SSL Question Again

Status
Not open for further replies.

bgreenhouse

Technical User
Feb 20, 2000
231
CA
Hi everyone

I asked a question earlier about SSL. I'm new to SSL, but I am coding pages that will be deployed on an SSL server. Is there anything I need to do differently on the front end, or is it just automatically secure if the server is configured right?

All the web tutorials I find seem to be on how to configure your server, so I am presuming that is the main step, but I am not sure. Any suggestions?

Ben
 
In general, yes, SSL is transparent to the actual content of your web pages. However, there are still some things to think about:

1. Any other content that you link to can still be insecure. For example, if you have a frameset that is in an https:// URL, but one of the individual frames is referred to using the standard http:// URL, then that frame is not secure, even though the code in your frameset *is*. This can also happen when using an image SRC=" attribute (usually not a big deal), or a <script Language="javascript" SRC=" (can be a very big deal). If you use relative links instead of hard links, then that is not a problem. Also, most browsers will alert you if a secure page refers to non-secure sources.

2. You still have to take the same security precautions as in a normal website, meaning that your HTML or Javascript source should not contain any sensitive data that the viewer could use to later hack your site.

3. Think carefully about the data that you are allowing to display on the URL query string, because the same precautions as with HTML source apply here.

My point about items #2 and #3 is that even though SSL keeps outside hackers from eavesdropping on your users, you also should not implicitly trust your users, except where absolutely necessary, because you can never be sure who the user is. (Even if you have a password-protected area, how can you be so sure a hacker hasn't guessed a password?)
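
The check described in point 1 of the reply above, as an added example that is not part of the original thread: a small auditor that resolves every subresource reference against the page's https:// URL and reports those that end up on plain http://. The host names, file names and the "active"/"passive" labels (standing in for the reply's "very big deal" versus "usually not a big deal") are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute loads a subresource into the page.
# "active" content can script or replace the page; "passive" content cannot.
ACTIVE = {("script", "src"), ("frame", "src"), ("iframe", "src"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so SRC= matches too.
        for name, value in attrs:
            key = (tag, name)
            if not value or key not in ACTIVE | PASSIVE:
                continue
            # Resolve the reference the way a browser would: relative and
            # protocol-relative links inherit https from the page itself.
            resolved = urljoin(self.page_url, value.strip())
            if urlsplit(resolved).scheme == "http":
                severity = "active" if key in ACTIVE else "passive"
                self.findings.append((severity, tag, resolved))


def audit(page_url, html):
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    return auditor.findings


# Constructed sample page, served from a constructed https:// URL.
SAMPLE_URL = "https://shop.example/checkout/index.html"
SAMPLE_HTML = """
<frameset cols="20%,80%">
  <frame src="menu.html">
  <frame src="http://shop.example/checkout/form.html">
</frameset>
<img src="http://static.example/logo.gif">
<script language="javascript" src="http://static.example/validate.js"></script>
<a href="http://other.example/">ordinary link, not a subresource</a>
"""

if __name__ == "__main__":
    for severity, tag, url in audit(SAMPLE_URL, SAMPLE_HTML):
        print(f"{severity:8} <{tag}> {url}")
```

The relative `menu.html` frame is not reported because it resolves to https://, which is the reason the reply recommends relative links.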
 