httpd-users mailing list archives

From Tom Evans <tevans...@googlemail.com>
Subject Re: [users@httpd] Re: HTTPS only for login page (when apache front tomcat)
Date Thu, 22 Apr 2010 13:28:03 GMT
On Thu, Apr 22, 2010 at 2:04 PM, Krist van Besien
<krist.vanbesien@gmail.com> wrote:
> There is in my opinion no good reason not to have https for the whole
> session. The "performance" argument doesn't really apply anymore in a
> time that you can buy several webservers for the cost of employing one
> webserver specialist for a day...
>
> Krist
>

Spoken like a true European (No offence, I'm one too :)

For many of the users of our (commercial) systems, if we forced SSL
on, then a good proportion of our customers would not renew next year.
SSL on is irrefutably a slower user experience than with it off;
common resources cannot be cached, apart from on the local machine
(and even then, many browsers won't). It vastly increases response
times, as each connection must be set up and torn down, with all
that lovely TLS forward and back.

For users geographically remote, or with other high latency internet
connections, or with old/slow computers, your website just became more
unpleasant to use. The more unpleasant to use your site is, the fewer
people use it. The fewer people use it, the less willing they will be
to pay for it.

In Europe (probably the US now too) we now seem to assume a couple of things:
1) Any site we connect to will be less than 200ms away
2) We've got at least 2Mbit of bandwidth available
3) Any user will have a fast modern computer, with a big screen.

For a lot of the world, at least one of those things will be incorrect.

Using SSL to protect login prevents usernames and passwords passing in
clear text. There are other methods you can use to mitigate session
stealing.

Cheers

Tom
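As an added configuration example, not part of Tom's message or of anything posted in this thread, the following shows the setup the thread subject describes: Apache httpd in front of Tomcat, forcing HTTPS for the login path only while leaving the rest of the application on plain HTTP. Hostnames, paths, the AJP port and certificate locations are assumptions; the session-cookie handling after login is left to the application, and the HttpOnly edit is only shown for a Tomcat that does not already set that flag itself.

```apache
# Added example (not from the thread). Assumed: mod_rewrite, mod_proxy_ajp,
# mod_headers and mod_ssl are loaded; Tomcat listens for AJP on localhost:8009;
# the application's login page lives under /login.

<VirtualHost *:80>
    ServerName www.example.com

    RewriteEngine On
    # Only the login page is forced onto HTTPS, so the username and password
    # never cross the wire in clear text. Everything else stays on port 80.
    RewriteCond %{HTTPS} off
    RewriteRule ^/login(.*)$ https://%{HTTP_HOST}/login$1 [R=301,L]

    # Hand the rest of the application to Tomcat over AJP.
    ProxyPass        / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt      # assumed path
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key    # assumed path

    # Let Tomcat know the original request was HTTPS when it builds
    # redirects and absolute URLs after a successful login.
    RequestHeader set X-Forwarded-Proto "https"

    # Keep the session cookie out of reach of page scripts. Newer Tomcat
    # versions set HttpOnly themselves; this edit is only needed if yours does not.
    Header edit Set-Cookie ^(.*)$ "$1; HttpOnly"

    ProxyPass        / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/
</VirtualHost>
```

Note that with only the login page on HTTPS the session cookie cannot carry the Secure flag, because the browser would then withhold it from the plain-HTTP pages the rest of the site is served on; that is exactly the trade-off the message above refers to when it says session stealing has to be mitigated by other means, such as regenerating the session identifier at login and keeping session lifetimes short.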

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

