I came across ‘How to Deploy HTTPS Correctly’ written by Chris Palmer of the Electronic Frontier Foundation. Chris does a great job explaining why web site operators should use HTTPS versus just HTTP. He points out a couple of good practices that were not previously addressed in my blog post, ‘SSL Deployment Mistakes’:
- Scope sensitive cookies to the secure origin to avoid cookie “leak” to potentially less secure hosts in the same domain.
- Use HTTP Strict Transport Security (HSTS), see my blog post for more details.
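Both practices can be checked mechanically from a server's response headers. The following audit is an added example written for this post, not code from Chris Palmer's paper or from Entrust; the six-month HSTS threshold and the sample headers are assumptions constructed for illustration.

```python
"""Audit HTTPS response headers for the two practices above: sensitive
cookies scoped to the secure origin (Secure set, no Domain attribute that
widens the cookie to sibling hosts) and HSTS present with a usable max-age."""
import re

# Assumed policy threshold for this example: six months in seconds.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, {attr_lower: attr_value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(headers):
    """headers: list of (name, value) pairs as sent by the server.
    Returns a list of findings; an empty list means both checks pass."""
    findings = []
    hsts = None
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(f"cookie {cookie!r} lacks Secure; browser may send it over plain HTTP")
            if "domain" in attrs:
                # A Domain attribute makes the cookie host-wide; omitting it keeps it host-only.
                findings.append(f"cookie {cookie!r} sets Domain={attrs['domain']}; shared with sibling hosts")
        elif lname == "strict-transport-security":
            hsts = value
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        match = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if not match or int(match.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age missing or below policy: {hsts!r}")
    return findings


# Constructed sample responses: a weak deployment beside a hardened one.
WEAK_HEADERS = [("Set-Cookie", "session=abc123; Path=/; Domain=example.com; HttpOnly")]
HARDENED_HEADERS = [
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]
```

Running `audit_headers(WEAK_HEADERS)` reports the unscoped cookie and the missing HSTS header, while the hardened set returns no findings.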
Chris concludes, “HTTPS provides the baseline of safety for web application users, and there is no performance- or cost-based reason to stick with HTTP. Web application providers undermine their business models when, by continuing to use HTTP, they enable a wide range of attackers anywhere on the internet to compromise users’ information.”
I wholly endorse Chris’ recommendations and conclusions. If you need to deploy HTTPS, please read his paper. Of course, if you need SSL certificates, please contact Entrust.