Pros and cons for using https on a logon page?

Discussion in 'ASP .Net' started by Randall Parker, Dec 4, 2005.

  1. 1) What sorts of scenarios make the possibility of sniffing out a password a higher risk?

    2) Do packets travel unencrypted over 802.11 wireless? Is it easy to sniff such
    packets and catch a submit of a logon web page using http? Wireless strikes me as the
    greatest risk.

    3) Have you used http or https for Logon.aspx pages and why?

    4) Anyone know if IIS on Windows Server 2003 has https built in? Easy or hard to
    configure?

    5) If one uses https does one have to do any different code in the CodeBehind for the
    web page? Or is that all handled in the IIS configuration and Web.config?

    6) How does one redirect from an https logon back to the http page the user logged in
    on? Does the http part show up in the RETURNURL argument?
     
    Randall Parker, Dec 4, 2005
    #1

  2. Randall Parker

    neilmcguigan Guest

    Hi Randall,

    I'd recommend reading this article regarding switching between HTTP
    and HTTPS automatically:

    http://www.codeproject.com/aspnet/WebPageSecurity_v2.asp

    You can install the free SelfSSL as part of the IIS resource kit. Users
    will get a warning that your certificate is not trusted, but the
    connection will be encrypted:

    http://www.microsoft.com/downloads/...ee-a71a-4c73-b628-ade629c89499&displaylang=en

    RapidSSL has pretty cheap trusted SSL certificates:

    http://www.rapidssl.com/ssl-certificate-products/rapidssl/ssl-certificate-rapidssl.htm

    Regarding your questions:

    1. if someone can see a packet going to your server, they can see the
    password if not using SSL.

    2. if using encrypted wireless, then no. But the leg of the trip that
    does not go over encrypted wireless will not be encrypted.

    3. yes. to increase user trust, and to prevent packet sniffing

    4. IIS supports SSL, but you need an SSL certificate.

    5. you won't need to change any code. you can enforce SSL using IIS

    6. see the first link

    Cheers

    Neil
     
    neilmcguigan, Dec 4, 2005
    #2

  3. Randall Parker

    nimd4

    Very, very old thread, eye know!.. However, here are some mo' (affordable) SSL certificates: Comodo, GeoTrust, etc.

    Code (Text):
    https://www.namecheap.com/security/ssl-certificates.aspx
    :)
     
    nimd4, May 17, 2014
    #3