First, let me admit that what I know about HTTPS is pretty rudimentary. I don't know much about session security, encryption, or how either of those things is supposed to be done.

What I do know is that web security is important; that horror stories of XSS, CSRF, and database injections pop up over and over again. I know that a preventative stance against such exploits is better than a reactive one.

But the motivation for this question comes from a different point of view. I work at a site that regularly accepts payment from users. Obviously, the payments are sent over a secure channel (HTTPS). I mainly work on the CSS, HTML, and JavaScript of the site. What I've been told is that it is necessary to duplicate CSS, JavaScript, and image files before they can be called over HTTPS. So assume I have the following files:

  • css/global.css
  • js/global.js
  • images/
    • logo.png
    • bg.png

The way I understand it, these files need to be duplicated before they can be "added" to the HTTPS. So a file can either be under security (HTTPS) or not.

If this is true, then this is a major hindrance. In even the smallest site, it would be a major pain to duplicate files and then have to maintain them every time you make a CSS or JS change. Obviously this could be alleviated by moving everything into the HTTPS.

So what I want to know is, what are the pros and cons of a site that is completely behind HTTPS? Does it cause noticeable overhead? Is it just foolish to place the entire site under encryption? Would users feel safer seeing the "secure" notifications in their browser during their entire visit? And last but not least, does it truly make for a more secure site? What can HTTPS not protect against?

+7  A: 

You can serve the same content via HTTPS as you do via HTTP (just point it to the same document root).

Cons that may be major or minor, depending:

  1. Serving content over HTTPS is slower than serving it via HTTP.
  2. Certificates signed by well-known authorities can be expensive.
  3. If you don't have a certificate signed by a trusted authority (e.g., you sign it yourself), visitors will get a warning.

Those are pretty basic, but just a few things to note. Also, personally, I feel much better seeing that the entire site is HTTPS if it's anything related to financial stuff, obviously, but as far as general browsing, no, I don't care.

mway
+2  A: 

Noticeable overhead? Yes, but that matters less and less these days as clients and servers are much faster.

You don't need to make a copy of everything, but you do need to make those files accessible via HTTPS. Your HTTPS and HTTP services can use the same doc root.

Is it foolish to put the whole site under encryption? Typically no.

Would users feel safer? Probably.

Does it truly make for a more secure site? Only when dealing with the communication channel between the client and the server. Everything else is still up for grabs.

Brad
+1  A: 

The traditional reason for not having the entire site behind SSL is processing time. It does take more work for both the client and the server to use SSL. However, this overhead is fairly small compared to modern processors.

If you are running a very large site, you may need to scale slightly faster if you are encrypting everything.

You also need to buy a certificate, or use a self-signed one, which may not be trusted by your users.

You also need a dedicated IP address. If you are on a shared hosting system, you need to have an IP that you can dedicate to only having SSL on your site.

But if you can afford a certificate and private IP and don't mind needing a slightly faster server, using SSL on your entire site is a great idea.

With the number of attacks that SSL mitigates, I would say do it.

Alan Geleynse
+2  A: 

You do not need multiple copies of these files for them to work with HTTPS. You may need to have 2 copies of these files if the hosting setup has been configured such that you have a separate https directory. So to answer your question - no, duplicate files are not required for HTTPS, but depending on the web hosting configuration, they may be.

In regards to the pros and cons of https vs http, there are already a few posts addressing that:

  • http://stackoverflow.com/questions/149274/http-vs-https-performance
  • http://stackoverflow.com/questions/1468648/https-vs-http-speed-comparison

HTTPS only encrypts the data between the client computer and the server. It does not fix software holes or issues such as remote JavaScript includes. HTTPS doesn't make your application better - it only helps secure the data between the user and your app. You need to make sure your app has no security holes, practice filtering all data, SQL, and review security logs frequently.

However, if you're only responsible for the frontend part of the site, I wouldn't worry about it, but would bring up concerns of security with the main developer for the backend.

Steven Leggett
+2  A: 

You've been misinformed. The css, js, and image files need not be duplicated assuming you've set up the http and https mapping to point to the same physical website on the server. The only important thing is that these files are referenced with https when the page you're looking at is also under https. This will prevent the dreaded security message that says that some objects on the page are not secured.

For every other page where you're running the site under http (unsecured) you can reference those same files in the same locations, but with an http address.

To answer your other question, there would indeed be a performance penalty to put the entire site under https. The server has to work hard to encrypt everything it sends over the wire. And then some not-so-old browsers won't cache https content to disk by default, which of course will result in an even heavier load on the server.

Because I like my sites to be as responsive as possible, I'm always selective about which sections of a site I choose to be SSL-encrypted. In most typical e-commerce sites, the only pages that need SSL encryption are the login, registration, and checkout pages.

Steve Wortham
It's mostly Firefox 2 that is difficult with regard to caching https content, so I wouldn't worry about that.
rlovtang
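
The "some objects on the page are not secured" warning described in the answer above can be checked for mechanically. This is an added example, not part of any answer on this page: it resolves each subresource reference the way a browser does and reports the ones that land on plain HTTP when the page itself is HTTPS. The file names come from the question; the hosts `www.example.com` and `cdn.example.com`, `print.css`, and the markup are constructed for illustration.

```javascript
// Constructed sample markup: relative, root-relative, protocol-relative and
// hard-coded http:// references to the same kind of files as in the question.
const SAMPLE_HTML = `
<link rel="stylesheet" href="css/global.css">
<link rel="stylesheet" href="http://www.example.com/css/print.css">
<script src="/js/global.js"></script>
<script src="//cdn.example.com/lib.js"></script>
<img src="images/logo.png">
<img src="http://www.example.com/images/bg.png">
`;

// URL-carrying attribute per tag, and whether the resource is "active"
// (can rewrite the page: scripts, stylesheets, frames) or "passive" (images).
const SUBRESOURCES = {
  script: { attr: "src", kind: "active" },
  link: { attr: "href", kind: "active" },
  iframe: { attr: "src", kind: "active" },
  img: { attr: "src", kind: "passive" },
};

// Returns the references that would be fetched over HTTP from an HTTPS page.
// The regex scan is a simplification; a real audit should use an HTML parser.
function findInsecureSubresources(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  const tagRe = /<(script|link|iframe|img)\b([^>]*)>/gi;
  for (const [, tagName, attrs] of html.matchAll(tagRe)) {
    const tag = tagName.toLowerCase();
    const { attr, kind } = SUBRESOURCES[tag];
    const m = new RegExp(`\\b${attr}\\s*=\\s*["']([^"']+)["']`, "i").exec(attrs);
    if (!m) continue;
    // Relative and protocol-relative references inherit the page's scheme.
    const resolved = new URL(m[1], page);
    if (page.protocol === "https:" && resolved.protocol === "http:") {
      findings.push({ tag, kind, ref: m[1] });
    }
  }
  return findings;
}

// Same markup, same files: only the hard-coded http:// references are flagged.
console.log(findInsecureSubresources(SAMPLE_HTML, "https://www.example.com/checkout"));
// On an HTTP page nothing counts as mixed content.
console.log(findInsecureSubresources(SAMPLE_HTML, "http://www.example.com/checkout").length);
```

References written as `css/global.css`, `/js/global.js` or `//host/path` follow the scheme of the page that includes them, so one copy of each file serves both the HTTP and the HTTPS pages.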
+1  A: 

One of the concerns is that https traffic could be blocked. For example, on Apple computers, if you turn parental controls on, they block https traffic because they can't read the encrypted content. You can read about it here:

http://support.apple.com/kb/ht2900

https note: For websites that use SSL encryption (the URL will usually begin with https), the Internet content filter is unable to examine the encrypted content of the page. For this reason, encrypted websites must be explicitly allowed using the Always Allow list. Encrypted websites that are not on the Always Allow list will be blocked by the automatic Internet content filter.

Romario