Owen Boyle wrote:
>
> James Treworgy wrote:
> > Just set the root for HTTP and HTTPS to the same directory. A surprising
> > number of web sites operate this way anyway. Since the code calls
> > whatever.html via https://... it will be loaded securely. If someone
> > happened to go out of their way to change the URL to http:// then it would
> > load it insecurely, but that's their problem. And if someone likewise goes
> > out of their way to load other pages in your site securely, more power to them.
>
That's what it is. The shops have been set up in this way (not by me, I
hasten to add). I don't think I'll go down the same route when moving
them. Looks like a bit more work for me. :)
> I'm sure such sloppiness abounds in the real world but I have to say I
> find all this a bit rich.
>
> Let us remember why we are putting in SSL in the first place: It is so
> that a client can assuredly send us information without it falling into
> the wrong hands. Clients don't need a degree in computer science to surf
> the web and most of them would think they were on a secure site if the
> words "SECURE SITE" appeared along the top of the page - they wouldn't
> notice their padlock hadn't closed or that the URL hadn't changed to
> "https". It's not really fair to call it "their problem".
>
> If you are running an internet shop, you have a *responsibility* to
> ensure that sensitive information such as credit card details are
> protected. If you allow people to send you such information through an
> insecure channel you may be exposing yourself to a liability if the data
> gets snooped. You must also take other precautions on the server side
> such as purging credit-cards from the logfiles and encrypting
> transaction records.
>
> If you are serious about protecting transfers then you should only
> accept those transfers which you know to be secure. That means
> implementing SSL properly and separating secure and insecure content.
>
> And don't throw litter on the pavement either....
>
> Rgds,
> Owen Boyle.
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
--
Nick Davies
Technical Director
Magnitude Ltd
www.magnitude.co.uk
[EMAIL PROTECTED]
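
The separation of secure and insecure content that Owen Boyle argues for, next to the shared-root layout James Treworgy describes, as an added Apache configuration example that is not part of the original thread. The host name, directory paths, certificate file names and the /checkout/ URL prefix are assumptions chosen for illustration.

```apache
# Added illustration; host name, paths and certificate files are placeholders.

# Shared-root layout discussed in the thread (shown commented out):
# both virtual hosts serve the same files, so the order form is
# reachable over http:// as well as https://.
#
# <VirtualHost *:80>
#     ServerName   shop.example.com
#     DocumentRoot /var/www/shop
# </VirtualHost>
# <VirtualHost *:443>
#     ServerName   shop.example.com
#     DocumentRoot /var/www/shop
#     SSLEngine    on
# </VirtualHost>

# Separated layout: the pages that collect card details exist only
# under the HTTPS document root, so the plain-HTTP host has nothing
# to serve for them.
<VirtualHost *:80>
    ServerName   shop.example.com
    DocumentRoot /var/www/shop-public

    # A plain-HTTP request for the checkout area is sent to HTTPS
    # instead of being answered in the clear.
    Redirect permanent /checkout/ https://shop.example.com/checkout/
</VirtualHost>

<VirtualHost *:443>
    ServerName   shop.example.com
    DocumentRoot /var/www/shop-secure

    SSLEngine             on
    SSLCertificateFile    /etc/apache2/ssl/shop.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/shop.example.com.key

    <Directory /var/www/shop-secure>
        # mod_ssl directive: deny the request if this directory is
        # ever reached over a connection that is not using SSL.
        SSLRequireSSL
    </Directory>
</VirtualHost>
```

Access-control and logging directives are omitted here; they stay whatever the existing server configuration already uses.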