[Techtalk] implementing HTTPS-only sitewide
adric at adric.net
Mon Sep 10 20:25:16 UTC 2012
On 09/05/2012 08:47 PM, chris wrote:
Hi,
To redirect the entire site, you could use a redirect:
    Redirect permanent / https://subdomain.domain.com/
However, SSL can be slow, so I wouldn't run an entire site over SSL unless it was
necessary or had low traffic. [snip apache configs]
hope that helps
chris
This is a good idea for performance and sanity, but there are
security concerns to having HTTP and HTTPS content on the
same site. Last year's BEAST attack tool takes
advantage of that, for instance, and cross-site scripting,
session stealing, and other malfeasance are made easier by
having secure and insecure content both.
Security experts have been urging the big site providers to go
all-SSL for some time and they are reluctantly following this advice
after the hullabaloo over Firesheep. Google has been big on
pushing ahead with this.
BEAST: http://vnhacker.blogspot.com/2011/09/beast.html (links about
BEAST abound, no ref to HTTP usage in any..)
Firesheep: http://codebutler.com/firesheep?c=1 (home page)
Google blog:
http://googleonlinesecurity.blogspot.com/2009/06/https-security-for-web-applications.html
hth,
adric
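The thread talks about redirecting a whole site to HTTPS with an Apache Redirect and about the session-stealing risk of mixed HTTP/HTTPS content. The following is an added example, not code from the list post, showing the same policy as a small WSGI middleware so it can be exercised offline: plain-HTTP requests get a 301 to the https:// equivalent, HTTPS responses get a Strict-Transport-Security header (HSTS is my addition, not mentioned in the post), and every Set-Cookie is marked Secure so a session cookie is never sent in the clear. The hostnames, paths and cookie values are constructed sample data; the HTTPS listener is assumed to be on the default port 443, and the X-Forwarded-Proto header is only honoured when the caller opts in because it can be spoofed by any client that is not behind a trusted proxy.

```python
from urllib.parse import urlunsplit

# One year, applied to subdomains too; an assumption, adjust to taste.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def https_url(environ):
    """Rebuild the request URL with the https scheme and no explicit port."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    host = host.split(":")[0]  # assumes HTTPS is served on 443
    path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
    query = environ.get("QUERY_STRING", "")
    return urlunsplit(("https", host, path, query, ""))


def secure_cookie(value):
    """Append the Secure attribute to a Set-Cookie value if it is missing."""
    attrs = [a.strip().lower() for a in value.split(";")]
    if "secure" not in attrs:
        value = value + "; Secure"
    return value


class HttpsOnly:
    """WSGI middleware enforcing HTTPS site-wide (added example)."""

    def __init__(self, app, trust_proxy_header=False):
        self.app = app
        # Only trust X-Forwarded-Proto when a known proxy sets it.
        self.trust_proxy_header = trust_proxy_header

    def _is_https(self, environ):
        if environ.get("wsgi.url_scheme") == "https":
            return True
        if self.trust_proxy_header:
            return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
        return False

    def __call__(self, environ, start_response):
        if not self._is_https(environ):
            # Plain HTTP: do not serve content, send the client to https://.
            start_response("301 Moved Permanently", [
                ("Location", https_url(environ)),
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", "0"),
            ])
            return [b""]

        def secured_start_response(status, headers, exc_info=None):
            new_headers = []
            for name, value in headers:
                if name.lower() == "set-cookie":
                    value = secure_cookie(value)
                new_headers.append((name, value))
            new_headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, new_headers, exc_info)

        return self.app(environ, secured_start_response)


def demo_app(environ, start_response):
    """Constructed application that sets a session cookie without Secure."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "session=abc123; HttpOnly; Path=/"),
    ])
    return [b"hello"]


def make_environ(scheme, host="www.example.com", path="/account",
                 query="tab=1", proto_header=None):
    """Build a minimal constructed WSGI environ for testing."""
    environ = {
        "wsgi.url_scheme": scheme, "HTTP_HOST": host, "SERVER_NAME": host,
        "SCRIPT_NAME": "", "PATH_INFO": path, "QUERY_STRING": query,
        "REQUEST_METHOD": "GET",
    }
    if proto_header is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = proto_header
    return environ


def run(app, environ):
    """Invoke a WSGI app and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = HttpsOnly(demo_app)
    print(run(app, make_environ("http")))
    print(run(app, make_environ("https")))
```

Wrap the real application in HttpsOnly at the top of the stack, in front of any handler that sets cookies; behind a TLS-terminating proxy pass trust_proxy_header=True only when that proxy is the sole path to the app.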