SSL Certificate. For which pages?

Published 2019-06-01 07:58

Question:

Which pages need to use an SSL certificate for an online shop? This site is available just for registered users and the payment is made using a third-party provider. I suppose: login, signup, change password.

Any other recommendation?

Answer 1:

Use SSL based on which pages send or receive confidential information. Your "About Us" or "Products and Services" pages do not need to use SSL. The pages you mentioned (login, signup, change password) do.



Answer 2:

Simply make all pages SSL encrypted.

You probably have a session cookie and you never want it to be sent over an unencrypted connection. Besides that, there's no good reason for not using SSL on every single page.

Besides that, it looks odd if the "SSL icon" in the address bar appears and disappears on quite a few page changes.



Answer 3:

It is important that you use SSL for all the pages. SSL does not only protect against eavesdropping but also ensures that the content cannot be tampered with over the wire. A man in the middle can change whatever he wants if you do not use SSL. Imagine the following scenario:

  • Page A (no ssl): Pretty uninteresting site without secret content. Links to your login page (page B).
  • Page B (ssl): Your login page.

A user requests page A. A man in the middle attack can change the link on page A so that it points at a server he controls, conducting an advanced phishing attack. Your user trusts and follows the manipulated link, because it seems to come from page A. Without SSL your user cannot tell that the server output has been tampered with. With SSL on both pages such an attack would not be possible, as long as your users care about the browser warnings (which, unfortunately, almost no one does).
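An added example, not part of any answer above: a small audit over recorded responses that flags the two conditions answers 2 and 3 describe, a page served over plain HTTP and a session cookie set without the `Secure` attribute. The host `shop.example`, the cookie name `SESSIONID` and the sample responses are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: (requested URL, status, response headers) as a crawler might record them.
SAMPLE_RESPONSES = [
    ("http://shop.example/about", 200, [("Content-Type", "text/html")]),
    ("http://shop.example/products", 301, [("Location", "https://shop.example/products")]),
    ("https://shop.example/login", 200,
     [("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly")]),
    ("https://shop.example/account", 200,
     [("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly; Secure")]),
]


def audit(responses):
    """Return (url, finding) pairs for content or cookies exposed to plain HTTP."""
    findings = []
    for url, status, headers in responses:
        location = next((v for k, v in headers if k.lower() == "location"), "")
        if urlsplit(url).scheme == "http":
            # A plain-HTTP URL is acceptable only if it immediately redirects to HTTPS.
            redirects = 300 <= status < 400 and urlsplit(location).scheme == "https"
            if not redirects:
                findings.append((url, "served over plain HTTP"))
        for name, value in headers:
            if name.lower() != "set-cookie":
                continue
            cookie = SimpleCookie()
            cookie.load(value)
            for morsel in cookie.values():
                # Without Secure the browser also sends the cookie on http:// requests.
                if not morsel["secure"]:
                    findings.append((url, f"cookie {morsel.key} lacks Secure"))
    return findings


if __name__ == "__main__":
    for url, finding in audit(SAMPLE_RESPONSES):
        print(f"{url}: {finding}")
```

A redirect only protects the requests that follow it; the first plain-HTTP request can still be altered in transit, which is the situation answer 3 describes for page A.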