tomcat-users mailing list archives

From Konstantin Preißer <kpreis...@apache.org>
Subject RE: Restricting SSL access within webapp
Date Sat, 02 Aug 2014 11:58:23 GMT
Hi,

> -----Original Message-----
> From: John Smith [mailto:tomcat.random@gmail.com]
> Sent: Friday, August 1, 2014 11:43 PM
> To: Tomcat Users List
> Subject: Re: Restricting SSL access within webapp
> 
> On Fri, Aug 1, 2014 at 4:34 PM, Caldarale, Charles R <
> Chuck.Caldarale@unisys.com> wrote:
> 
> > > From: John Smith [mailto:tomcat.random@gmail.com]
> > > Subject: Restricting SSL access within webapp
> >
> > > What's the correct way to selectively restrict https to only one area of
> > a webapp?
> >
> > Why would you want to do that?  Other than a few extra server CPU cycles,
> > what's the harm in allowing SSL anywhere at the client's discretion?
> >
> >  - Chuck
> >
> 
> From the docs:
> 
> Also, while the SSL protocol was designed to be as efficient as securely
> possible, encryption/decryption is a computationally expensive process from
> a performance standpoint. It is not strictly necessary to run an entire web
> application over SSL, and indeed a developer can pick and choose which
> pages require a secure connection and which do not. For a reasonably busy
> site, it is customary to only run certain pages under SSL, namely those
> pages where sensitive information could possibly be exchanged.
> 
> Unfortunately how to do this isn't explained. I might use a filter. Our
> site handles 500,000 visitors a day on two TC instances. Believe me, I need
> to consider performance costs.


Note that putting a complete website on SSL (and not only parts of it) can help protect
users from SSL stripping attacks: this is where a man-in-the-middle manipulates the HTTP
traffic so that all references to HTTPS (e.g. a link to a "Login" form) are substituted by
HTTP ones, so that when the user goes to a part of the website which should be accessed over
SSL, he accesses it over plain HTTP and the attacker can intercept all traffic (assuming the
user doesn't know that the login part of this particular website should only be accessed over
HTTPS and not HTTP).

Therefore, I think it's good practice (at least for security-sensitive sites, and if the
users are not technologically adept enough to know to access e.g. the login page only over HTTPS)
to use SSL for the whole website, not only for a part of it. Additionally, HTTP Strict Transport
Security [1] will help to prevent the user from accidentally viewing a website over HTTP instead
of HTTPS, and requires that the whole website uses SSL.


Regards,
Konstantin Preißer


[1] http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security 
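As an added example (not part of the message above, and not Tomcat code), the attack and the defence Konstantin describes, modelled offline in Python: strip_ssl() performs the man-in-the-middle rewrite of HTTPS references to HTTP, and HstsClient keeps the "Known HSTS Host" list a browser builds from Strict-Transport-Security headers received over HTTPS, so a returning visitor's request for the stripped "Login" link is upgraded to https:// before anything is sent. The hostname shop.example, the HTML page and the headers are constructed for the demonstration.

```python
"""SSL stripping vs. HSTS, modelled offline.

Added example, not from the mailing-list message: the MITM rewrite of a page's
HTTPS references, and the HSTS client state that makes the rewrite useless.
shop.example, the HTML and the headers below are constructed test data.
"""
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed page as the origin server would send it over plain HTTP. The
# login link and checkout form point at HTTPS; that is what a stripper targets.
ORIGIN_HTML = (
    '<html><body>'
    '<a href="https://shop.example/login">Login</a> '
    '<a href="http://shop.example/catalog">Catalog</a> '
    '<form action="https://shop.example/checkout" method="post"></form>'
    '</body></html>'
)

_HTTPS_REF = re.compile(r'(href|action|src)=(["\'])https://', re.IGNORECASE)


def strip_ssl(html: str) -> str:
    """The man-in-the-middle rewrite: every https:// reference becomes http://,
    so the victim's next request stays in the clear where the attacker reads it
    (the attacker relays it to the real server over HTTPS himself)."""
    return _HTTPS_REF.sub(lambda m: f'{m.group(1)}={m.group(2)}http://', html)


@dataclass
class HstsPolicy:
    expires_at: float
    include_subdomains: bool


@dataclass
class HstsClient:
    """Just enough of RFC 6797 to show the effect: a Known HSTS Host list keyed
    by hostname, populated only from headers that arrived over HTTPS."""
    known_hosts: Dict[str, HstsPolicy] = field(default_factory=dict)
    now: Callable[[], float] = time.time

    def observe_response(self, url: str, headers: Dict[str, str]) -> None:
        parts = urlsplit(url)
        if parts.scheme != "https":
            return  # RFC 6797 s8.1: an STS header received over HTTP is ignored
        sts = headers.get("Strict-Transport-Security")
        if sts is None:
            return
        max_age: Optional[int] = None
        include_sub = False
        for directive in sts.split(";"):
            name, _, value = directive.strip().partition("=")
            name, value = name.lower(), value.strip().strip('"')
            if name == "max-age" and value.isdigit():
                max_age = int(value)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # no valid max-age, no policy
        host = parts.hostname.lower()
        if max_age == 0:
            self.known_hosts.pop(host, None)  # max-age=0 deletes the policy
            return
        self.known_hosts[host] = HstsPolicy(self.now() + max_age, include_sub)

    def _policy_for(self, host: str) -> Optional[HstsPolicy]:
        labels = host.lower().split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            candidate = ".".join(labels[i:])
            policy = self.known_hosts.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= self.now():
                del self.known_hosts[candidate]  # expired policy
                continue
            if i == 0 or policy.include_subdomains:
                return policy
        return None

    def resolve(self, url: str) -> str:
        """URL the client will actually request: http:// is rewritten to https://
        before any packet leaves the machine if the host is a Known HSTS Host."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._policy_for(parts.hostname or ""):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def login_request_url(client: HstsClient, html_seen_by_browser: str) -> str:
    """Where following the 'Login' link would take this particular client."""
    href = re.search(r'href="([^"]+)">Login<', html_seen_by_browser).group(1)
    return client.resolve(href)


if __name__ == "__main__":
    stripped = strip_ssl(ORIGIN_HTML)
    first_visit = HstsClient()
    print("first visit, no HSTS state ->", login_request_url(first_visit, stripped))
    returning = HstsClient()
    returning.observe_response(
        "https://shop.example/",
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    )
    print("returning visitor with HSTS ->", login_request_url(returning, stripped))
```

The first visitor, with no HSTS state, follows the rewritten link to http://shop.example/login and the attacker sees the credentials; the returning visitor's client upgrades the same link to https:// before connecting, so the stripped page buys the attacker nothing. This is also the caveat to keep in mind: HSTS protects only clients that have already received the header over HTTPS (or have the site preloaded), which is why the whole site, not just the login area, needs to be served over SSL for the header to be set on the pages users actually arrive at.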

