In the previous post I showed how to enable HSTS so that all HTTP traffic to a website is secured. As cool as that is, the unfortunate reality is that it is not always possible to secure all HTTP traffic for a website especially when dealing with some legacy technology.
HTTP Strict Transport Security or HSTS is a header that instructs a browser not to downgrade a secure https connection to a unsecure HTTP connection for a specified domain.
There is a vulnerability in SSL3 called POODLE, it is documented in detail here by Google. SSL2 & 3 needs to be disabled in the client browser and on the web server. Below is a registry file that can be copied and run on a Microsoft IIS web servers to disable SSL 2 & 3… Read More »
It is important to realize that although a website might be running under HTTPS it does not guarantee that the session information is not accessible from normal HTTP requests. When a session cookie is generated it is important to make sure that the cookie can only be transmitted over a secure HTTP connection (HTTPS).