On Thu, 18 Apr 2002, R. DuFresne wrote:

> Would this not still leave port 80 open and bound?

It would, yes.

> Is not just removing the port declarations for 80 and only having 443
> set better and perhaps more secure?

That's a case-by-case decision.  In some cases, it would be insufficiently
secure to leave open port 80 (as when the initial request contains
privileged information).  In other cases, it's only the response or
subsequent requests that are privileged, so it's okay to let the initial
request come in on port 80 as long as you immediately bounce them over to
https.  In that situation, leaving port 80 open is just a convenience for
your users (in case they type http: by mistake), if you deem it safe to
provide that convenience.

--Cliff

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
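
The two choices weighed in this message, shown as an Apache configuration sketch. This is an added example, not part of the original post or the mod_ssl project; it assumes mod_alias and mod_ssl are loaded, and the hostname `www.example.com` and the `/path/to/...` locations are placeholders.

```apache
# Option A: HTTPS only.
# Nothing listens on port 80, so a mistyped http:// URL fails to connect
# and no request can ever arrive in cleartext. Use this when the initial
# request itself may carry privileged information.
#
#   Listen 443
#   (plus the *:443 virtual host below, with no *:80 virtual host at all)

# Option B: port 80 stays open only to bounce clients over to https.
# Acceptable when only the response or later requests are privileged.
# The first request still crosses the network unencrypted.
Listen 80
Listen 443

<VirtualHost *:80>
    ServerName www.example.com
    # No DocumentRoot, handlers or proxying here: every path is answered
    # with a redirect, so no content is served over plain HTTP.
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /path/to/docroot
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
</VirtualHost>
```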
