 |
 |
On Wed, Nov 6, 2013 at 8:49 PM, Ross Singer <[log in to unmask]> wrote: > I guess I just don't see why http and https can't coexist. > > They can definitely coexist, but there is a corresponding maintenance cost and a slightly higher risk profile (e.g. session hijacking is still possible in a variety of mixed http/https configurations). I noticed a a pretty good, if a bit dated, run-down of the tradeoffs for various secure setups in Drupal http://drupalscout.com/knowledge-base/drupal-and-ssl-multiple-recipes-possible-solutions-https. Even if the solutions have somewhat changed, it does get at the idea of what some of the tradeoffs are between security, usability and maintenance. Just today, I noticed a security alert (https://drupal.org/node/2129381) for the Drupal 6 Secure Pages module where theoretically secured pages and forms could be transmitted in the clear. This is the module you'd most likely use to achieve a mixed http/https site in Drupal. I have personally tended to just put everything behind https because of the added work/modules/maintenance associated to running it along side of http (in Drupal, specifically), but I am a lazy person with access to free certs and ferncer servers. HTH -- Chad Fennell Web Developer University of Minnesota Libraries (612) 626-4186