[Sussex] Switching from HTTP to HTTPS

Nico Kadel-Garcia nkadel at gmail.com
Wed Jan 24 01:14:58 UTC 2007


Andy Smith wrote:
> On Tue, Jan 23, 2007 at 07:33:54PM +0000, Colin Tuckley wrote:
>
>> Brendan Whelan wrote:
>>
>>> Thank you all for the quick responses and useful information.
>>> I will have a chat with the client tomorrow and see what they want to do. 
>>>
>> Going to https is probably overkill, why not just password protect that
>> (sub)directory on the site?
>>
>
> Without https the password will generally be going over plain text
> (barring some of the more unusual auth methods which frankly are more
> trouble than just using https).
>
> If there is any sensitive data in there then that's not good either.
>
> The site is probably not insecure now, going via https with some
> "nonsecure elements", it's most likely just the browser being
> paranoid.  But it's good to get these things fixed as users don't
> like surprises.
>
> Cheers,
> Andy

And it's tough for a user to decode what is safe or not, what is HTTP 
vs. HTTPS, if they aren't experts. It's much simpler to give them pure 
HTTPS and let them not worry about it, unless the CPU burden of the 
HTTPS is so large that it will overburden your server.

That sort of thing is a compelling reason to design your site well: to 
keep the secure stuff in one area, and the general material, especially 
streaming or other bulky data, in another area that can be accessed 
without HTTPS.
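
Added example, not part of the original message or thread: a small Python check for the "nonsecure elements" warning discussed above. It lists the embedded resources that a page served over HTTPS would still fetch over plain HTTP. The page URL, the sample HTML and the names `find_mixed_content` and `MixedContentFinder` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (illustrative only, not taken from the thread).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="//static.example.org/menu.js"></script>
</head><body>
<img src="http://www.example.org/img/logo.png">
<img src="img/photo.jpg">
<a href="http://www.example.org/about.html">About</a>
<iframe src="http://stats.example.net/counter.html"></iframe>
</body></html>"""

# Attributes that make the browser fetch a subresource while rendering.
# <a href> is absent on purpose: a link is navigation, not an embedded element.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "embed": "src",
    "audio": "src", "video": "src", "source": "src", "object": "data",
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url      # relative URLs inherit the page's scheme
        self.findings = []        # (tag, resolved URL) fetched over plain HTTP

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # A <base href="http://..."> turns every relative URL insecure.
            self.base = urljoin(self.base, attrs["href"])
            return
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            attr = "href" if ("stylesheet" in rel or "icon" in rel) else None
        else:
            attr = SUBRESOURCE_ATTRS.get(tag)
        value = attrs.get(attr) if attr else None
        if not value:
            return
        resolved = urljoin(self.base, value.strip())
        if urlparse(resolved).scheme == "http":
            self.findings.append((tag, resolved))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings
```

Relative and scheme-relative (`//host/path`) references are not reported because they follow the page onto HTTPS; only absolute `http://` references, or anything resolved against an `http://` base, trigger the warning.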



