On Wed, Nov 6, 2013 at 8:49 PM, Ross Singer wrote:
> I guess I just don't see why http and https can't coexist.
>
>
They can definitely coexist, but there is a corresponding maintenance cost
and a slightly higher risk profile (e.g. session hijacking is still
possible in a variety of mixed http/https configurations). I noticed a
pretty good, if a bit dated, run-down of the tradeoffs for various secure
setups in Drupal
http://drupalscout.com/knowledge-base/drupal-and-ssl-multiple-recipes-possible-solutions-https.
Even if the solutions have somewhat changed, it does get at the idea of
what some of the tradeoffs are between security, usability and maintenance.
Just today, I noticed a security alert (https://drupal.org/node/2129381)
for the Drupal 6 Secure Pages module where theoretically secured pages and
forms could be transmitted in the clear. This is the module you'd most
likely use to achieve a mixed http/https site in Drupal.
I have personally tended to just put everything behind https because of the
added work/modules/maintenance associated with running it alongside http
(in Drupal, specifically), but I am a lazy person with access to free certs
and ferncer servers.
HTH
--
Chad Fennell
Web Developer
University of Minnesota Libraries
(612) 626-4186