US Senator calls for extension of full https coverage

Created: 28 Feb 2011 • Updated: 18 Dec 2012
Tim Callan

The SSL blog has covered the progress in adoption of full https coverage on popular web sites such as Gmail and Facebook. By extending SSL coverage to the entirety of a user's session, not just the login screen, a site can defeat new attacks such as Firesheep, which make it possible for man-in-the-middle attackers to harvest potentially damaging information from sessions that would otherwise appear safe to the average user.

The latest installment in this story came yesterday, when New York Senator Charles Schumer called on Amazon, Twitter, and other popular sites to protect their entire experience under https.

In July 2010 Google famously published that https was no longer computationally intensive. While there has been some debate over exactly what the definition of computationally intensive should be, that discussion tends to miss the fundamental point: comprehensive SSL support is necessary to ensure security. If we were talking about a zero-day vulnerability, organizations would be updating their code and applying patches as soon as they conceivably could. That is essentially the situation we have with unsecured http pages on social sites, and the purveyors of these sites should treat this need with equal gravity.

Ultimately, any site should protect its entire session if it offers or uses:

  • Financial information
  • E-mail or messaging
  • Social interactions with friends or trusted links
  • Personally identifiable information
  • Any information that might be private or sensitive