OK! Uncle! Just let's do something! I don't care *that* much about it!

-Ross.

On Nov 6, 2013 11:34 PM, "Chad Fennell" <[log in to unmask]> wrote:

> On Wed, Nov 6, 2013 at 8:49 PM, Ross Singer <[log in to unmask]> wrote:
>
> > I guess I just don't see why http and https can't coexist.
> >
>
> They can definitely coexist, but there is a corresponding maintenance cost
> and a slightly higher risk profile (e.g. session hijacking is still
> possible in a variety of mixed http/https configurations). I noticed a
> pretty good, if a bit dated, run-down of the tradeoffs for various secure
> setups in Drupal
>
> http://drupalscout.com/knowledge-base/drupal-and-ssl-multiple-recipes-possible-solutions-https
> .
> Even if the solutions have somewhat changed, it does get at the idea of
> what some of the tradeoffs are between security, usability and maintenance.
>
> Just today, I noticed a security alert (https://drupal.org/node/2129381)
> for the Drupal 6 Secure Pages module where theoretically secured pages and
> forms could be transmitted in the clear. This is the module you'd most
> likely use to achieve a mixed http/https site in Drupal.
>
> I have personally tended to just put everything behind https because of the
> added work/modules/maintenance associated to running it alongside http
> (in Drupal, specifically), but I am a lazy person with access to free certs
> and ferncer servers.
>
> HTH
> --
> Chad Fennell
> Web Developer
> University of Minnesota Libraries
> (612) 626-4186
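
The session-hijacking risk in a mixed http/https site, as an added example that is not part of the original thread: given the Set-Cookie lines from a login response and the URLs a site serves, it reports which cookies a browser would send over plain http. The cookie names, host and URLs are constructed sample values, and the check assumes a single host with every cookie scoped to Path=/.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample data (not captured traffic); cookie names are hypothetical.
LOGIN_RESPONSE_SET_COOKIE = [
    "SESSexample=deadbeef; Path=/; HttpOnly",           # no Secure attribute
    "SSESSexample=cafef00d; Path=/; Secure; HttpOnly",  # Secure attribute set
]
PAGE_REQUESTS = [
    "https://library.example/user/login",
    "http://library.example/catalog",
    "http://library.example/admin/help",
]


def parse_set_cookie(lines):
    """Map cookie name -> True if the Secure attribute is present."""
    flags = {}
    for line in lines:
        jar = SimpleCookie()
        jar.load(line)
        for name, morsel in jar.items():
            flags[name] = bool(morsel["secure"])
    return flags


def cleartext_exposures(set_cookie_lines, urls):
    """List (url, cookie) pairs where a browser would send the cookie over http."""
    flags = parse_set_cookie(set_cookie_lines)
    exposures = []
    for url in urls:
        if urlsplit(url).scheme != "http":
            continue  # https requests are encrypted in transit
        for name, secure in flags.items():
            if not secure:  # browsers withhold Secure cookies from http requests
                exposures.append((url, name))
    return exposures


if __name__ == "__main__":
    for url, name in cleartext_exposures(LOGIN_RESPONSE_SET_COOKIE, PAGE_REQUESTS):
        print(f"{name} would be sent in the clear to {url}")
```

An empty result means no listed http page receives a cookie that lacks Secure; serving every page over https removes the http rows altogether.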