[support] Drupal on HTTPS

Metzler, David metzlerd at evergreen.edu
Thu Oct 23 16:27:35 UTC 2008


It depends on many factors. The primary performance concern is
encrypt/decrypt of the data and its impact on CPU. Image files, large
PDF documents, etc. when encrypted can cause CPU performance impact. If
your browsers cache much of this content it's not a huge load, but of
course you need to think about how many concurrent hits you're likely to
get on your site. 

Also understand that this means that the clients need to decrypt the
data. So again if you're sending say a big .wav file to grandma's
6-year-old computer that is loaded with AV software and that old clunker has to
decrypt the content and then scan it for viruses, well grandma may
decide not to watch that movie after all. 

I guess what I'm saying is that if you're doing regular text, with small
numbers of images and you don't expect an insane amount of hits, and
you're not shared hosting, and your server is reasonably current as
far as CPU is concerned, you probably aren't going to notice too much. 

But if your target audience has old clunkers, or you are planning on
putting up heavy content, or you aren't blessed with an abundance of
CPU, then it's probably worth your while to set up securepages, and make
sure your site can respond to https and http.  Frankly that last step
I'd do anyway so you can advertise example.com without users having to
remember to type https. 

Either way you can pretty much look at CPU load to determine whether
this is an issue for you. 

Good luck, 

Dave
 


-----Original Message-----
From: support-bounces at drupal.org [mailto:support-bounces at drupal.org] On
Behalf Of Daniel Carrera
Sent: Thursday, October 23, 2008 1:48 AM
To: support at drupal.org
Subject: Re: [support] Drupal on HTTPS

Thanks.

You mention performance issues. How bad is it? I spent several hours
Googling and I found two papers. One that claims that the delay due to
HTTPS is minimal and another that claims that the delay is significant.
:-(

Metzler, David wrote:
> Naw we do this (Aside from the obvious performance issues about 
> decrypting data for large numbers of hits).  There's a securepages 
> module out there to force redirects on certain pages if you're 
> interested in making sure that just the login information or user 
> information happens over https.
> 
> http://drupal.org/project/securepages
> 
> Dave
> 
> -----Original Message-----
> From: support-bounces at drupal.org [mailto:support-bounces at drupal.org] 
> On Behalf Of Daniel Carrera
> Sent: Wednesday, October 22, 2008 1:07 PM
> To: support at drupal.org
> Subject: [support] Drupal on HTTPS
> 
> Hello,
> 
> Is there any harm in serving Drupal over HTTPS instead of HTTP?
> 
> I want the Drupal login to be on HTTPS because I just don't like 
> sending passwords in plain text. But with Apache it is no more work to
> make the entire site run on HTTPS versus just one page. In fact, it
> seems easier.
> 
> So, I was wondering, is there any good reason not to serve a Drupal 
> site over HTTPS? It seems a bit odd, but I figure, if I already have 
> an SSL certificate, I figure, what's the harm?
> 
> Thanks.
> Daniel
> --
> [ Drupal support list | http://lists.drupal.org/ ]

--
[ Drupal support list | http://lists.drupal.org/ ]

