Don’t be lazy when configuring security certificates

Monday, 17 November 2008  

If you’re going to offer a secure protocol to your users, don’t do what CSA Australia did, as I indicated in an earlier post.

Don’t configure your SSL certificate for your “www” subdomain and then just assume that your users will get to your website by typing in the “www” and that the webserver will automatically take care of the rest.

It won’t.

If your webserver is configured to automatically redirect to your “www” subdomain when the user hasn’t specified the silly “dubya-dubya-dubya” prefix in your website address, then you must also change all your links to secure forms to explicitly use “https://www.”, instead of “https://”, as the prefix for those links.
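One way to catch this before your users do, as an added example that is not from the original post: scan a page for `https://` links and form actions and report any whose hostname the certificate does not cover. The browser validates the certificate during the TLS handshake, before the server gets a chance to send its HTTP redirect, which is why the redirect cannot paper over the mismatch. The sample HTML, the `example.com` names and the function names are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' may stand only for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # "*.example.com" never covers bare "example.com"
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered_https_links(html: str, cert_names: list[str]) -> list[str]:
    """Return https:// URLs in href/action attributes that the cert does not cover."""
    urls = re.findall(r'(?:href|action)\s*=\s*["\'](https://[^"\']+)["\']', html, re.I)
    bad = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        if not any(name_matches(name, host) for name in cert_names):
            bad.append(url)
    return bad

# Constructed sample page: one plain link, one secure form, two secure links.
SAMPLE_HTML = """
<a href="http://example.com/about">About</a>
<form action="https://example.com/login" method="post"></form>
<a href="https://www.example.com/account">Account</a>
<a href="https://shop.example.com/cart">Cart</a>
"""

# Constructed certificate name lists (what the subjectAltName would contain).
CERT_WWW_ONLY = ["www.example.com"]
CERT_WWW_AND_BARE = ["www.example.com", "example.com"]
CERT_WILDCARD = ["*.example.com"]

if __name__ == "__main__":
    for label, names in [("www only", CERT_WWW_ONLY),
                         ("www + bare", CERT_WWW_AND_BARE),
                         ("wildcard", CERT_WILDCARD)]:
        print(label, "->", uncovered_https_links(SAMPLE_HTML, names))
```

Note that the wildcard certificate still leaves the bare-domain form uncovered, so either fix the link or get a certificate that names both hosts.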

Posted in Programming, Security, Usability, Web by Ivan