What are the pros and cons of a 100% HTTPS site?

Tags: security, https

First, let me admit that what I know about HTTPS is pretty rudimentary. I don't know much about session security, encryption, or how either of those things is supposed to be done.

What I do know is that web security is important; that horror stories of XSS, CSRF, and database injections pop up over and over again. I know that a preventative stance against such exploits is better than a reactive one.

But the motivation for this question comes from a different point of view. I work at a site that regularly accepts payment from users. Obviously, the payments are sent over a secure channel (HTTPS). I mainly work on the CSS, HTML, and JavaScript of the site. What I've been told is that it is necessary to duplicate CSS, JavaScript, and image files before they can be called over HTTPS. So assume I have the following files:

  • css/global.css
  • js/global.js
  • images/
    • logo.png
    • bg.png

The way I understand it, these files need to be duplicated before they can be "added" to the HTTPS. So a file can either be under security (HTTPS) or not.

If this is true, then this is a major hindrance. In even the smallest site, it would be a major pain to duplicate files and then have to maintain them every time you make a CSS or JS change. Obviously this could be alleviated by moving everything into the HTTPS.

So what I want to know is, what are the pros and cons of a site that is completely behind HTTPS? Does it cause noticeable overhead? Is it just foolish to place the entire site under encryption? Would users feel safer seeing the "secure" notifications in their browser during their entire visit? And last but not least, does it truly make for a more secure site? What can HTTPS not protect against?

Josh Leitzel asked Oct 29 '10 19:10

2 Answers

You can serve the same content via HTTPS as you do via HTTP (just point it to the same document root).

Cons that may be major or minor, depending:

  1. Serving content over HTTPS is slower than serving it via HTTP.
  2. Certificates signed by well-known authorities can be expensive.
  3. If you don't have a certificate signed by a trusted authority (e.g., you sign it yourself), visitors will get a warning.

Those are pretty basic, but just a few things to note. Also, personally, I feel much better seeing that the entire site is HTTPS if it's anything related to financial stuff, obviously, but as far as general browsing, no, I don't care.

mway answered Oct 14 '22 11:10

Noticeable overhead? Yes, but that matters less and less these days as clients and servers are much faster.

You don't need to make a copy of everything, but you do need to make those files accessible via HTTPS. Your HTTPS and HTTP services can use the same doc root.

Is it foolish to put the whole site under encryption? Typically no.

Would users feel safer? Probably.

Does it truly make for a more secure site? Only when dealing with the communication channel between the client and the server. Everything else is still up for grabs.

Brad answered Oct 14 '22 10:10
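Both answers make the same point: the HTTP and HTTPS services can share one document root, so the CSS, JS and image files are never duplicated. The following nginx configuration is an added example (not code from either answerer) that assumes the host name example.com, the files under /var/www/example, and a certificate and key at /etc/ssl/example.com.crt and /etc/ssl/example.com.key.

```nginx
# Added example: one nginx configuration serving the same document root over
# plain HTTP and over HTTPS. Host name, paths and certificate locations are
# assumptions for illustration only.

server {
    listen 80;
    server_name example.com;

    # Same root as the HTTPS block below: css/global.css, js/global.js and
    # images/ are served from here regardless of the scheme the client used.
    root /var/www/example;
    index index.html;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/example.com.crt;
    ssl_certificate_key /etc/ssl/example.com.key;

    # Identical root; no second copy of the static files is needed.
    root /var/www/example;
    index index.html;
}
```

In the HTML, reference the assets with scheme-less paths such as `/css/global.css` rather than `http://example.com/css/global.css`, so they load over whichever scheme the page itself was requested with and the browser does not flag mixed content on the HTTPS pages.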