Saturday, May 14, 2005

IEBlog :

IEBlog :: "Critical Mistake #1: Non-HTTPS Login pages (even if submitting to a HTTPS page).

Most webdevs know that HTTPS is comparatively expensive-- the multistage handshake with multiple roundtrips and cryptographic operations is inherently less performant than straight HTTP. A few years ago, someone got the bright idea that login pages should be served via HTTP to reduce this performance hit. "

This is bad for 2 reasons, which are explained in the article. The article also goes on to discuss mixing HTTP content into HTTPS pages.
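The two conditions named above can be checked mechanically on your own pages. This is an added example, not code from IEBlog or from this blog; the hostnames and sample HTML are constructed, and the list of fetching tags is a non-exhaustive assumption:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute makes the browser fetch a subresource (assumed, not exhaustive).
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src"}

class PageAudit(HTMLParser):
    """Collects findings for one page, given the URL it was served from."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlparse(page_url).scheme
        self.form_action = None  # resolved action of the form currently open
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page URL itself.
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            target = self.form_action or self.page_url
            if self.page_scheme != "https":  # flagged even when target is HTTPS
                self.findings.append(("login-page-not-https", target))
            if urlparse(target).scheme != "https":
                self.findings.append(("login-submit-not-https", target))
        elif tag in FETCH_ATTRS and a.get(FETCH_ATTRS[tag]):
            ref = urljoin(self.page_url, a[FETCH_ATTRS[tag]])
            if self.page_scheme == "https" and urlparse(ref).scheme == "http":
                self.findings.append(("mixed-content", ref))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def audit(page_url, html):
    """Return a list of (finding, url) tuples for one fetched page."""
    parser = PageAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    # Constructed sample: HTTP login page whose form posts to an HTTPS URL.
    html = '<form action="https://example.test/session"><input type="password"></form>'
    print(audit("http://example.test/login", html))
```
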
