Hello,
Is there any harm in serving Drupal over HTTPS instead of HTTP?
I want the Drupal login to be on HTTPS because I just don't like sending passwords in plain text. But with Apache it is no more work to make the entire site run on HTTPS versus just one page. In fact, it seems easier.
So, I was wondering, is there any good reason not to serve a Drupal site over HTTPS? It seems a bit odd, but I figure, if I already have an SSL certificate, I figure, what's the harm?
Thanks. Daniel
Hi,
Yes you can do this with the securepages module. http://drupal.org/project/securepages
This will help you set up which pages are to displayed via SSL and which pages are not to be.
You still need to set up SSL so you can browse the site via https, and then you just use secure pages to do the switching.
Gordon.
On 23/10/2008, at 7:07 AM, Daniel Carrera wrote:
Hello,
Is there any harm in serving Drupal over HTTPS instead of HTTP?
I want the Drupal login to be on HTTPS because I just don't like sending passwords in plain text. But with Apache it is no more work to make the entire site run on HTTPS versus just one page. In fact, it seems easier.
So, I was wondering, is there any good reason not to serve a Drupal site over HTTPS? It seems a bit odd, but I figure, if I already have an SSL certificate, I figure, what's the harm?
Thanks. Daniel -- [ Drupal support list | http://lists.drupal.org/ ]
Naw we do this (Aside from the obvious performance issues about decripting data for large numbers of hits). There's a securepages module out there to force redirects on certain pages if your interested in making sur ethat just the login informatioin or user information happens over https.
http://drupal.org/project/securepages
Dave
-----Original Message----- From: support-bounces@drupal.org [mailto:support-bounces@drupal.org] On Behalf Of Daniel Carrera Sent: Wednesday, October 22, 2008 1:07 PM To: support@drupal.org Subject: [support] Drupal on HTTPS
Hello,
Is there any harm in serving Drupal over HTTPS instead of HTTP?
I want the Drupal login to be on HTTPS because I just don't like sending passwords in plain text. But with Apache it is no more work to make the entire site run on HTTPS versus just one page. In fact, it seems easier.
So, I was wondering, is there any good reason not to serve a Drupal site over HTTPS? It seems a bit odd, but I figure, if I already have an SSL certificate, I figure, what's the harm?
Thanks. Daniel -- [ Drupal support list | http://lists.drupal.org/ ]
Thanks.
You mention performance issues. How bad is it? I spent several hours Googling and I found two papers. One that claims that the delay due to HTTPS is minimal and another that claims that the delay is significant. :-(
Metzler, David wrote:
Naw we do this (Aside from the obvious performance issues about decripting data for large numbers of hits). There's a securepages module out there to force redirects on certain pages if your interested in making sur ethat just the login informatioin or user information happens over https.
http://drupal.org/project/securepages
Dave
-----Original Message----- From: support-bounces@drupal.org [mailto:support-bounces@drupal.org] On Behalf Of Daniel Carrera Sent: Wednesday, October 22, 2008 1:07 PM To: support@drupal.org Subject: [support] Drupal on HTTPS
Hello,
Is there any harm in serving Drupal over HTTPS instead of HTTP?
I want the Drupal login to be on HTTPS because I just don't like sending passwords in plain text. But with Apache it is no more work to make the entire site run on HTTPS versus just one page. In fact, it seems easier.
So, I was wondering, is there any good reason not to serve a Drupal site over HTTPS? It seems a bit odd, but I figure, if I already have an SSL certificate, I figure, what's the harm?
Thanks. Daniel -- [ Drupal support list | http://lists.drupal.org/ ]
It depends on many factors. The primary performance concern is encrypt/decrypt of the data and its impact on cpu. Image files, large pdf documents, etc when encrypted can cause CPU performance impact. If your browsers cache much of this content it's not a huge load, but of course you need to think about how many concurrent hits you're likely to get on your site.
Also understand that this means that the clients need to decrypt the data. So again if you're sending say a big .wav file to grandmas 6 year old computer that is loaded with AV software and that old clunker has to decrypt the content and then scan it for viruses, well grandma may decide not to watch that movie after all.
I guess what I'm saying is that if you're doing regular text, with small numbers of images and you don't expect an insane amount of hits, and you're not shared hosting, and you're server is reasonably current as far as CPU is concerned, you probably aren't going to notice too much.
But if your target audience has old clunkers, or you are planning on putting up heavy content, or you aren't blessed with an abundance of CPU, then it's probably worth your while to set up securepages, and make sure your site can respond to https and http. Frankly that last step I'd do anyway so you can advertise example.com without users having to remember to type https.
Either way you can pretty much look at CPU load to determine whether this is an issue for you.
Good luck,
Dave
-----Original Message----- From: support-bounces@drupal.org [mailto:support-bounces@drupal.org] On Behalf Of Daniel Carrera Sent: Thursday, October 23, 2008 1:48 AM To: support@drupal.org Subject: Re: [support] Drupal on HTTPS
Thanks.
You mention performance issues. How bad is it? I spent several hours Googling and I found two papers. One that claims that the delay due to HTTPS is minimal and another that claims that the delay is significant. :-(
Metzler, David wrote:
Naw we do this (Aside from the obvious performance issues about decripting data for large numbers of hits). There's a securepages module out there to force redirects on certain pages if your interested in making sur ethat just the login informatioin or user information happens over https.
http://drupal.org/project/securepages
Dave
-----Original Message----- From: support-bounces@drupal.org [mailto:support-bounces@drupal.org] On Behalf Of Daniel Carrera Sent: Wednesday, October 22, 2008 1:07 PM To: support@drupal.org Subject: [support] Drupal on HTTPS
Hello,
Is there any harm in serving Drupal over HTTPS instead of HTTP?
I want the Drupal login to be on HTTPS because I just don't like sending passwords in plain text. But with Apache it is no more work to
make the entire site run on HTTPS versus just one page. In fact, it
seems easier.
So, I was wondering, is there any good reason not to serve a Drupal site over HTTPS? It seems a bit odd, but I figure, if I already have an SSL certificate, I figure, what's the harm?
Thanks. Daniel -- [ Drupal support list | http://lists.drupal.org/ ]
-- [ Drupal support list | http://lists.drupal.org/ ]
Thanks. I guess I might need to benchmark during a high period and see.
The website generally doesn't get a lot of hits, and we don't serve very large files. It's mostly text. But we might see more traffic on the last week of school.
Metzler, David wrote:
It depends on many factors. The primary performance concern is encrypt/decrypt of the data and its impact on cpu. Image files, large pdf documents, etc when encrypted can cause CPU performance impact. If your browsers cache much of this content it's not a huge load, but of course you need to think about how many concurrent hits you're likely to get on your site.
Also understand that this means that the clients need to decrypt the data. So again if you're sending say a big .wav file to grandmas 6 year old computer that is loaded with AV software and that old clunker has to decrypt the content and then scan it for viruses, well grandma may decide not to watch that movie after all.
I guess what I'm saying is that if you're doing regular text, with small numbers of images and you don't expect an insane amount of hits, and you're not shared hosting, and you're server is reasonably current as far as CPU is concerned, you probably aren't going to notice too much.
But if your target audience has old clunkers, or you are planning on putting up heavy content, or you aren't blessed with an abundance of CPU, then it's probably worth your while to set up securepages, and make sure your site can respond to https and http. Frankly that last step I'd do anyway so you can advertise example.com without users having to remember to type https.
Either way you can pretty much look at CPU load to determine whether this is an issue for you.
Good luck,
Dave
-----Original Message----- From: support-bounces@drupal.org [mailto:support-bounces@drupal.org] On Behalf Of Daniel Carrera Sent: Thursday, October 23, 2008 1:48 AM To: support@drupal.org Subject: Re: [support] Drupal on HTTPS
Thanks.
You mention performance issues. How bad is it? I spent several hours Googling and I found two papers. One that claims that the delay due to HTTPS is minimal and another that claims that the delay is significant. :-(
Metzler, David wrote:
Naw we do this (Aside from the obvious performance issues about decripting data for large numbers of hits). There's a securepages module out there to force redirects on certain pages if your interested in making sur ethat just the login informatioin or user information happens over https.
http://drupal.org/project/securepages
Dave
-----Original Message----- From: support-bounces@drupal.org [mailto:support-bounces@drupal.org] On Behalf Of Daniel Carrera Sent: Wednesday, October 22, 2008 1:07 PM To: support@drupal.org Subject: [support] Drupal on HTTPS
Hello,
Is there any harm in serving Drupal over HTTPS instead of HTTP?
I want the Drupal login to be on HTTPS because I just don't like sending passwords in plain text. But with Apache it is no more work to
make the entire site run on HTTPS versus just one page. In fact, it
seems easier.
So, I was wondering, is there any good reason not to serve a Drupal site over HTTPS? It seems a bit odd, but I figure, if I already have an SSL certificate, I figure, what's the harm?
Thanks. Daniel -- [ Drupal support list | http://lists.drupal.org/ ]
-- [ Drupal support list | http://lists.drupal.org/ ]
Hi,
it is not so much the additional load on your server to encrypt all the pages, but it is the flow on effect which is where the load gets bigger.
Mainly the SSL break proxy servers who can only pass thru pages and other artifacts without being able to cache anything. This means that you will use more bandwidth, and loading of pages for the most part will not be as snappy as users will always be getting stuff from your server and not something closer.
Gordon.
On 24/10/2008, at 7:10 AM, Daniel Carrera wrote:
Thanks. I guess I might need to benchmark during a high period and see.
The website generally doesn't get a lot of hits, and we don't serve very large files. It's mostly text. But we might see more traffic on the last week of school.
Metzler, David wrote:
It depends on many factors. The primary performance concern is encrypt/decrypt of the data and its impact on cpu. Image files, large pdf documents, etc when encrypted can cause CPU performance impact. If your browsers cache much of this content it's not a huge load, but of course you need to think about how many concurrent hits you're likely to get on your site.
Also understand that this means that the clients need to decrypt the data. So again if you're sending say a big .wav file to grandmas 6 year old computer that is loaded with AV software and that old clunker has to decrypt the content and then scan it for viruses, well grandma may decide not to watch that movie after all.
I guess what I'm saying is that if you're doing regular text, with small numbers of images and you don't expect an insane amount of hits, and you're not shared hosting, and you're server is reasonably current as far as CPU is concerned, you probably aren't going to notice too much.
But if your target audience has old clunkers, or you are planning on putting up heavy content, or you aren't blessed with an abundance of CPU, then it's probably worth your while to set up securepages, and make sure your site can respond to https and http. Frankly that last step I'd do anyway so you can advertise example.com without users having to remember to type https.
Either way you can pretty much look at CPU load to determine whether this is an issue for you.
Good luck,
Dave
-----Original Message----- From: support-bounces@drupal.org [mailto:support- bounces@drupal.org] On Behalf Of Daniel Carrera Sent: Thursday, October 23, 2008 1:48 AM To: support@drupal.org Subject: Re: [support] Drupal on HTTPS
Thanks.
You mention performance issues. How bad is it? I spent several hours Googling and I found two papers. One that claims that the delay due to HTTPS is minimal and another that claims that the delay is significant. :-(
Metzler, David wrote:
Naw we do this (Aside from the obvious performance issues about decripting data for large numbers of hits). There's a securepages module out there to force redirects on certain pages if your interested in making sur ethat just the login informatioin or user information happens over https.
http://drupal.org/project/securepages
Dave
-----Original Message----- From: support-bounces@drupal.org [mailto:support-bounces@drupal.org] On Behalf Of Daniel Carrera Sent: Wednesday, October 22, 2008 1:07 PM To: support@drupal.org Subject: [support] Drupal on HTTPS
Hello,
Is there any harm in serving Drupal over HTTPS instead of HTTP?
I want the Drupal login to be on HTTPS because I just don't like sending passwords in plain text. But with Apache it is no more work to
make the entire site run on HTTPS versus just one page. In fact, it
seems easier.
So, I was wondering, is there any good reason not to serve a Drupal site over HTTPS? It seems a bit odd, but I figure, if I already have an SSL certificate, I figure, what's the harm?
Thanks. Daniel -- [ Drupal support list | http://lists.drupal.org/ ]
-- [ Drupal support list | http://lists.drupal.org/ ]
-- [ Drupal support list | http://lists.drupal.org/ ]
Personally I wouldn't consider the HTTP + HTTPS (just for some pages) approach 100% secure. There are some security attacks which are still possible with this solution.
If you are playing with a site where security is a key factor I would consider running everything on HTTPS, redirecting HTTP requests to HTTPS.
Moreover I would actively advise users to always check the secure lock to appears on their browsers.
Just my 2 cents.
Fabio Varesano
Metzler, David wrote:
Naw we do this (Aside from the obvious performance issues about decripting data for large numbers of hits). There's a securepages module out there to force redirects on certain pages if your interested in making sur ethat just the login informatioin or user information happens over https.
http://drupal.org/project/securepages
Dave
-----Original Message----- From: support-bounces@drupal.org [mailto:support-bounces@drupal.org] On Behalf Of Daniel Carrera Sent: Wednesday, October 22, 2008 1:07 PM To: support@drupal.org Subject: [support] Drupal on HTTPS
Hello,
Is there any harm in serving Drupal over HTTPS instead of HTTP?
I want the Drupal login to be on HTTPS because I just don't like sending passwords in plain text. But with Apache it is no more work to make the entire site run on HTTPS versus just one page. In fact, it seems easier.
So, I was wondering, is there any good reason not to serve a Drupal site over HTTPS? It seems a bit odd, but I figure, if I already have an SSL certificate, I figure, what's the harm?
Thanks. Daniel -- [ Drupal support list | http://lists.drupal.org/ ]
-
Daniel Carrera -
Fabio Varesano -
Gordon Heydon -
Metzler, David