
SSL Necessity

Hi experts,

I know that for some secure transactions we should use SSL to secure them. I have a few questions.

1. How secure is SSL? Is it hard to hack?
2. Normally, for each website, SSL (https) is only used on certain pages where security is dealt with. Why? Does SSL slow performance? Why don't they simply encrypt the whole website using SSL?
3. In my J2EE web app, how do I switch between https and http? I have both ports open in my Tomcat.

Thanks.

Regards
Dave
Asked by suprapto45

1 Solution
bloodredsun Commented:
>>1. How secure is SSL? Is it hard to hack?
Very (especially the full strength version). Unless you are the NSA, you probably won't have the computing power to hack an SSL encrypted transmission. It's fairly standard in e-commerce and banking to use this as your level of encryption. SSL certs can be of differing strengths so it's important to use the full 128 bit type.

>>2. Normally, for each website, SSL (https) is only used on certain pages where security is dealt with. Why? Does SSL slow performance? Why don't they simply encrypt the whole website using SSL?
Yes, SSL takes a little more processing time than non-SSL so it's normally just for reasons of efficiency.

>>3. In my J2EE web app, how do I switch between https and http? I have both ports open in my Tomcat.
Normally SSL is implemented on an Apache front-end which is connected to Tomcat via mod_jk so I have no experience in installing SSL on Tomcat, but here is the link to the official how-to http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html.
Switching is normally just a matter of either the user being forwarded to an HTTPS link when they login or them clicking on an HTTPS link.
suprapto45 (Author) Commented:
Hi bloodredsun,

How r u?

Well, I have following questions.

>>" It's fairly standard in e-commerce and banking "
Are banking and big companies normally using Thawte and Verisign SSL? Or do they create their own?

>>"Switching is normally just a matter of the either the user being forwarded"
I have installed SSL in my Tomcat and it runs well. However, as you know, sometimes in our Servlet we just redirect the page without typing in the full path. For example, res.sendRedirect("/Global/jsp/login/loginagain.jsp");
How do I specify that the loginagain.jsp is https and not http?

Thx anyway :).

Regards
Dave
bloodredsun Commented:
>>How r u?
Good thanks Dave, hope you're well too :-)

>>Are banking and big companies normally using Thawte and Verisign SSL? Or do they create their own?
We use Thawte or Verisign or another one of the big boys of the "Certificate Authority" (CA). I'd only ever use a self-signed one for development work because on a production site, the user would be constantly asked "Will you accept this cert". This is because the browser only immediately trusts certs from a recognised CA (such as Thawte, GeoTrust or Verisign).

>>How do I specify that the loginagain.jsp is https and not http?
The best way would be to use a full link, but create the full link programmatically, e.g.

  res.sendRedirect("https://" + request.getServerName() + ":" + request.getServerPort() + "/Global/jsp/login/loginagain.jsp");

Else, in your loginagain.jsp do a check for https as the protocol...

  if ( !"https".equals( request.getScheme() ) ) {
      // redirect to the https version of this same page, as it's currently http
      response.sendRedirect("https://" + request.getServerName() + request.getRequestURI());
      return;
  }
suprapto45 (Author) Commented:
Hi,

Thx bloodredsun. Things get clearer and better for me :).

Regards
Dave
suprapto45 (Author) Commented:
Hi,

if you don't mind, I have one question....

request.getServerPort(): which port is obtained? The SSL port (443) or just the normal Tomcat port (80)? Anyway, I do not need to specify the port since they are 443 and 80 respectively.

Regards
Dave
bloodredsun Commented:
request.getServerPort() gives you whichever port was used in the current request, so actually this is redundant for you and you don't need it.

Cheers Dave,
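A servlet filter that does the http-to-https switch discussed in this thread for a whole set of protected paths, and that sidesteps the getServerPort() point raised in the last two comments (the current request's port is the HTTP port, so the HTTPS port has to come from configuration). This is an added example, not code posted by either participant; the class name, the httpsPort init parameter and the web.xml mapping are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: map it in web.xml to the paths that must be served over HTTPS
// (for example /Global/jsp/login/*). Any plain-HTTP request for those paths is
// redirected to the same URL on Tomcat's HTTPS connector.
public class RequireHttpsFilter implements Filter {
    // Port of the HTTPS connector; 443 is the default and is left out of the URL.
    private int httpsPort = 443;

    public void init(FilterConfig config) {
        String port = config.getInitParameter("httpsPort"); // assumed init-param
        if (port != null) {
            httpsPort = Integer.parseInt(port);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // isSecure() is true on the SSL connector; equivalent to the
        // "https".equals(request.getScheme()) check from the answer above.
        if (!request.isSecure()) {
            response.sendRedirect(buildSecureUrl(request, httpsPort));
            return;
        }
        chain.doFilter(req, res);
    }

    // Rebuilds the current request URL with the https scheme. getServerPort() would
    // return the port of the *current* (HTTP) request, so the HTTPS port is passed in.
    static String buildSecureUrl(HttpServletRequest request, int httpsPort) {
        StringBuffer url = new StringBuffer("https://").append(request.getServerName());
        if (httpsPort != 443) {
            url.append(':').append(httpsPort);
        }
        url.append(request.getRequestURI());
        String query = request.getQueryString();
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    public void destroy() {}
}
```

A redirect only protects the page that is eventually served: a form that was POSTed to the http URL has already sent its fields in clear before the filter runs, so login links and form actions should point at the https URL directly and the filter is a safety net.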