On 26.09.2007 at 16:58, [EMAIL PROTECTED] wrote:
> I would like to use https for my entire dspace website.

You probably have to tweak your server.xml in case you run Tomcat standalone or the httpd.conf if you use it in conjunction with Apache. Probably redirecting all requests to your domain to https://

BUT: Have you estimated the load this will put on your server and on the client too, e.g. if you encrypt every bitstream on the fly? Caching is no option with encryption.

I think there is a reason why only pages for logged-in users are usually transferred by https. Even for them, there is not much use in encrypting each and every page because in most cases the information provided will be online some minutes later.

The only pages where it makes great sense are login pages to protect passwords. Then, there might be scenarios where an attacker could overtake a session or a cookie of a logged-in user. This is why encrypting every page for logged-in users is a reasonably simple approach because the count of pages to be encrypted stays relatively low that way.

Every freemail provider avoids encrypting common pages for webmail and usually they even encrypt login pages upon request. And the data transferred during a webmail session is certainly more sensitive.

The only app I have not yet seen without encryption is online banking. And they have enough money and their risk is high enough to make this a reasonable choice. There are special PCI encryption cards available for such a purpose. Don't expect them to be cheap.

Bye, Christian

_______________________________________________
DSpace-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-tech

