CGI question: safe passwords possible?

Paul Rubin http
Sun Jun 1 06:56:11 EDT 2003


hwlgw at hotmail.com (Will Stuyvesant) writes:
> I can do HTTP Digest authentication but this is all very cumbersome
> and not compatible among hosts (as far as I understand).  But my
> conclusion is so much simpler than all this!  If you really want
> security, use HTTPS.  That is HTTP over an SSL connection (one of the
> many things I did not know).  Just let your host turn your whole site
> into HTTPS and then you are secure.

Using HTTPS for your whole site works, but it's not such a great idea
because HTTPS pages will bypass your browser and proxy caches.  That
(among other things) makes HTTPS pages load slower than HTTP pages.
Just use HTTPS for the pages where you need security (pages that take
passwords, pages where users enter financial data, etc.) and don't put
too many graphics on those pages and they won't slow down too much.
Use regular HTTP for the other pages.  See any retail site for
example.  They show you the products on regular HTTP, and their
shopping cart checkout page where you enter your credit card number is
HTTPS.

> Am I right?  Is it true, the part about not having to change your HTML
> and CGI code?  Well, except for some URLs in them maybe, but they
> could be stored in a separate configuration file.  I mean, you maybe
> have to change things like http://yourhost/yourloginpage.html to
> http://yourhost/yourloginpage.shtml or something?

You'd change http://yourhost/yourloginpage.html to
https://yourhost/yourloginpage.html (change http: to https:).  .shtml is
something else entirely (an old HTML template system that's not used
much any more).  
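
Added example, not part of the original post: one way a Python CGI login script can enforce the "HTTPS for the pages that take passwords" advice above, redirecting plain-HTTP GETs to the https: URL and refusing passwords posted over plain HTTP. It assumes the web server sets the HTTPS environment variable for TLS requests (Apache with mod_ssl does); handle_login, https_url, emit and the script path are hypothetical names, and the actual password check is left out.

```python
import os
import sys
from html import escape

def is_https(environ):
    # Assumption: the server exports HTTPS=on for requests that arrived over TLS.
    return environ.get("HTTPS", "").lower() in ("on", "1")

def https_url(environ):
    # SERVER_NAME and SCRIPT_NAME are standard CGI variables set by the server.
    host = environ.get("SERVER_NAME", "localhost")
    return "https://%s%s" % (host, environ.get("SCRIPT_NAME", "/"))

def handle_login(environ):
    """Return (status, headers, body) for a hypothetical login CGI."""
    method = environ.get("REQUEST_METHOD", "GET").upper()
    target = https_url(environ)
    if not is_https(environ):
        if method == "POST":
            # The password already crossed the network in cleartext:
            # do not process it, and do not redirect (a 302 would drop the body).
            return ("403 Forbidden", [("Content-Type", "text/plain")],
                    "Login must be submitted over HTTPS.\n")
        # Plain-HTTP view of the login page: send the browser to the https: URL.
        return ("302 Found", [("Location", target)], "")
    if method == "POST":
        # Credential verification would go here (omitted in this sketch).
        return ("200 OK", [("Content-Type", "text/plain")],
                "Credentials received over TLS.\n")
    # Absolute https: action so the form can never post back over http:.
    form = ('<form method="post" action="%s">'
            '<input name="user"><input name="password" type="password">'
            '<input type="submit"></form>\n' % escape(target, quote=True))
    return ("200 OK", [("Content-Type", "text/html")], form)

def emit(status, headers, body):
    # CGI response: Status header, other headers, blank line, body.
    lines = ["Status: " + status] + ["%s: %s" % h for h in headers]
    return "\r\n".join(lines) + "\r\n\r\n" + body

if __name__ == "__main__":
    sys.stdout.write(emit(*handle_login(os.environ)))
```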
