[Techtalk] implementing HTTPS-only sitewide

adric at adric.net adric at adric.net
Mon Sep 10 20:25:16 UTC 2012

On 09/05/2012 08:47 PM, chris wrote:
To redirect the entire site, you could use a
redirect   Redirect permanent /
https://subdomain.domain.com/  However, SSL can be slow
so I wouldn't run an entire site over SSL unless it was
necessary or had low traffic.  [snip ap[ache configs]
hope that helps

This is a good idea for performance and sanity but there are
security concerns to having HTTP and HTTPS content on the
same site.  Last year's BEAST attack tool takes
advantage of that, for instance, and there are some
cross-site scripting, session stealing, and other
malfeasance made easier by having secure and insecure
content both.

Security experts have been urging the big site providers to go
all-SSL for some time and they are reluctantly following this advice
after the hullabaloo over Firesheep. Google has been big on
pushing ahead with this.

BEAST: http://vnhacker.blogspot.com/2011/09/beast.html (links about
  BEAST abound, no ref to HTTP usage in any..)
Firesheep: http://codebutler.com/firesheep?c=1 (home page)
Google blog:


More information about the Techtalk mailing list