Comments on: Including mixed (SSL and non-SSL) content on your secure site
https://grey-panther.net/2007/01/including-mixed-ssl-and-non-ssl-content-on-your-secure-site.html

By: Cd-MaN https://grey-panther.net/2007/01/including-mixed-ssl-and-non-ssl-content-on-your-secure-site.html#comment-683 Sun, 21 Sep 2008 07:17:42 +0000

@damon: there is a disclaimer at the beginning of the post 🙂

I’ve done some research and here is what I’ve come up with:

IE has a well-known bug whereby it doesn’t download resources over SSL if they have 0 cache expiry time. So for the resources to be downloaded at all, you should set an expiry time in the future (this is true of IE6; I don’t know if it got fixed in IE7/8).

Firefox 2 doesn’t cache SSL content to disk by default, however version 3 seems to do so under some conditions.

My conclusion is: yes, it does introduce some scalability problems. In general, you can rely on it being cached during the browsing session, but not in between browsing sessions. As always, it is a tradeoff between security (which becomes more important as the use of wireless – an easy to sniff medium – becomes very widespread) and costs.

By: Damon Smith https://grey-panther.net/2007/01/including-mixed-ssl-and-non-ssl-content-on-your-secure-site.html#comment-685 Sat, 20 Sep 2008 12:05:33 +0000

Yes, the W3C spec states that SSL’ed assets must not be cached, so SSL’ing an entire site causes huge server load and client side performance issues.

If you are running a public facing website then this will usually mean the difference between 1 page request for returning customers and 20 hits.

I would really consider putting some heavy disclaimers at the start of this article that it is only for people who aren’t interested in their website scaling.

By: Unknown https://grey-panther.net/2007/01/including-mixed-ssl-and-non-ssl-content-on-your-secure-site.html#comment-871 Wed, 24 Jan 2007 07:52:06 +0000

The reason I’m considering mixing SSL and non-SSL on the same page is because of caching. As far as I understand, SSL content is not cached. So if you load all your assets via SSL (images, stylesheets, etc), the browser has to download it on every page view. This is a huge performance issue. I think there is a small period of time when the negotiated SSL key is still valid, and a page view during that small window will allow the asset to be pulled from cache. But I think the data is stored encrypted in the browser cache, so once the key expires and is re-negotiated, that data is invalid. And it is a noticeable performance hit.

By: Unknown https://grey-panther.net/2007/01/including-mixed-ssl-and-non-ssl-content-on-your-secure-site.html#comment-876 Mon, 08 Jan 2007 07:31:34 +0000

Yeah I’m glad you liked the article, I am still using it without mod_proxy to this day, works great on IE7
