On Wed, Nov 6, 2013 at 8:49 PM, Ross Singer <[log in to unmask]> wrote:
> I guess I just don't see why http and https can't coexist.
They can definitely coexist, but there is a corresponding maintenance cost
and a slightly higher risk profile (e.g. session hijacking is still
possible in a variety of mixed http/https configurations). I noticed a a
pretty good, if a bit dated, run-down of the tradeoffs for various secure
setups in Drupal
Even if the solutions have somewhat changed, it does get at the idea of
what some of the tradeoffs are between security, usability and maintenance.
Just today, I noticed a security alert (https://drupal.org/node/2129381)
for the Drupal 6 Secure Pages module where theoretically secured pages and
forms could be transmitted in the clear. This is the module you'd most
likely use to achieve a mixed http/https site in Drupal.
I have personally tended to just put everything behind https because of the
added work/modules/maintenance associated to running it along side of http
(in Drupal, specifically), but I am a lazy person with access to free certs
and ferncer servers.
University of Minnesota Libraries