Https security question

Posted on 2006-05-15
Medium Priority
Last Modified: 2012-05-05
Hi all

I have run two separate scans on my web server; one recommended that all weak ciphers need to be disabled, i.e., a user can now connect using low 56-bit encryption browsers rather than the 128-bit required.
The other scanner suggested we use https instead of http; https provides 128-bit encryption. Currently users connect using http to get to the main website, then when customers log on to the secure sites, they are directed to https pages.

Both scanners found the same issue. My question is: should users be able to connect at 56 bit to the home page, or should we change to https on the home page?

I am offering 250 points.

Question by: shp44
LVL 14

Expert Comment

ID: 16685135
I'm not sure where the problem lies, but my reading of your question doesn't make sense.

HTTP (without the /S) does not do encryption at all.

HTTP/S can do a variety of types of encryption using a variety of protocols.

56-bit encryption is considered weak, so if you do encryption at all, it really should be 128 bit.
Also, SSLv2 is considered weak, so you should be doing SSLv3 and TLS only.

Whether you need encryption on the main page before customers log in depends on what they can get to without logging in and what the implications are.

For example, if this is a site with health information, there is a certain line of thinking that the fact that they browsed the section of the site on a particular disease or treatment is itself a piece of confidential health information about that person.

However, that they browsed what types of coffee are available at a store is not quite so confidential.
LVL 81

Accepted Solution

arnold earned 750 total points
ID: 16687627
What application did you run to get the security evaluation? The encryption of the session is negotiated between the browser and the server. You can, of course, configure your web server to require 128-bit or higher encryption. You need to determine whether all your users have 128-bit or higher encryption capable browsers.
One way is to do it transparently to the user by adding code to your page that logs the encryption level. The other way is to restrict access to 128-bit only and see if anyone calls in.

Encryption adds overhead to the server and the client. You need to decide whether a particular set of information should or needs to be encrypted. Only you can answer whether your whole site needs to be encrypted and, if not, which parts need to be encrypted.
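The "log the encryption level first, then tighten" approach in the accepted answer can be scripted. The following is an added example, not code from the question or from arnold: it assumes the server logs each session's protocol, cipher and key size (on Apache this is the real mod_ssl `LogFormat` shown in the comment), parses a few constructed sample lines, and reports which sessions and client hosts would be cut off once the server is set to require 128-bit or higher and SSLv2 is turned off (the point made in the first comment as well).

```python
import re

# Constructed sample lines (not from the question) in a custom Apache mod_ssl LogFormat:
#   LogFormat "%h %t \"%r\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x" ssl_audit
# SSL_PROTOCOL, SSL_CIPHER and SSL_CIPHER_USEKEYSIZE are real mod_ssl variables;
# the hosts, times and sessions below are made up for the example.
SAMPLE_LOG = """\
10.0.0.5 [15/May/2006:10:01:12 +0000] "GET /index.html HTTP/1.1" TLSv1 RC4-MD5 128
10.0.0.9 [15/May/2006:10:02:30 +0000] "GET /index.html HTTP/1.1" SSLv2 DES-CBC-MD5 56
10.0.0.9 [15/May/2006:10:02:31 +0000] "GET /login HTTP/1.1" SSLv2 DES-CBC-MD5 56
10.0.0.12 [15/May/2006:10:03:00 +0000] "GET /account HTTP/1.1" SSLv3 EXP-RC4-MD5 40
10.0.0.20 [15/May/2006:10:04:45 +0000] "GET /index.html HTTP/1.1" TLSv1 AES256-SHA 256
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<protocol>\S+) (?P<cipher>\S+) (?P<bits>\d+)$'
)

MIN_KEY_BITS = 128           # the level both scanners in the question ask for
WEAK_PROTOCOLS = {"SSLv2"}   # rejected regardless of cipher strength


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bits"] = int(rec["bits"])
    return rec


def weak_reason(rec, min_bits=MIN_KEY_BITS):
    """Explain why a session would be rejected once the server is tightened, or None."""
    if rec["protocol"] in WEAK_PROTOCOLS:
        return "protocol %s" % rec["protocol"]
    if rec["bits"] < min_bits:
        return "%d-bit cipher %s" % (rec["bits"], rec["cipher"])
    return None


def audit(log_text, min_bits=MIN_KEY_BITS):
    """Return (sessions seen, weak sessions with reasons, client hosts that would be locked out)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    weak = [(r, weak_reason(r, min_bits)) for r in records]
    weak = [(r, why) for r, why in weak if why]
    locked_out = sorted({r["host"] for r, _ in weak})
    return len(records), weak, locked_out


if __name__ == "__main__":
    total, weak, hosts = audit(SAMPLE_LOG)
    print("sessions: %d, would be rejected at %d bits: %d" % (total, MIN_KEY_BITS, len(weak)))
    for rec, why in weak:
        print("  %-10s %-28s %s" % (rec["host"], rec["request"], why))
    print("clients to contact before enforcing: %s" % ", ".join(hosts))
```

Run it against a few days of real log data before flipping the switch; once the list of affected clients is empty (or acceptable), the enforcement itself belongs in the server configuration, on Apache via the `SSLProtocol` and `SSLCipherSuite` directives, so that 40- and 56-bit suites and SSLv2 are never offered in the first place.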
