RE: Some question about modssl
Of course, only Exploder users get this :-P

>-----Original Message-----
>From: James Treworgy [mailto:[EMAIL PROTECTED]]
>Sent: Monday, November 06, 2000 2:01 PM
>To: [EMAIL PROTECTED]
>Subject: Re: Some question about modssl
>
>I would absolutely *not* do this, unless you want your web site users to
>see a message from the web browser saying "this page has both secure and
>insecure information. Do you want to proceed?" every time they use your
>site. This does not instill confidence.
>
>-- Jamie
>
>At 06:03 AM 11/6/00, Owen Boyle wrote:
>>Note that SSL is quite heavy on the system (all that encryption and
>>decryption) so you might like to send some content (such as logo GIFs)
>>by plain HTTP. To do this you can either refer to them explicitly, e.g.
>>

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]

Re: Some question about modssl
> James Treworgy wrote:
> I would absolutely *not* do this, [mix SSL and non-SSL content]
> unless you want your web site users to see a message from the web
> browser saying "this page has both secure and insecure information.
> Do you want to proceed?" every time they use your site.
> This does not instill confidence.

--- Owen Boyle <[EMAIL PROTECTED]> wrote:
> Good point Jamie. However, for some users this may be necessary,
> there is nothing in the protocol against doing this, the browser
> warnings are browser-dependent (Netscape doesn't give a peep)

Which Netscape? I could swear I got this message from my Navigator a few
times when I was first setting up our site, and hadn't cleared up the
messes.

Our intranet site uses a modperl PerlPostReadRequest handler to reroute
requests that *should* have been on the secure protocol, but doesn't
bother with .jpg's or .gif's or certain directories or pages that are
generally OK. That regularly means pages with mixed content, but the
user never gets those messages.

On the other hand, we're a small enough site (an intranet) that we can
afford the extra performance hit of all the 302's for correcting the
protocol on restricted pages. On any high volume site, you'd want to
handle it differently, but I think I've seen some posts where someone
suggested mod_rewrite as an option.

Paul

Re: Some question about modssl
True, there's nothing in protocol against it, and users can switch it
off, but if you're trying to sell something over the internet (which is
the reason a lot of people use SSL) then you really need to cater to the
least common denominator. Trying to explain frightening messages to the
60% or whatever of your users who use Internet Explorer is not a good
way to go about that.

You shouldn't rely on users to "know" how to use SSL, since the
technology is far beyond most of their comprehensions. You should do
everything possible to ensure that the fewest number of people possible
are presented with any difficult or confusing questions, and "this site
contains both secure and insecure objects. do you want to proceed?" is
*definitely* a confusing question to the average user. It will
absolutely cause an e-businessperson to lose customers and there's no
good reason to purposely implement a site this way.

Jamie

At 03:13 AM 11/7/00, Owen Boyle wrote:
> > I would absolutely *not* do this, [mix SSL and non-SSL content] unless
> > you want your web site users to
> > see a message from the web browser saying "this page has both secure and
> > insecure information. Do you want to proceed?" every time they use your
> > site. This does not instill confidence.
>
>Good point Jamie. However, for some users this may be necessary, there
>is nothing in the protocol against doing this, the browser warnings are
>browser-dependent (Netscape doesn't give a peep) and can be switched
>off. Users have to choose for themselves how they want to use SSL.

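Added example, not part of the original thread or of mod_ssl: a small Python check for the situation discussed above, listing the subresources an https:// page would load over plain http:// (the references that make a browser show the "secure and insecure" prompt). The tag list, host names and sample page are constructed assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource (list assumed
# for this example). <a href> is navigation, not page content, so it is absent.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "frame": "src",
    "embed": "src", "input": "src", "object": "data", "body": "background",
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.findings = []  # (line, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # <base href> changes how later relative URLs resolve.
            self.base = urljoin(self.base, attrs["href"])
        name = SUBRESOURCE_ATTRS.get(tag)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            name = "href"
        value = attrs.get(name) if name else None
        if not value:
            return
        # Relative and //host URLs inherit the page's scheme, so resolve first.
        resolved = urljoin(self.base, value.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((self.getpos()[0], tag, resolved))

def find_mixed_content(page_url, html):
    """Return plain-HTTP subresources referenced by a page served over HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return []  # a plain-HTTP page cannot be "mixed"
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page (hypothetical hosts), as if served over HTTPS.
SAMPLE_PAGE = """<html><head><link rel="stylesheet" href="/site.css"></head><body>
<img src="http://www.shop.example/logo.gif">
<img src="images/cart.gif">
<img src="//static.shop.example/banner.gif">
<a href="http://www.shop.example/about.html">About</a>
<script src="http://www.shop.example/menu.js"></script>
</body></html>"""
```

Calling find_mixed_content("https://shop.example/cart.html", SAMPLE_PAGE) reports the explicit http:// logo and script; the relative and protocol-relative images and the plain link are not reported.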
Re: Some question about modssl
James Treworgy wrote:
>
> I would absolutely *not* do this, [mix SSL and non-SSL content] unless
> you want your web site users to
> see a message from the web browser saying "this page has both secure and
> insecure information. Do you want to proceed?" every time they use your
> site. This does not instill confidence.

Good point Jamie. However, for some users this may be necessary, there
is nothing in the protocol against doing this, the browser warnings are
browser-dependent (Netscape doesn't give a peep) and can be switched
off. Users have to choose for themselves how they want to use SSL.

Rgds,

Owen Boyle.

Re: Some question about modssl
I would absolutely *not* do this, unless you want your web site users to
see a message from the web browser saying "this page has both secure and
insecure information. Do you want to proceed?" every time they use your
site. This does not instill confidence.

-- Jamie

At 06:03 AM 11/6/00, Owen Boyle wrote:
>Note that SSL is quite heavy on the system (all that encryption and
>decryption) so you might like to send some content (such as logo GIFs)
>by plain HTTP. To do this you can either refer to them explicitly, e.g.
>

Re: Some question about modssl
Regarding Keuth Stropus's general questions about SSL

> Is it legal?

You live in the Land of the Free, so everything is allowed unless it's
forbidden. Check with the Feds or whoever if you're really worried, but
since every man and his dog has an SSL-enabled site these days, I
wouldn't lose any sleep over it.

> Do I have to use https:// for my whole site?

To quote from "Apache: the definitive guide", by Laurie and Laurie
(published by O'Reilly):

"It's rather bizarre that the *client* is expected to know in advance
that it is going to meet an SSL server and has to log on securely, but
that's the way the web is."

They go on to explain that the usual way to do things is to have a link
on a normal HTTP page which says: "Go to our secure site" and this link
includes the "https" so that the user never has to type it in.
Thereafter you have to have https in the URI to ensure SSL
communications.

Note that SSL is quite heavy on the system (all that encryption and
decryption) so you might like to send some content (such as logo GIFs)
by plain HTTP. To do this you can either refer to them explicitly, e.g.

or use mod_rewrite to rewrite the URLs. See a previous thread on this
topic:

http://www.mail-archive.com/modssl-users%40modssl.org/msg08015.html

Best regards,

owen Boyle.