We have exactly the same problem here with sites being both inside and outside. However, I'm happy to take the performance hit until I have to look at SSL acceleration cards. I need to get hold of one; however, since my line manager doesn't understand the problem they are supposed to solve, persuading him to allow me to obtain one is proving difficult. I wonder sometimes if he actually understands what I do all day... But I digress as ever.

IMHO it would be useful to add data to the SSL stream that isn't strictly classified, as it just makes it harder for anyone to obtain classified data even if they use brute force decryption. Whilst 40/56 bit browsers abound it's probably worthwhile.

Of course, if speed is an issue I'd seriously look at SSL acceleration. At the very least get hold of a card and benchmark it (which is what I intend to do, one day soon).

I've noticed a substantial drop in speed when IE is in use. Why Microsoft have been unable to implement SSL properly after having so much time is beyond me. I shudder to think what painful hacks are in place with IIS in order for IE and SSL to work.

-
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

-----Original Message-----
From: Owen Boyle [mailto:[EMAIL PROTECTED]]
Sent: 08 November 2000 08:46
To: [EMAIL PROTECTED]
Subject: Mixing SSL and non-SSL content - request for comments

I guess I started this debate so perhaps we can widen it by making it more general and hopefully come up with a general solution...

The issue is the following: Suppose I have a site which receives and transmits sensitive user data. Obviously, I want to protect it with SSL. However, 90% of the content of the site is GIF which doesn't really need to be encrypted (logos, navigation-bars etc.)

Now, if the whole DocumentRoot is under SSL, these rather large GIF files will be laboriously encrypted and decrypted in the course of the transfer even though they contain unconfidential information (it's just the same GIF that's on my unsecured home-page!).

Question 1: Should we worry about this at all? (my manager was worried about the load and so felt that we should).

My solution to (1) was to use mod_rewrite [see footnote] to serve the pages from a plain HTTP VH. However, as James Treworgy points out, this leads to all sorts of unfriendly warnings in the browser.

Question 2: Is anyone aware of a general solution for this "problem" - i.e. how to serve selected components of an SSL page via plain HTTP.

Best regards,

Owen Boyle.

[footnote: Our site is developed on an internal server and mirrored to an external server and so we cannot use explicit links to GIFs (e.g. src="http://..etc) while on the internal server.]

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
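
Added example, not part of the original thread or of mod_ssl: a static check that lists which subresources of an HTTPS page resolve to plain HTTP, which is the condition behind the browser warnings mentioned above. The page URL, hostnames and sample HTML are constructed placeholders, and the tag list is a small assumed subset of fetching elements.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource (assumed subset).
FETCH_ATTRS = {
    "img": "src", "script": "src", "iframe": "src",
    "frame": "src", "embed": "src", "body": "background",
}

class SubresourceCollector(HTMLParser):
    """Collects (tag, raw reference, resolved URL) for fetched subresources."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return  # e.g. <a href> is navigation, not a subresource
        for name, value in attrs:
            if name == attr and value:
                # Relative and //host references inherit the page's scheme.
                self.found.append((tag, value, urljoin(self.page_url, value)))

def insecure_subresources(page_url, html):
    """Return subresources of an https page that resolve to plain http."""
    if urlsplit(page_url).scheme != "https":
        return []  # nothing to mix on a page that is itself plain HTTP
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    return [(tag, raw, url) for tag, raw, url in collector.found
            if urlsplit(url).scheme == "http"]

# Constructed sample page; hostnames are placeholders.
SAMPLE_HTML = """
<html><body background="/img/bg.gif">
<img src="logo.gif">
<img src="//static.example.org/nav.gif">
<img src="http://www.example.org/img/navbar.gif">
<script src="HTTP://www.example.org/js/menu.js"></script>
<a href="http://www.example.org/">home</a>
</body></html>
"""

if __name__ == "__main__":
    page = "https://secure.example.org/shop/"
    for tag, raw, url in insecure_subresources(page, SAMPLE_HTML):
        print(f"<{tag}> {raw} -> {url}")
```

A static check like this cannot see a server-side redirect from https to http, such as one issued by a mod_rewrite rule; that only shows up when the request is actually made.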
