OK! Uncle! Just let's do something! I don't care *that* much about it!
-Ross.
On Nov 6, 2013 11:34 PM, "Chad Fennell" <[log in to unmask]> wrote:
> On Wed, Nov 6, 2013 at 8:49 PM, Ross Singer <[log in to unmask]> wrote:
>
> > I guess I just don't see why http and https can't coexist.
> >
> >
> They can definitely coexist, but there is a corresponding maintenance cost
> and a slightly higher risk profile (e.g. session hijacking is still
> possible in a variety of mixed http/https configurations). I noticed a a
> pretty good, if a bit dated, run-down of the tradeoffs for various secure
> setups in Drupal
>
> http://drupalscout.com/knowledge-base/drupal-and-ssl-multiple-recipes-possible-solutions-https
> .
> Even if the solutions have somewhat changed, it does get at the idea of
> what some of the tradeoffs are between security, usability and maintenance.
>
> Just today, I noticed a security alert (https://drupal.org/node/2129381)
> for the Drupal 6 Secure Pages module where theoretically secured pages and
> forms could be transmitted in the clear. This is the module you'd most
> likely use to achieve a mixed http/https site in Drupal.
>
> I have personally tended to just put everything behind https because of the
> added work/modules/maintenance associated to running it along side of http
> (in Drupal, specifically), but I am a lazy person with access to free certs
> and ferncer servers.
>
> HTH
> --
> Chad Fennell
> Web Developer
> University of Minnesota Libraries
> (612) 626-4186
>
|