[dokuwiki] Re: ssl for acl'ed pages

  • From: Robin Getz <robin.getz@xxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Thu, 10 Mar 2011 17:31:44 -0500

On Thu 10 Mar 2011 16:33, Andreas Gohr pondered:
> > This patch does a https redirect on those pages which are ACL controlled.
> 
> We rejected earlier patches that did SSL redirects for the logins for
> the following reasons:
> 
> - it can easily be done using server rewrites

Not on hosted machines.

> - the SSL host might not have the same domain, so you'd need to have
>   another config to configure the SSL host name

Sure. I can add a config option - that's easy :)

> - limiting SSL to certain parts of the site usually leads to having
>   unsecured parts in the page (like images) that compromise the
>   whole security

I'm not sure I understand this part. Can you elaborate, or point me to an old
discussion? (I couldn't find anything when I searched).

> > Other pages are left alone, as to have lower load on the server.
> 
> For modern server and client hardware the SSL overhead isn't really an
> issue anymore (there was a popular article about that recently - maybe
> someone has the URL bookmarked?)

I think that might be only true when SSL sessions are enabled in the server - 
plus my understanding is that even when SSL sessions are enabled, on low 
bandwidth, high packet loss, high latency connections (some mobile devices) 
the additional roundtrips required by TLS might render something slow into 
something unusable...

I agree that on a well-connected machine, with a properly configured server,
this isn't going to be an issue.
 
> I recommend to switch your whole site to SSL instead.

Some people find it distasteful to be forced to browse a site via SSL, even 
when they are not logged in...

-- 
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist
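
Added example, not part of the original message or of DokuWiki: the third objection quoted above concerns mixed content, where a page served over HTTPS still pulls images, scripts or stylesheets over plain HTTP, so those requests can be read or altered in transit. The sketch below lists such subresources in a page's HTML; the host names, paths and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser fetch a subresource.
# "active" content can rewrite the page; "passive" content is only displayed.
SUBRESOURCES = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",   # only rel=stylesheet is checked below
    ("img", "src"): "passive",
    ("video", "src"): "passive",
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for (t, attr), kind in SUBRESOURCES.items():
            value = attrs.get(attr)
            if t != tag or not value:
                continue
            # Relative and protocol-relative URLs inherit the page's scheme.
            resolved = urljoin(self.page_url, value.strip())
            if urlsplit(resolved).scheme == "http":
                self.findings.append((kind, tag, resolved))

def find_mixed_content(page_url, html):
    """Return (kind, tag, url) for each plain-HTTP subresource of an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # the page itself is not protected, nothing to mix
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample: an ACL-protected page served over HTTPS.
SAMPLE_URL = "https://wiki.example.org/private/page"
SAMPLE_HTML = """
<link rel="stylesheet" href="/css/site.css">
<script src="http://wiki.example.org/js/edit.js"></script>
<img src="http://wiki.example.org/media/logo.png" alt="logo">
<img src="//static.example.org/icon.png">
<a href="http://wiki.example.org/public/start">public start page</a>
"""

if __name__ == "__main__":
    print(find_mixed_content(SAMPLE_URL, SAMPLE_HTML))
```

Plain links (`<a href>`) are not reported because they are navigations rather than subresources of the protected page.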
