tags:

views:

59

answers:

3
Q: 

SSL Linking Strategy In Applications

I'm interested in hearing what others do when, in a given application, some pages need to be secure and others don't. Take any solution off the table that requires a separate domain/subdomain. In this case, all calls, secure or insecure, will link to the same domain. I see a few options:

  1. The ham-fisted, just secure it all approach.
  2. A URI rewrite solution that ensure the pages that need to be secure are accessed via the https protocol and either ignores other pages or, alternatively, forces those to standard http
  3. An application-centric approach where each link is responsible for knowing whether it's pointing and applying the correct protocol. In this solution, all links would have to be fully qualified.
  4. A laissez-fair version of the application-centric approach where links to secure pages are fully qualified and links to other pages are not. In this case, the protocol would be inherited for pages not handled explicitly and inconsequential pages may be accessed via https.

I've used several of these from time to time, but they all have drawbacks. What's everyone else doing in these situations? Is there another path I haven't considered?

UPDATE:

vartec's answer below made me realize that I'd left out one critical piece of information. In my network config, all SSL-handling is taken care of at the load balancer level. The LB, then, communicates with the web server cluster via port 80. As a result, the applications themselves have no idea whether traffic arrived securely. All they see is a port 80 connection.

Thanks.

A: 

I use a mixture of #4 and #2: try to specify absolute URLs where possible when I need to switch protocols, and implement server-side redirection to catch any links I haven't used absolute URLs on (or if someone accesses the URL directly, not by following a link).

In my view, the one essential thing is that the pages which need to be accessed securely (form submissions etc.) are accessed securely, and for that I use Apache's SSLRequireSSL directive. It makes it easy to verify to myself that certain pages will never be accessed except over SSL.

David Zaslavsky  2009-02-25 17:25:00
A: 

I'm for the ham-fisted secure it all approach, but then you took my real solution off the table by (strangely to my mind) excluding domain/subdomain solutions. Errors in securing the site are far more dangerous than a bit of processing overhead.

We have our main site, which is insecure (but mainly marketing) and then we have the application site which is a different subdomain. Simple, easy and effective. Why take that option off the table?

Godeke  2009-02-25 17:25:31
The reason that I took the domain-based approach off the table is that we have limited IPs to work with, so we don't have the option of a separate domain with its own ip just to handle SSL for each site we need to secure.
Rob Wilkerson  2009-02-26 10:47:31
Ah, the port/ip binding problem: you have many sites which will need unique certificates. We wildcard the base domain and clients use subdomains to identify their application, but if your needing distinct domains, that won't work.
Godeke  2009-02-26 16:47:56
A: 

Application centric approach, where controller for each page knows if it has to be secure. If it needs to be secure, but it's accessed via insecure http, redirect to https, passing along all of parameters.

vartec  2009-02-25 17:27:46
Ah, you've hit on something that I neglected to mention (will update in a minute). All SSL handling is done at the load balancer level. The LB, then talks on plain ol' port 80 to the web servers. The applications, then, have no way of knowing whether the traffic came in securely.
Rob Wilkerson  2009-02-26 10:49:31
Isn't the original URL passed along by the LB?
vartec  2009-02-26 11:04:14
The "working" URI itself is forwarded, of course, but not the protocol or original port. LB -> WS communication is strictly http traffic.
Rob Wilkerson  2009-02-26 11:22:48
Well, if the LB configuration doesn't allow appending HTTP headers, then you're right, this won't work.
vartec  2009-02-26 12:03:22

related questions

Why is access denied when installing SSL cert on IIS 5?
What does a PHP developer need to know about https / secure socket layer connections?
Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?
Coding Dojo with IE and SSL
Enforce SSL in code in an ashx handler
How to connect to PostgreSQL from .NET using TLS with both client and server authentication?
HELP SSL GURUs!!! ... Problems with SSL Connection
What's a clean/simple way to ensure the security of a page?
How to specify accepted certificates for Client Authentication in .NET SslStream
SharePoint stream file for preview
Problem with Oracle Application Server SSL Certificates
Is there a limit with the number of SSL connections?
Testing HTTPS files with MAMP
Cheapest SSL certificates
Limiting traffic to SSL version of page only
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Is there a way to make Firefox ignore invalid ssl-certificates?
How do I create a self signed SSL certificate to use while testing a web app.
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
HTTPS in IIS 5.1
How do you redirect HTTPS to HTTP?
Debugging: IE6 + SSL + AJAX + post form = 404 error
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Options for Google Maps over SSL