
Why is https only used for login?

Is performance the only issue? Can't an https connection be used throughout a user's session? There is obviously less redirection happening!

I found this related question on http vs. https performance

Edit: Ok, I didn't mean 'used only for login'. Rather, what I'm trying to ask is if you come to a point where you need https anywhere on your site whether it be login or payments, why not make all communication to the site over http?

As an example, assume a blog site. Now, the blog posts might get created by sending an email. Further down the line, I might provide a 'login' and then an 'add post' action. In this scenario, usually https is used only for the login and then regular http again for actually adding the post. Since the need now is to provide an 'admin' mode, so to speak, why not have all communication over https while a person is in the 'admin' mode, i.e. logged in?

abhijit asked Sep 01 '09 09:09



2 Answers

Performance is not the only issue. If you're going to use HTTPS, you really need to check that all your content, including third party images and libraries, is available through HTTPS. Otherwise, you will generate annoying mixed content messages on IE:

http://blog.httpwatch.com/2009/04/23/fixing-the-ie-8-warning-do-you-want-to-view-only-the-webpage-content-that-was-delivered-securely/

This also means that you'll need separate SSL certificates for each host name that you use (e.g. images.example.com) or some sort of wildcard SSL certificate (e.g. for *.example.com).

A carefully configured site should only suffer a slight CPU hit on client and server using HTTPS:

http://blog.httpwatch.com/2009/01/15/https-performance-tuning/

HttpWatchSupport answered Nov 10 '22 06:11
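The check described in the answer above can be automated before a page is switched to HTTPS. This is an added example, not code from the answer or from HttpWatch: it lists subresources that would still load over plain HTTP and every host name that would need a valid certificate. The function names, sample HTML and host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that makes the browser fetch a subresource, per tag.
# <a href> is navigation, not page content, so it is not listed.
SUBRESOURCE_ATTR = {
    "img": "src", "script": "src", "iframe": "src", "embed": "src",
    "audio": "src", "video": "src", "source": "src",
    "object": "data", "link": "href",
}

class SubresourceCollector(HTMLParser):
    """Collects subresource URLs, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet <link>s are loaded as content; skip canonical etc.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        value = attrs.get(SUBRESOURCE_ATTR.get(tag, ""))
        if value:
            self.urls.append(urljoin(self.page_url, value.strip()))

def audit_page(page_url, html):
    """Return (insecure_urls, hosts_needing_certificates) for an HTTPS page."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    insecure = [u for u in collector.urls if urlsplit(u).scheme == "http"]
    hosts = {urlsplit(u).hostname for u in collector.urls + [page_url]}
    return insecure, sorted(hosts)

# Constructed sample: an admin page served over HTTPS.
PAGE_URL = "https://www.example.com/admin/add-post"
SAMPLE_HTML = """
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://www.example.com/admin/add-post">
<script src="http://cdn.example.net/lib.js"></script>
<img src="http://images.example.com/logo.png">
<img src="//images.example.com/banner.png">
<a href="http://www.example.com/about">About</a>
"""

if __name__ == "__main__":
    print(audit_page(PAGE_URL, SAMPLE_HTML))
```

Relative and protocol-relative (`//host/...`) URLs inherit the page's scheme, so they are not reported as mixed content, but their hosts still appear in the certificate list.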


An HTTPS connection can be used anywhere. It just transmits all data using SSL (TLS), which is a form of public/private and symmetric encryption. It makes it very hard to decrypt the data sent to and from the server.

Due to the costs of encrypting and decrypting the data, it (in some cases) isn't used where sensitive data isn't transmitted. Not using it just reduces the server load. It should always be used when sensitive data needs to be transmitted. If you are entering (for example) credit card data, you should check that the protocol is https rather than http.

Yacoby answered Nov 10 '22 07:11