>-----Original Message----- >From: Henrik Bentel [mailto:[EMAIL PROTECTED] > >I have a web app which serves both static and non static content, both >secure and unsecure(https and http). >Now, all my ssl configuration is under my secure virtual host, >such that it applies to everything. However, I have quite a bit static >content(images, css, javascript.,...) which doesn't need to be very secure. I >somewhat only want to secure my dynamic content.
To add to Cliff's comment about browsers complaining about the mix of secure an insecure content there is a genuine security reason for *not* doing what you propose. Put yourself in the position of a crook who has gained access to the datastream flowing into your SSL server. As you are probably aware, all encryption ciphers can be cracked by a brute force attack (making repeated attempts at guesssing the key). Hopefully, the time-to-crack will be "long", but you don't know how fast the crook's computer is. If he works for the NSA, it might be very fast indeed. If you serve all content via SSL, he has no idea which packets are important and which are just images etc. so he has to crack everything. If you decide to save a teeny bit of processing on the server by encrypting only the important things, he then sees lots of "en clair" packets (containing image data etc.) which he can safely ignore and only a few occasional nuggets of encrypted data which he can be sure are worth cracking. Thus he can focus his efforts on these. Therefore, you make life easy for the cracker by highlighting the packets that are worth cracking! In other words, the best place to hide a leaf is in the forest. You shouldn't need to worry about the processing load of the SSL encryption. If it is slowing your server, then, frankly, your server is not powerful enough to serve the traffic you have - get more memory, upgrade the chipset, do whatever is necessary to get up to speed. Rgds, Owen Boyle Disclaimer: Any disclaimer attached to this message may be ignored. >But, I don't want to generate absolute URLs on the fly to link to >non-secure static content. What I want is to make request to >certain urls >"less secure" such that processing is faster. For example, I have a >directory called art, which is just a defined alias for a >directory. Is >there a way to make ssl processing for this directory less >restrictive than >for the "generic requests" to the virtual host so that >processing is faster? > >Home someone can help > >Henrik Bentel > >______________________________________________________________________ >Apache Interface to OpenSSL (mod_ssl) www.modssl.org >User Support Mailing List [EMAIL PROTECTED] >Automated List Manager [EMAIL PROTECTED] > Diese E-mail ist eine private und persönliche Kommunikation. Sie hat keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Swiss Exchange. This e-mail is of a private and personal nature. It is not related to the exchange or business activities of the SWX Swiss Exchange. Le présent e-mail est un message privé et personnel, sans rapport avec l'activité boursière de la SWX Swiss Exchange. This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company. ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
