We're not sure whether to run our VLE as http or https.

If we use https then obviously all content is encrypted and we can use secure cookies, meaning the likelihood of man-in-the-middle attacks or session stealing is very low indeed. However, there is a huge drawback in that if somebody embeds a YouTube video, or Flickr photo-stream or the like (which can only be accessed by http) then MS Internet Explorer throws up scary-looking warnings about the page containing 'secure and non-secure items', causing some users to panic and others to think that the VLE is somehow at fault.

Using http means that such messages don't appear but that session stealing or man-in-the-middle attacks are a lot more likely.

We could allow both http and https but this doesn't stop session stealing or man-in-the-middle attacks at all.

Basically it's a no-win situation unless you ban people from using Internet Explorer, which would be an admirable stance but which would never happen in practice!

What approach have other institutions taken?

Adam

--
Adam Marshall: OUCS, 13, Banbury Rd. Oxford OX2 6NN.
The upcoming new WebLearn service: http://beta.weblearn.ox.ac.uk
Shameless plug: http://www.myspace.com/wheresthebeachmusic
Cheese of the month: Double Gloucester - shouldn't be overlooked!
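
As an added illustration (not part of the original post): the browser warning described above is triggered by subresources fetched over plain http from an https page, so one way to find affected VLE pages before users do is to scan stored content for such embeds. The sample HTML and its URLs are constructed, and the class and function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a subresource while rendering the page.
# <a href> is deliberately absent: a link is navigation, not embedded content.
SUBRESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "embed": ("src",), "object": ("data",), "source": ("src",),
    "video": ("src",), "audio": ("src",), "link": ("href",),
}

class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, url) for every subresource loaded over http."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet <link>s are rendered content; skip rel=canonical etc.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            url = (attrs.get(name) or "").strip()
            # Relative and protocol-relative (//host/path) URLs inherit the
            # page's scheme, so only an explicit http scheme is flagged.
            if urlsplit(url).scheme == "http":
                self.findings.append((tag, name, url))

def find_insecure_embeds(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample of user-authored VLE content.
SAMPLE_PAGE = """
<h1>Week 3 reading</h1>
<img src="/local/logo.png">
<img src="https://static.example.ac.uk/banner.png">
<iframe src="http://www.youtube.com/embed/EXAMPLE"></iframe>
<img src="http://farm1.static.flickr.com/EXAMPLE.jpg" />
<script src="//cdn.example.org/lib.js"></script>
<a href="http://www.example.org/paper.html">external link</a>
"""

if __name__ == "__main__":
    for tag, attr, url in find_insecure_embeds(SAMPLE_PAGE):
        print(f"<{tag} {attr}> loads over plain http: {url}")
```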