Personally I wouldn't consider the HTTP + HTTPS (just for some pages) approach 100% secure. There are some security attacks which are still possible with this solution.
If you are playing with a site where security is a key factor I would consider running everything on HTTPS, redirecting HTTP requests to HTTPS.
Moreover I would actively advise users to always check the secure lock to appears on their browsers.
Just my 2 cents.
Fabio Varesano
Metzler, David wrote:
Naw we do this (Aside from the obvious performance issues about decripting data for large numbers of hits). There's a securepages module out there to force redirects on certain pages if your interested in making sur ethat just the login informatioin or user information happens over https.
http://drupal.org/project/securepages
Dave
-----Original Message----- From: support-bounces@drupal.org [mailto:support-bounces@drupal.org] On Behalf Of Daniel Carrera Sent: Wednesday, October 22, 2008 1:07 PM To: support@drupal.org Subject: [support] Drupal on HTTPS
Hello,
Is there any harm in serving Drupal over HTTPS instead of HTTP?
I want the Drupal login to be on HTTPS because I just don't like sending passwords in plain text. But with Apache it is no more work to make the entire site run on HTTPS versus just one page. In fact, it seems easier.
So, I was wondering, is there any good reason not to serve a Drupal site over HTTPS? It seems a bit odd, but I figure, if I already have an SSL certificate, I figure, what's the harm?
Thanks. Daniel -- [ Drupal support list | http://lists.drupal.org/ ]