I saw this article in the HTTPWatch blog post, and working in the SSL procurement and consulting space I am sure to say that SSL is still a mystery ground for a lot of people. When it comes to SSL, myths come into effect more than facts. Some of these myths are:
Myth #1 – My Site Only Needs HTTPS for the Login Page
This is a commonly held view. The theory being that HTTPS will protect the user’s password during login but HTTPS is not needed after that. The recently released Firesheep add-on for Firefox demonstrated the fallacy of this approach and how easy it is to hijack someone else’s session on sites like Twitter and Facebook. The free public WiFi in a coffee shop is an ideal environment for session hijacking because:
- The WiFi network doesn’t normally use encryption so it’s very easy to monitor all traffic
- The WiFi network probably uses NAT through a single IP address to access the internet. This means that a hijacked session appears to come from the same network address as the original login
Myth #2 – Anything can go in Cookies and Query Strings with HTTPS
Myth #3 – Each HTTPS Site Needs its Own Public IP Address
Myth #4 – SSL Certificates are Expensive
If you shop around you can find SSL certificates for about $10 a year, roughly the same cost as the registration of a .com domain for a year.
Myth #5 – HTTPS Never Caches
People often claim that HTTPS content is never cached by the browser; perhaps because that seems like a sensible idea in terms of security. In reality, HTTPS caching is controllable with response headers just like HTTP.
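As an added example (not code from the HTTPWatch article or from this post), the following audit checks the response headers a site sends after login for the two failure modes discussed under Myth #1 and Myth #5: a session cookie that the browser will also send over plain HTTP, and an HTTPS response that is left cacheable because nothing told the browser otherwise. The sample header sets are constructed for the example.

```python
# Constructed sample responses: the first is what a site that only uses
# HTTPS for the login page typically sends; the second is a hardened version.
WEAK = {
    "Set-Cookie": "session=abc123; Path=/",
    "Cache-Control": "public, max-age=3600",
}
HARDENED = {
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly",
    "Cache-Control": "no-store",
}


def parse_set_cookie(value):
    """Split a Set-Cookie header into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # bare flags map to ""
    return name, attrs


def audit(headers, sensitive=True):
    """Return a list of findings for one response; an empty list means it passes."""
    findings = []
    if "Set-Cookie" in headers:
        name, attrs = parse_set_cookie(headers["Set-Cookie"])
        # Without Secure the browser sends the cookie on http:// requests too,
        # so an eavesdropper on open WiFi sees the session after the HTTPS login.
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: it will also travel over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly: readable by page scripts")
    # Myth #5: HTTPS does not disable caching; only the response headers do.
    directives = {d.strip().lower() for d in headers.get("Cache-Control", "").split(",")}
    if sensitive and "no-store" not in directives:
        findings.append("sensitive response lacks Cache-Control: no-store; HTTPS alone does not prevent caching")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(hdrs) or ["ok"])
```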