James Treworgy wrote:
> Just set the root for HTTP and HTTPS to the same directory. A surprising
> number of web sites operate this way anyway. Since the code calls
> whatever.html via https://... it will be loaded securely. If someone
> happened to go out of their way to change the URL to http:// then it would
> load it insecurely, but that's their problem.  And if someone likewise goes
> out of their way to load other pages in your site securely, more power to them.

I'm sure such sloppiness abounds in the real world but I have to say I
find all this a bit rich.

Let us remember why we are putting in SSL in the first place: It is so
that a client can assuredly send us information without it falling into
the wrong hands. Clients don't need a degree in computer science to surf
the web and most of them would think they were on a secure site if the
words "SECURE SITE" appeared along the top of the page - they wouldn't
notice their padlock hadn't closed or that the URL hadn't changed to
"https". It's not really fair to call it "their problem".

If you are running an internet shop, you have a *responsibility* to
ensure that sensitive information such as credit card details is
protected. If you allow people to send you such information through an
insecure channel you may be exposing yourself to a liability if the data
gets snooped. You must also take other precautions on the server side
such as purging credit-cards from the logfiles and encrypting
transaction records.

If you are serious about protecting transfers then you should only
accept those transfers which you know to be secure. That means
implementing SSL properly and separating secure and insecure content.

And don't throw litter on the pavement either....

Rgds,
Owen Boyle.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
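
The separation argued for in the reply above, sketched as an Apache/mod_ssl configuration. This is an added example, not part of the original message; the hostname, directory paths and certificate files are placeholders, and the `*:80` / `*:443` virtual host addresses assume a single-site server.

```apache
# Constructed example: shop.example.com and all paths are placeholders.

# Shared root, as proposed in the quoted message (shown commented out).
# Both virtual hosts serve the same files, so the order form is also
# reachable, and submittable, over plain http://.
#
# <VirtualHost *:80>
#     ServerName   shop.example.com
#     DocumentRoot /var/www/shop
# </VirtualHost>
# <VirtualHost *:443>
#     ServerName   shop.example.com
#     DocumentRoot /var/www/shop
#     SSLEngine    on
# </VirtualHost>

# Separated roots: the plain-HTTP host only ever sees public content.
<VirtualHost *:80>
    ServerName   shop.example.com
    DocumentRoot /var/www/shop-public
</VirtualHost>

# The SSL host has its own tree holding the order forms and handlers.
<VirtualHost *:443>
    ServerName   shop.example.com
    DocumentRoot /var/www/shop-secure

    SSLEngine             on
    SSLCertificateFile    /etc/apache/ssl/shop.example.com.crt
    SSLCertificateKeyFile /etc/apache/ssl/shop.example.com.key

    <Directory /var/www/shop-secure>
        # mod_ssl directive: refuse any request for this tree that did not
        # arrive over SSL, even if a later config change (an Alias, a new
        # virtual host) maps the directory into a plain-HTTP host.
        SSLRequireSSL
    </Directory>
</VirtualHost>
```

With this layout a request for a secure page over http:// finds nothing to serve from the public root, so a form that collects card details cannot be loaded or posted outside the SSL host.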
