Site without SSL

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

Please do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.

5/11/2008 9:28:16 AM
Total Posts 48

Site without SSL

Hi there,

One of the mojo sites I'm working on has no SSL support. It will store user details for secured pages, much like this site. How secure is mojo portal without SSL, e.g. for logins, keeping user data safe, etc.?

I used to do a lot with classic ASP and none of the login scripts ever used SSL, which I thought was strange.

Thanks for any help

5/11/2008 9:38:41 AM
Total Posts 18439

Re: Site without SSL

Reasons to use SSL in ASP.NET are no different than in Classic ASP. When using SSL, all packets sent across the wire are encrypted, and this protects things like passwords and other secure data being exchanged between the browser and the server as it travels over the wire.

The risks of not using SSL are the same. If someone upstream from the router is able to sniff those packets, they can obtain the unsecured payload including password and other sensitive data, whereas if it's encrypted then the packets are of little use.

Now the reason you see many sites without SSL is because they don't want to pay for an SSL certificate, and if the data would be of little value if stolen then it's not as big a problem. I mean if someone manages to breach my little hobby site it's not going to impact me as if they breached my bank. But this points out a good reason to not use the same password at your bank as you do at little hobby sites that may not be well secured.

Hope it helps,

Joe

5/11/2008 9:48:04 AM
Total Posts 48

Re: Site without SSL

Hi Joe,

Thanks for the reply.

I take it then that SSL is really only required for the initial login, as after that the login data is stored on the user's computer as an encrypted cookie when using forms authentication. So any future request over HTTP would send the encrypted cookie, which if intercepted would be useless?

5/11/2008 9:55:26 AM
Total Posts 18439

Re: Site without SSL

Everything sent over the wire, including cookies, is encrypted if using SSL. Even when not using SSL, nothing sensitive is stored in the cookie itself; it's just an authentication token. The value in stealing it is not related to its contents but in the possibility of spoofing a privileged user if you could convince the server that you are that user because you have that cookie. Passwords are never stored in the cookie, for example.

In mojoPortal, if SSL is available it will automatically use it on login, register, and profile pages, but you can also specify to use it on all pages or on a per-page basis; depending on the nature of your content on those pages and whether it is sensitive data, you may want to use SSL on additional pages.

Hope it helps,

Joe
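
The scenario discussed in this thread (login over SSL, later pages over plain HTTP) can be checked from the response headers; the following is an added example, not part of the original posts and not mojoPortal code. It assumes the ASP.NET default forms-authentication cookie name `.ASPXAUTH` and uses constructed headers and a placeholder host.

```python
from urllib.parse import urlsplit

# Constructed sample headers, as a login page served over HTTPS might return them.
# ".ASPXAUTH" is the ASP.NET forms-auth default name (assumed, not read from mojoPortal).
WEAK = ["Set-Cookie: .ASPXAUTH=CONSTRUCTED-TICKET; path=/; HttpOnly"]
HARDENED = ["Set-Cookie: .ASPXAUTH=CONSTRUCTED-TICKET; path=/; Secure; HttpOnly"]


def parse_set_cookie(line):
    """Split one Set-Cookie header line into name, Secure flag and path."""
    _, _, value = line.partition(":")
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(),
            "secure": "secure" in attrs,
            "path": attrs.get("path") or "/"}


def cookies_attached(header_lines, url):
    """Names of the cookies a browser would send with a request to `url`."""
    target = urlsplit(url)
    sent = []
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        cookie = parse_set_cookie(line)
        # A cookie marked Secure is never attached to a plain-http request.
        if cookie["secure"] and target.scheme != "https":
            continue
        # Prefix test is a simplification of the RFC 6265 path-match rule.
        if not (target.path or "/").startswith(cookie["path"]):
            continue
        sent.append(cookie["name"])
    return sent


def exposed_auth_cookies(header_lines, host, auth_names=(".ASPXAUTH",)):
    """Auth cookies that would cross the wire unencrypted on an http:// page view."""
    sent = cookies_attached(header_lines, "http://%s/" % host)
    return [name for name in sent if name in auth_names]


if __name__ == "__main__":
    for label, headers in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, exposed_auth_cookies(headers, "example.test"))
```

A non-empty result means the authentication token is replayable by anyone who can observe the HTTP pages, even though the password itself was sent over SSL.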
