HTTPS Or HTTP... The War Begins

Yes, I would suspect Google is using SSL to protect people's accounts, not to prevent DDoS/Trojan injections, or whatever else is going on.

Strange, but I guess I've seen stranger things.

Regarding vBulletin, I think they just went to SSL to prevent people's sessions from being hijacked by Firesheep over public Wi-Fi. But unless the session cookie is marked secure only, it may not really provide much protection.

It happened to Slicehost a while back: their account management pages were secure, but their cookies weren't.
http://forum.slicehost.com/comments.php?DiscussionID=5026
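
The point above about session cookies that are not marked secure only, shown as an added example that is not part of the original thread: a small check that parses Set-Cookie header values and reports cookies lacking the Secure attribute, which a browser will also send over plain HTTP. The header values and function names are constructed for illustration.

```python
# Added example: find cookies that lack the Secure attribute.
# SAMPLE_HEADERS is constructed test data, not captured from any real site.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise them.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookies_missing_secure(set_cookie_headers):
    """Return the names of cookies the browser would also send over HTTP."""
    exposed = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        # Only a real attribute counts. A substring search for "secure"
        # would be fooled by a cookie whose *value* is "secure".
        if "secure" not in attrs:
            exposed.append(name)
    return exposed


SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; HttpOnly",               # no Secure attribute
    "auth=def456; Path=/; secure; HttpOnly",             # lowercase attribute
    "pref=secure; Path=/",                               # value, not attribute
    "sid2=xyz; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure;",
]

if __name__ == "__main__":
    for cookie_name in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"{cookie_name}: no Secure attribute, sent over HTTP as well")
```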
 
I only just got it here when I went to Google today. Hadn't been automatically redirected to Google https before.

It seems that hijacking is getting more complicated than the adage form data type protection...
 
To me, that defeats the point of SSL entirely.

When someone visits an HTTPS page, they see the lock icon and expect you to have certified the content as bona fide. If you have loaded uninspected third-party content via a proxy in order to remove SSL warnings, you break that trust, as you cannot assure your visitors that everything they see on that page is safe and provided by you.


What is the best way to deal with this? Don't allow third party content?
 
If you don't want to break https period, then yes, don't allow video or image embedding from a third party website. Ensure everything on your site is hosted by your server only, and all will be well.
 