On Thu, Apr 22, 2010 at 2:04 PM, Krist van Besien <krist.vanbesien@xxxxxxxxx> wrote:

> There is in my opinion no good reason not to have https for the whole
> session. The "performance" argument doesn't really apply anymore in a
> time that you can buy several webservers for the cost of employing one
> webserver specialist for a day...
>
> Krist

Spoken like a true European (No offence, I'm one too :)

For many of the users of our (commercial) systems, if we forced SSL on, then a good proportion of our customers would not renew next year.

SSL on is irrefutably a slower user experience than with it off; common resources cannot be cached, apart from on the local machine (and even then, many browsers won't). It vastly increases response times, as each connection must be set up and torn down, with all that lovely TLS forward and back. For users geographically remote, or with other high-latency internet connections, or with old/slow computers, your website just became more unpleasant to use.

The more unpleasant your site is to use, the fewer people use it. The fewer people use it, the less willing they will be to pay for it.

In Europe (probably US now too) we now seem to assume a couple of things:

1) Any site we connect to will be less than 200ms away
2) We've got at least 2Mbit of bandwidth available
3) Any user will have a fast modern computer, with a big screen.

For a lot of the world, at least one of those things will be incorrect.

Using SSL to protect login prevents usernames and passwords passing in clear text. There are other methods you can use to mitigate session stealing.

Cheers

Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
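The split Tom describes (TLS for the login exchange only, plain HTTP for the rest of the session) can be expressed directly in httpd configuration. The fragment below is an added illustration written for this thread, not configuration from either poster; the hostname, the /login path, the SESSIONID cookie name and the certificate paths are assumptions. It uses mod_rewrite to push only the login URL onto the :443 virtual host and mod_headers (the "Header edit" action, available since httpd 2.2.4) to stamp HttpOnly on the session cookie. The point worth seeing is what the design costs: because the session cookie has to be sent back over http:// once the user lands on the plain-HTTP part of the site, it cannot carry the Secure flag, so HttpOnly only stops scripts from reading it and does nothing against someone watching the wire. That is exactly the "session stealing" the post says must be mitigated by other means.

```apache
# Assumed layout (not from the thread): the login form and its POST live at
# /login; everything else is served over plain HTTP on port 80.
# Requires mod_rewrite, mod_headers and mod_ssl to be loaded.

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html

    RewriteEngine On
    # Only the login endpoint is forced onto HTTPS; all other URLs stay on :80.
    # 301 is used for the GET of the form; the POST itself should already be
    # going to the https:// action URL the form was served with.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/login https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Mark the session cookie HttpOnly so page scripts cannot read it.
    # "always" also covers 3xx responses, which is where a login handler
    # usually sets the cookie before redirecting back to the app.
    # Secure is deliberately NOT added: with plain-HTTP sessions the browser
    # would otherwise never send the cookie back, and the session would break.
    Header always edit Set-Cookie "^(SESSIONID=.*)$" "$1; HttpOnly"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    # Placeholder paths; point these at the real certificate and key.
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Same cookie treatment on the HTTPS side, since the login POST that
    # issues the cookie is answered here.
    Header always edit Set-Cookie "^(SESSIONID=.*)$" "$1; HttpOnly"
</VirtualHost>
```

Reading the two hosts together makes the trade-off concrete: the credentials in the login POST are protected, but every subsequent request on :80 carries SESSIONID in the clear, so the site's exposure moves from "password on the wire" to "session token on the wire" for the life of that session. Keeping session lifetimes short and re-authenticating over HTTPS before any sensitive action are the usual ways to narrow that window without paying the full-site TLS cost Tom is objecting to.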