Hey just a quick question for any experts out there. I have a site that lets users interact through messages and to sign up you just make a username and password, verify your age, and optionally, add an email. There isn't really any sensitive information I suppose. Is it worth using https. Will it prevent session hi jacking and will it hinder performance?
It is worth it at the very least if you transmit passwords and email addresses, or any other private or personally identifiable information. Session hijacking is possible if there's any non-HTTPS communication, but that's a risk many websites are willing to accept, and depends on your situation.
Performance issues depend on your hardware and your stack, but there will be "some" performance hit from HTTPS vs HTTP. It's not enough to stop you from protecting passwords and sensitive user information.
I've thought about this before as well. I would think you would want a secure connection when users are logging in or changing information.
I think that as soon as you have some kind of login handling you should protect the password of the user. You can do that either through https or by using http digest authentication.
My main point for encryption is that quite a lot of your users will have the same password to your site as they have to their bank account or something similar. Even though the information at your site is not sensitive, the passwords may indeed protect something important.
Anytime you use a username/password you should absolutely secure the entire session with HTTPS. The cost to you is fairly minor compared to the potential cost to your users if their passwords are exposed. Research consistently shows that people use the same password for nearly every system they access.
Additionally, beyond the risk of password exposure, consider that your site is a communications tool. What's the potential risk or harm to your users of being impersonated? Of having malicious messages sent under their identity?
It's just not worth the risk. Secure the transport at the very least.
For some people, passwords and age would be considered sensitive information, though. Are you prepared to deal with some people who may have a different view than you?
Yes, SSL/TLS is required to maintain a securely authenticated session. If you have a login, then the login's post and THE ENTIRE SESSION must be protected by https. It is easier and more secure to forward all traffic to https, even if you have a simple web application.
The problem is that a session id (cookie) can be leaked if you use http. If that session is authenticated then a hacker can use that session id to authenticate with the server without a username and password.
This is clear requirement of The OWASP top 10 A3: "Broken Authentication and Session Management" http://www.owasp.org/images/0/0f/OWASP_T10_-_2010_rc1.pdf
Sending a cookie over http is also a violation of CWE-614 and CWE-311.