tags:

views:

969

answers:

13
+24  Q: 

Why not use HTTPS for everything?

If I was setting up a server, and had the SSL certificate(s), why wouldn't I use HTTPS for the entire site instead of just for purchases/logins? I would think it would make more sense just to encrypt the entire site, and protect the user entirely. It would prevent problems such as deciding what has to be secured because everything would be, and it's not really an inconvenience to the user.

If I was already using an HTTPS for part of the site, why wouldn't I want to use it for the entire site?

This is a related question: http://stackoverflow.com/questions/1361531/why-is-https-only-used-for-login, but the answers are not satisfactory. The answers assume you've not been able to apply https to the entire site.

+11  A: 

I can think of a couple reasons.

  • Some browsers may not support SSL.
  • SSL may decrease performance somewhat. If users are downloading large, public files, there may be a system burden to encrypt these each time.
  • You will probably want the home page accessible via HTTP, so that users don't have to remember to type https to get to it.
WhirlWind  2010-04-30 16:25:38
What browsers do not support SSL?
Malfist  2010-04-30 16:27:12
Some compiles of lynx will not support it. If you are only supporting newer browsers, you should be fine.
WhirlWind  2010-04-30 16:28:02
I believe SSL main performance problem comes from establishing the connection. / https can redirect to http.
Tom Hawtin - tackline  2010-04-30 16:34:13
The SSL performance burden is highly dependent on the characteristics of the site. AES can be fairly CPU-intensive to perform, for example.
WhirlWind  2010-04-30 16:35:23
Do you have benchmarks for the performance hit?
Malfist  2010-04-30 16:50:53
I was looking through this: http://iweb.tntech.edu/hexb/publications/https-STAR-03122003.pdf "Once the server is saturated, the system performance of HTTPS achieves around 67% of HTTP in terms of throughput."
WhirlWind  2010-04-30 17:09:28
lynx and w3m work fine with ssl on my system.
Rook  2010-04-30 20:27:54
@The Rook That's why I used the adjective "some." Saying "all browsers support SSL" would be incorrect.
WhirlWind  2010-04-30 20:47:43
@WhirlWind yeah I respectfully disagree with almost everything you have said. My main concern is that the cookie value will be leaked when you are not using https for some pages. Make sure to read A3: "Broken authentication and session management" in the owasp top 10: http://www.owasp.org/index.php/Category%3aOWASP_Top_Ten_Project
Rook  2010-04-30 20:52:43
+5  A: 

https is more resource-hungry than the normal http.

It demands more from both the servers and the clients.

Johan  2010-04-30 16:26:33
How much more? Can you provide benchmarks?
Malfist  2010-04-30 16:31:26
A: 

In addition to WhirlWind's response, you should consider the cost and applicability of SSL certificates, access issues (it's possible, though unlikely, that a client may not be able to communicate via the SSL port), etc.

Using SSL isn't a guaranteed blanket of security. This type of protection needs to be built into the architecture of the application, rather than trying to rely on some magic bullet.

David Lively  2010-04-30 16:28:04
Since the user's already protecting part of the site, the cost of the cert is more or less moot.
futureelite7  2010-04-30 16:30:57
@futureelite7 good point, but probably relevant to others that may be researching this topic in the future.
David Lively  2010-04-30 16:32:56
Featurism is the enemy of security. The majority of the weaknesses in my own stuff, have roots in some ill-advised feature that myself or a predecessor accepted into the product plan. I find that getting a feature kicked off because it causes a security vulnerability doesn't make you any more popular than declining it in the first place. Popularity SHOULDN'T matter, but sadly it can and does. In your shoes, I would ask myself how much I really want to deal with unsecured users, or whether the app is even suitable for users who can't use encryption (think: banking, politics, activism).
Jason  2010-04-30 19:58:09
A: 

Well, the obvious reason is performance: all of the data will have to be encrypted by the server before transmission and then decrypted by the client upon receipt, which is a waste of time if there's no sensitive data. It may also affect how much of your site is cached.

It's also potentially confusing for end users if all the addresses use https:// rather than the familiar http://. Also, see this answer:

http://stackoverflow.com/questions/2745895/why-not-always-use-https-when-including-a-js-file/2745920#2745920

Will Vousden  2010-04-30 16:28:21
why would it confuse the users? How many actually look at the protocol of the uri?
Malfist  2010-04-30 16:32:15
A: 

https requires the server to encrypt and decrypt client requests and responses. The performance impact will add up if the server is serving lots of clients. That's why most current implementations of https is limited to password authentication only. But with increasing computing power this may change, after all Gmail is using SSL for the entire site.

futureelite7  2010-04-30 16:30:13
A: 

Actually SSL isn't used often enough. HTTPS must be used for the entire session, at no point can a Session ID be sent over HTTP. If you are only useing https for logging in then you are in clear violation of The OWASP top 10 for 2010 "A3: Broken Authentication and Session Management".

Rook  2010-04-30 17:11:45
This may be too broad of an assumption. There is no reason session state can't be managed separatly for http and https via single https login operation. Its likely to be more work than its worth and invite security related bugs but would not seem to automatically constitute a clear violation.
Einstein  2010-04-30 18:19:44
@Einstein please read the OWASP A3, it is very clearly worded. Keep in mind that the attacker doesn't need the username/password if he has the cookie from an authenticated session.
Rook  2010-04-30 18:44:13
Site provides mixed https/http. https login provides separate low and high security session tokens. Low security tokens assigned only to http session would not work for operations requiring high security. From my read OWASP A3 is mearly illuminating the basic problem of possibility of high security access via low security transport.
Einstein  2010-04-30 20:34:54
@Einstein So then you disagree that Session id's are used to authenticate web browsers? Take into consideration this attack pattern, in xss attacks you are trying to obtain the value of `document.cookie` so that the attacker can use this to authenticate. This value can also be obtained by sniffing traffic, which https stops. I'm not exactly sure what your point is.
Rook  2010-04-30 20:50:25
In your scenario the session id for http would be worthless for https protected resources if a system were to create two separate sessions for a single authentication action to allow both protocols to be used without https session and associated resources exposed by the http session cookie. For example http session might be used for identification of access to public resources for reporting purposes or access to public message boards but they would not be valid for secure resources.
Einstein  2010-05-01 21:48:04
A: 

I was told that on one project at our company, they found that the bandwidth taken up by SSL messages was significantly more than for plain messages. I believe someone told me it was an astounding 12 times as much data. I have not verified this myself and it sounds very high, but if there is some sort of header added to each page and most pages have a small amount of content, that may not be so far out.

That said, the hassle of going back and forth between http and https and keeping track of which pages are which seems like too much effort to me. I only once tried to build a site that mixed them and we ended up abandoning the plan when we got tripped up by complex things like pop-up windows created by Javascript getting the wrong protocol attached to them and that sort of thing. We ended up just making the whole site https as less trouble. I guess in simple cases where you just have a login screen and a payment screen that need to be protected and they're simple pages, it wouldn't be a big deal to mix-and-match.

I wouldn't worry much about the burden on the client to decrypt. Normally the client is going to be spending a lot more time waiting for data to come over the wire than it takes to process it. Until users routinely have gigabit/sec internet connections, client processing power is probably pretty irrelevant. The CPU power requried by the server to encrypt pages is a different issue. There might well be issues of it not being able to keep up with hundreds or thousands of users.

Jay  2010-04-30 17:12:37
The extra bandwidth is small even in the worst case.
GregS  2010-05-01 11:40:15
+1  A: 

For high latency links the initial TLS handshake requires additional round trips to validate the certificate chain (including sending any intermediate certificates), agree on cipher suites and establish a session. Once a session is established subsequent requests may utilize session caching to reduce the number of round trips but even in this best case there is still more round trips than a normal HTTP connection requires. Even if encryption operations were free round trips are not and can be quite noticable over slower network links especially if the site does not leverage http pipelining. For broadband users within a well connected segment of the network this is not an issue. If you do business internationally requring https can easily cause noticable delays.

There are additional considerations such as server maintenance of session state requiring potentially significantly more memory and of course data encryption operations. Any small sites practically need not worry about either given server capability vs cost of todays hardware. Any large site would easily be able to afford CPU /w AES offload or add-on cards to provide similar functionality.

All of these issues are becoming more and more of a non-issue as time marches on and the capabilities of hardware and the network improve. In most cases I doubt there is any tangable difference today.

There may be operational considerations such as administrative restrictions on https traffic (think intermediate content filters..et al) possibly some corporate or governmental regulations. Some corporate environment require data decryption at the perimeter to prevent information leakage ... interference with hotspot and similiar web based access systems not capable of injecting messages in https transactions. At the end of the day in my view reasons for not going https by default are likely to be quite small.

Einstein  2010-04-30 18:06:39
+4  A: 

Why not send every snail-mail post in a tamper-proof opaque envelope by Registered Mail? Someone from the Post Office would always have personal custody of it, so you could be pretty sure that no one is snooping on your mail. Obviously, the answer is that while some mail is worth the expense, most mail isn't. I don't care if anyone reads my "Glad you got out of jail!" postcard to Uncle Joe.

Encryption isn't free, and it doesn't always help.

If a session (such as shopping, banking, etc.) is going to wind up using HTTPS, there's no good reason not to make the whole session HTTPS as early as possible.

My opinion is that HTTPS should be used only when unavoidably necessary, either because the request or the response needs to be safeguarded from intermediate snooping. As an example, go look at the Yahoo! homepage. Even though you're logged in, most of your interaction will be over HTTP. You authenticate over HTTPS and get cookies that prove your identity, so you don't need HTTPS to read news stories.

David M  2010-04-30 18:21:38
Nice mail analogy.
typoknig  2010-05-01 01:27:56
+9  A: 

The biggest reason for me, beyond system load, is that it breaks name based virtual hosting. With SSL, it's one site - one IP address. This is pretty expensive, as well as harder to administrate.

Adam Wright  2010-04-30 18:26:36
+1 Its *the* reason why Google App Engine doesn't support https on custom domains. Waiting for TLS-SNI to be more widely supported.
sri  2010-04-30 18:52:20
You could get this back with SSL terminating hardware. And if system load is a problem (it is for a lot of people!) then hardware SSL may be the way to go anyway.
Jason  2010-04-30 19:40:36
A: 

Many crawlers such as search engine bots cannot (or will not) handle SSL encrypted pages.

John Conde  2010-04-30 18:34:50
Any spider worth its salt does. Plus everyone uses google anyway.
Rook  2010-04-30 20:27:14
+3  A: 

In addition to the other reasons (especially performance related) you can only host a single domain per IP address* when using HTTPS.

A single server can support multiple domains in HTTP because the Server HTTP header lets the server know which domain to respond with.

With HTTPS, the server must offer its certificate to the client during the initial TLS handshake (which is before HTTP starts). This means that the Server header hasn't been sent yet so there is no way for the server to know which domain is being requested and which certificate (www.foo.com, or www.bar.com) to respond with.

*Footnote: Technically, you can host multiple domains if you host them on different ports, but that is generally not an option. You can also host multiple domains if your SSL certificate is has a wild-card. For example, you could host both foo.example.com and bar.example.com with the certificate * .example.com

Eadwacer  2010-05-01 00:36:14
Wouldn't having a wildcard SSL certificate solve this problem?
Rob  2010-05-03 18:06:40
+1 For the nice explanation.
Echo  2010-05-04 19:50:02
A: 

One other small point (maybe someone can verify), If a user types data into a form item such as a text box and then for some reason refreshes the page or the server crashes out for a second, the data the user entered is lost using HTTPS but is preserved using HTTP.

Note: I'm not sure if this is browser specific but it certainly happens with my Firefox browser.

toc777  2010-06-23 10:14:21

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security