Posted on 02/11/2005 1:20:19 PM PST by rudy45
I have come across several web pages that do nothing but display information. These pages, however, are SSL-encrypted. That is, their address begins https rather than http, and I see the little padlock icon at the lower right.
I could understand the encryption if the page were asking for confidential/personal information. However, the web pages in this case don't do so. What is the reasoning behind the encryption, therefore? What is the downside, in addition to (?) slower performance (?).
Thanks.
Have you tried to access the same page after deleting the s from https in the address line? A lot of sites that use SSL don't limit what pages can be requested using SSL and therefore you can wind up accessing the entire site through SSL.
Thanks for the idea. I deleted the "s", hit (enter), and found that the page refreshed and put the "s" back in.
It's "no skin off my nose," but I am just curious why someone would design a website this way. Am I correct that unnecessary SSL encryption can slow down performance in accessing the page? Why else would someone do it?
If you look e.g. at www.vanguard.com, you will see that some pages are http (general information) and some are https (the one that asks for user login).
Maybe the designers of the other pages are just careless, and put SSL in unnecessarily?
Can you give us a URL of a page that is using SSL encryption unnecessarily?
Most browsers will (should) pop up a warning when you go from an SSL page to non-SSL. Encrypting all pages, even if they don't need it, keeps the user from having to dismiss the popup as they move around.
Ha, I should have done it before.
https://acadtech.gwu.edu/
Notice all they do is display links to offices, staff etc. I do not see any input forms for personal/confidential data.
Perhaps the owners of the page want to prevent IP hijacking and spoofing.
Thanks. Could you elaborate? I appreciate it.
//Thanks. Could you elaborate? I appreciate it.//
There are ways to hack IP routing so that requests which are supposed to go to one computer go instead to a different one. There have been countermeasures installed on much of the net, but there are probably still some pretty big security holes.
In order for your computer to initiate an https connection to www.somethingorother.com, the owner of somethingorother.com has to contact VeriSign or some other agency to receive a digitally-signed key that the site can use for communication. Unless VeriSign gives such a key to someone who is not authorized to use it, it will be impossible for someone to produce a squawk-free spoof site (unless they can break the associated cryptography or otherwise obtain a signed key). Anyone trying to connect to the spoof site would receive a warning that the site's https: information could not be validated.
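The validation described in the reply above, as an added example that is not part of the original thread: a throwaway private CA stands in for VeriSign, it signs a certificate for the real site, and a look-alike certificate with the same name but no CA signature fails the check. The CA name, file names and the `make_pki` and `validates` helpers are constructed for this demo, and it covers only the signature chain, not the host-name comparison a browser also performs.

```shell
#!/bin/sh
# Constructed demo: all names and files below are made up for illustration.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

make_pki() {
    # Trust anchor: the CA certificate a browser would already ship with.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Demo CA" \
        -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.pem" 2>/dev/null

    # Real site: generates a key and a signing request, and the CA signs it.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=www.somethingorother.com" \
        -keyout "$demo_dir/site.key" -out "$demo_dir/site.csr" 2>/dev/null
    openssl x509 -req -in "$demo_dir/site.csr" -days 1 \
        -CA "$demo_dir/ca.pem" -CAkey "$demo_dir/ca.key" -CAcreateserial \
        -out "$demo_dir/site.pem" 2>/dev/null

    # Look-alike: same name, but self-signed because the CA never signed it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.somethingorother.com" \
        -keyout "$demo_dir/spoof.key" -out "$demo_dir/spoof.pem" 2>/dev/null
}

# Succeeds only if the certificate chains to the trusted CA.
validates() {
    openssl verify -CAfile "$demo_dir/ca.pem" "$1" >/dev/null 2>&1
}

make_pki
for cert in site spoof; do
    if validates "$demo_dir/$cert.pem"; then
        echo "$cert.pem: validated against the CA"
    else
        echo "$cert.pem: NOT validated (a browser would warn here)"
    fi
done
```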
If I understand you, I believe you are saying that SSL encryption does more than ensure the security of information that is passed between systems. It also ensures that the site I want to connect to IS that site.
In that case, even though my site does nothing but display information, I would want to make sure that no one puts up a fake site to imitate mine, then redirect people to that fake site to give them wrong information?
Thanks.
Precisely.
You are a GENIUS lol