page, but this is no longer an issue for most servers; historically maybe, but not now.

Quote
Even at a consumer level, they will be more at ease seeing the familiar little padlock and not having any security warnings pop up.

Of course they will, but having a part enabled vs full makes no difference; that's the part of your argument I cannot see - if I am wrong I'm willing to admit it, but nothing you have said so far IMO makes any difference.

Quote
The original post has no impact on my day-to-day activity and I was merely trying to add some input. A bit of gentle debate never hurt anyone, so if you have misinterpreted any of it as a personal attack, then please accept my apologies. At the end of the day, I know what works for me and what works for my customers and I was only passing some of that knowledge on in good will.

Same here Ian, been doing it for years. Have no problem with clients showing non-secure items in secure pages other than the odd numpty who sticks an external non-secure link in place, but like I say that would affect a full SSL site as well.

<quick edit to fix the quote marks>
« Last Edit: March 04, 2010, 08:33:35 PM by vittu » Logged

Scotserve - Premium Domain and Hosting services since 1994
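
The two cases listed in Reply #17 and the relative-path point in Reply #21 can be checked mechanically. The Python sketch below is an added example, not code from any poster in this thread: it resolves each subresource URL against the page URL the way a browser does and reports those that end up on plain http, including the case where a `<base href>` turns relative paths into http fetches. The `cdn.example.net` host, the file paths and the function names are constructed for illustration; `www.somedomain.com` is the example domain used in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource for the page.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                     "embed": "src", "source": "src", "object": "data"}
# <link> fetches only for these rel values; <a href> is navigation, not a fetch.
FETCHING_RELS = {"stylesheet", "icon", "preload"}

# Constructed sample markup (not taken from any real site).
SAMPLE = """<link rel="stylesheet" href="/css/shop.css">
<script src="//cdn.example.net/lib.js"></script>
<img src="images/logo.png">
<img src="http://www.somedomain.com/images/banner.png">
<img src="http://somedomain.com/images/badge.png">
<a href="http://www.somedomain.com/about.php">About</a>"""


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.findings = []  # (tag, raw attribute value, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # <base href> changes how every later relative URL resolves.
            self.base = urljoin(self.base, attrs["href"])
            return
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            raw = attrs.get("href") if rels & FETCHING_RELS else None
        else:
            raw = attrs.get(SUBRESOURCE_ATTRS.get(tag, ""))
        if not raw:
            return
        resolved = urljoin(self.base, raw.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, raw, resolved))


def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a page loaded over HTTPS
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for tag, raw, resolved in find_mixed_content(
            "https://www.somedomain.com/index.php", SAMPLE):
        print(f"<{tag}> {raw} -> {resolved}")
```

On the sample, the relative and protocol-relative references resolve to https and are not reported; only the two absolute `http://` images are.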