
Why not use HTTPS for everything?

Tags:

security

https

People also ask

Why don't we use HTTPS for all Web traffic?

While less of a concern for smaller sites with little traffic, HTTPS can add up should your site suddenly become popular. Perhaps the main reason most of us are not using HTTPS to serve our websites is simply that it doesn't work with virtual hosts.

Should you always use HTTPS?

Privacy and integrity by default. By always using HTTPS, web services don't have to make a subjective judgment call about what's “sensitive”. This leaves less room for error, and makes deployment simpler and more consistent. Widespread use of HTTPS also means that clients can begin assuming HTTPS with more confidence.

Is everything with HTTPS safe?

HTTPS doesn't mean safe. Many people assume that an HTTPS connection means that the site is secure. In fact, HTTPS is increasingly being used by malicious sites, especially phishing ones.

Why you should not use HTTP?

The problem is that HTTP data is not encrypted, so can be intercepted by third parties to gather data passed between the two systems. This can be addressed by using a secure version called HTTPS, where the S stands for Secure.


In addition to the other reasons (especially performance related) you can only host a single domain per IP address* when using HTTPS.

A single server can support multiple domains in HTTP because the Server HTTP header lets the server know which domain to respond with.

With HTTPS, the server must offer its certificate to the client during the initial TLS handshake (which is before HTTP starts). This means that the Server header hasn't been sent yet so there is no way for the server to know which domain is being requested and which certificate (www.foo.com, or www.bar.com) to respond with.


*Footnote: Technically, you can host multiple domains if you host them on different ports, but that is generally not an option. You can also host multiple domains if your SSL certificate has a wild-card. For example, you could host both foo.example.com and bar.example.com with the certificate *.example.com.


I can think of a couple reasons.

  • Some browsers may not support SSL.
  • SSL may decrease performance somewhat. If users are downloading large, public files, there may be a system burden to encrypt these each time.

SSL/TLS isn't used nearly often enough. HTTPS must be used for the entire session; at no point can a Session ID be sent over HTTP. If you are only using HTTPS for logging in then you are in clear violation of the OWASP Top 10 for 2010 "A3: Broken Authentication and Session Management".
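A way to check the requirement in the answer above, that a session ID never travels over HTTP, as an added example that is not part of the original answers: it audits `Set-Cookie` headers and flags session cookies that a browser could send in cleartext. The cookie names in `SESSION_NAMES`, the `shop.example` host and the sample responses are constructed assumptions.

```python
from urllib.parse import urlsplit

# Cookie names treated as session identifiers (assumption for this example).
SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid", "sid"}

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, value, attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), val.strip(), attrs

def audit(exchanges):
    """exchanges: list of (response_url, [Set-Cookie values]).
    Returns (cookie_name, url, problem) for every exposed session cookie."""
    findings = []
    for url, headers in exchanges:
        scheme = urlsplit(url).scheme
        for header in headers:
            name, _, attrs = parse_set_cookie(header)
            if name.lower() not in SESSION_NAMES:
                continue  # not a session identifier, out of scope here
            if scheme != "https":
                findings.append((name, url, "session cookie set over plain HTTP"))
            elif "secure" not in attrs:
                # Without the Secure attribute the browser attaches the
                # cookie to later http:// requests to the same host too.
                findings.append((name, url, "missing Secure attribute"))
    return findings

# Constructed sample: login over HTTPS, then browsing partly over HTTP.
SAMPLE = [
    ("https://shop.example/login",
     ["sessionid=a1b2c3; Path=/; HttpOnly"]),
    ("https://shop.example/account",
     ["sessionid=d4e5f6; Path=/; Secure; HttpOnly", "theme=dark; Path=/"]),
    ("http://shop.example/news",
     ["PHPSESSID=0f9e8d; Path=/"]),
]

if __name__ == "__main__":
    for name, url, problem in audit(SAMPLE):
        print(f"{name} from {url}: {problem}")
```
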


Why not send every snail-mail post in a tamper-proof opaque envelope by Registered Mail? Someone from the Post Office would always have personal custody of it, so you could be pretty sure that no one is snooping on your mail. Obviously, the answer is that while some mail is worth the expense, most mail isn't. I don't care if anyone reads my "Glad you got out of jail!" postcard to Uncle Joe.

Encryption isn't free, and it doesn't always help.

If a session (such as shopping, banking, etc.) is going to wind up using HTTPS, there's no good reason not to make the whole session HTTPS as early as possible.

My opinion is that HTTPS should be used only when unavoidably necessary, either because the request or the response needs to be safeguarded from intermediate snooping. As an example, go look at the Yahoo! homepage. Even though you're logged in, most of your interaction will be over HTTP. You authenticate over HTTPS and get cookies that prove your identity, so you don't need HTTPS to read news stories.