Https security question

Posted on 2006-05-15
Last Modified: 2012-05-05
Hi all

I have run two separate scans on my web server; one recommended that all weak ciphers be disabled, i.e., a user can currently connect using low 56-bit encryption browsers rather than the 128-bit required.
The other scanner suggested we use https instead of http, since https provides 128-bit encryption. Currently users connect using http to get to the main website, then when customers log on to the secure sites, they are directed to https pages.

Both scanners found the same issue. My question is: should users be able to connect at 56-bit to the home page, or should we change to https on the home page?

I am offering 250 points.

Question by:shp44
    LVL 14

    Expert Comment

    I'm not sure where the problem lies, but my reading of your question doesn't make sense.

    HTTP (without the /S) does not do encryption at all.

    HTTP/S can do a variety of types of encryption using a variety of protocols.

    56-bit encryption is considered weak, so if you do encryption at all, it really should be 128-bit.
    Also, SSLv2 is considered weak, so you should be doing SSLv3 and TLS only.

    Whether you need encryption on the main page before customers log in depends on what they can get to without logging in and what the implications are.

    For example, if this is a site with health information, there is a certain line of thinking that the fact that they browsed the section of the site on a particular disease or treatment is itself a piece of confidential health information about that person.

    However, that they browsed what types of coffee are available at a store is not quite so confidential.
    LVL 76

    Accepted Solution

    What application did you run to get the security evaluation? The encryption of the session is negotiated between the browser and the server. You can, of course, configure your web server to require 128-bit or higher encryption. You need to determine whether all your users have browsers capable of 128-bit or higher encryption.
    One way is to do it transparently to the user by adding code to your page that logs the encryption level. The other way is to restrict access to 128-bit only and see if anyone calls in.

    Encryption adds overhead to the server and the client. You need to decide whether a particular set of information should or needs to be encrypted. Only you can answer whether your whole site needs to be encrypted and, if not, which parts need to be encrypted.
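The accepted solution suggests logging the negotiated encryption level before enforcing a 128-bit minimum. The following is an added example (not code from this thread) that does that measurement from the server side: it parses access-log lines that record the SSL protocol, cipher and key size per request, flags sessions that used SSLv2 or fewer than 128 key bits, and reports which clients would be refused once the server requires 128-bit or better. The log layout is an assumption modelled on Apache mod_ssl's `SSL_PROTOCOL`, `SSL_CIPHER` and `SSL_CIPHER_USEKEYSIZE` variables, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed Apache mod_ssl CustomLog format:
#   "%h %t \"%r\" %>s %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x"
# (mod_ssl exports these variables; the exact format is an assumption, not from the thread).
SAMPLE_LOG = """\
192.0.2.10 [15/May/2006:10:01:02 +0000] "GET /login HTTP/1.1" 200 TLSv1 RC4-SHA 128
192.0.2.11 [15/May/2006:10:01:05 +0000] "GET /login HTTP/1.1" 200 SSLv3 DES-CBC-SHA 56
192.0.2.12 [15/May/2006:10:01:09 +0000] "GET /login HTTP/1.1" 200 SSLv2 EXP-RC4-MD5 40
192.0.2.13 [15/May/2006:10:02:00 +0000] "GET /account HTTP/1.1" 200 TLSv1 AES256-SHA 256
192.0.2.10 [15/May/2006:10:02:30 +0000] "GET /account HTTP/1.1" 200 TLSv1 RC4-SHA 128
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<protocol>\S+) (?P<cipher>\S+) (?P<keysize>\d+)$'
)

MIN_KEY_BITS = 128          # the strength both scanners in the thread asked for
WEAK_PROTOCOLS = {"SSLv2"}  # SSLv2 is weak regardless of the cipher's key size

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["keysize"] = int(rec["keysize"])
    return rec

def is_weak(rec):
    """A session is weak if it used SSLv2 or negotiated fewer than 128 key bits."""
    return rec["protocol"] in WEAK_PROTOCOLS or rec["keysize"] < MIN_KEY_BITS

def summarize(log_text):
    """Per-client strength: which hosts would be cut off by a 128-bit-or-better policy."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    weak_hosts = sorted({r["host"] for r in records if is_weak(r)})
    ok_hosts = sorted({r["host"] for r in records} - set(weak_hosts))
    ciphers = Counter((r["protocol"], r["cipher"]) for r in records)
    return {"total": len(records), "weak_hosts": weak_hosts,
            "ok_hosts": ok_hosts, "ciphers": ciphers}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} TLS requests; clients refused at >=128-bit: {s['weak_hosts']}")
    for (proto, cipher), n in s["ciphers"].most_common():
        print(f"  {proto:6} {cipher:14} {n}")
```

Run against a real log collected over a representative period, a non-empty `weak_hosts` list tells you who would break before you tighten the server's cipher policy.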
