I have a website that makes heavy use of AJAX. There is an almost constant transfer of sensitive data.

Because of this I was thinking of running my full website in HTTPS, making it secure throughout your stay.

I was wondering if there are any downsides doing this. Performance is a huge issue for me, the faster the app runs the better. I can safely say that speed is a larger issue than the security.

On the security side, I already generate a new session id when sensitive data is transferred, so there is no real need to make it all https, but if there are no downsides why not use it.

Can someone please explain to me what the downsides are of using https for everything.

+2  A: 

Well, there is obviously the overhead of encrypting everything all the time. It's probably not a huge problem for the client (since it's only encrypting data for a single connection) but it can become a bottleneck on the server (since it has to encrypt everything for every connection).

You could implement an SSL proxy where you have a front-end web server that talks SSL to clients and then forwards requests to the "backend" webservers for real processing. The backend webservers would be firewalled and not use SSL.

Dean Harding
I knew there had to be a downside. I have one follow-up question though. You talk about front-end and back-end web servers. Is this just one server but configured differently, or do I have to install two separate web servers (e.g. Apache, nginx)?
Saif Bechan
I mean you have two physical machines. They can both run Apache if you like. One machine talks to the client/browser over SSL and simply forwards all requests to the backend server which does the actual processing (Apache has mod_proxy which makes this relatively easy). You can also buy dedicated SSL servers, though I tend to think that's overkill.
Dean Harding
OK, I understand now. I think this is a little too much for me at this point. I'll just use SSL for the logins and the most important parts of the website.
Saif Bechan
You can always just use SSL for everything and then move to the frontend/backend model once it becomes a problem. You'll still be able to serve 1000s of requests per minute with only one server - hopefully by the time you get to that level of use, you'll have found a way to monetize all those people :)
Dean Harding
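The front-end/back-end split described in the answer above, as an added example that is not part of the original answer: an Apache virtual host that terminates TLS and uses mod_proxy to forward every request to a backend that speaks plain HTTP only on a private, firewalled address. The hostname www.example.com, the certificate paths and the backend address 10.0.0.10 are placeholders.

```apache
# Front-end proxy: terminates TLS for www.example.com (placeholder hostname)
# and forwards everything to a firewalled backend on a private address.
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers.

<VirtualHost *:80>
    ServerName www.example.com
    # Send plain-HTTP visitors to the HTTPS site so nothing sensitive travels in clear.
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    # Placeholder certificate and key paths.
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Tell browsers to keep using HTTPS for this host for one year.
    Header always set Strict-Transport-Security "max-age=31536000"

    # Keep the client's Host header so the backend builds correct links.
    ProxyPreserveHost On
    # The hop from this proxy to the backend is plain HTTP, so tell the
    # backend that the client connection was HTTPS (e.g. for Secure cookies
    # and absolute URLs).
    RequestHeader set X-Forwarded-Proto "https"

    # 10.0.0.10 is the backend's private address (placeholder). Its firewall
    # should accept port 80 only from this proxy.
    ProxyPass        / http://10.0.0.10:80/
    ProxyPassReverse / http://10.0.0.10:80/
</VirtualHost>
```

The backend application should trust X-Forwarded-Proto only when the request arrives from the proxy's address, otherwise a client reaching the backend directly could spoof it.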