Welcome to WebmasterWorld Guest from 18.104.22.168
[edited by: aakk9999 at 11:45 am (utc) on Mar 21, 2016]
[edit reason] Fixed http link [/edit]
TLS isn't up to the job without better credential protection says RFC
As part of the long process to make the Internet more secure, user credentials need better protection than the transaction layer security (TLS) standard.
A new experimental-level, RFC-7804, proposes applying a 2010 protocol called SCRAM for the purpose.
both Firefox and ChromiumWe're essentially talking about HTTP/2 here, to give it a name, which all the major browser manufacturers support, but they're supporting it only if it's used over an encrypted connection. HTTP/2 offers many advantages in the efficient use of TCP, like "multiplexing", which will allow many concurrent requests over a single TCP connection, potentially leading to great increases in speed. It will also greatly reduce the number of network round trips.
TLS isn't up to the job without better credential protection says RFCThey've known about the certificate problem as something that needed fixing since early on in Heartbleed, and steps have been taken to eliminate those problems and to clean up what's been a bunch of shoddy hosts and potential security holes. Google, among others, have suggested alternative approaches, and the article cited even discusses one, but that isn't featured in the alarmist headlines which "sell papers". It's there in the article. I suspect also that free certificates are going to be one way of cleaning up some shoddy practices.
joined:Mar 15, 2016
@netmeg do you do a 301 redirect from http to https sitewide when you do your switch.
In the case of the http-to-https redirection, the use of RewriteRule would be appropriate if you don't have access to the main server configuration file, and are obliged to perform this task in a .htaccess file instead.