@ http://hackersmag.blogspot.com [30/03/2011]
http://hackersmag.blogspot.com/2011/03/full-site-ssl-ification-is-not-option.html
Full Site SSL-ification is not an option, need to make SSL secure first
I have heard (recently and in the past) security-aware people wasting a lot of their potential over arguments like
+ ‘Basic HTTP is insecure’ {sometimes in the novice past}
+ ‘SSL-ify entire web service’ {there is still a lot of push for this}
Now, ‘Basic HTTP’ being insecure is not a flaw by design… but a flaw by choice.……….
Though it has been haunting websites through attacks like
+[] SSL Stripping:
It’s due to……….
+[] Sidejacking:
It occurs……….
……….
Then, ‘Full Site SSL-ification’ is a good choice from a theoretical security point of view, but only in theory.
There are different SSL-defeating attacks, involving
+[] Flaws in Libraries like NSS:
There was a……….
+[] Fake SSL Certificate generation:
Not a flaw……….
……….
So, if you look deeper into the serial-murder case file of SSL certificates, you’ll see it ain’t safe…
and so there is no point in arguing over its mixed/full implementation.