I have a site that works very well when everything is in HTTPS (authentication, web services etc). If I mix http and https it requires more coding (cross domain problems).

I don't seem to see many web sites that are entirely in HTTPS so I was wondering if it was a bad idea to go about it this way?

Edit: Site is to be hosted on Azure cloud where Bandwidth and CPU usage could be an issue...

+2  A: 

HTTPS decreases server throughput so may be a bad idea if your hardware can't cope with it. You might find this post useful. This paper (academic) also discusses the overhead of HTTPS.

RichardOD
+5  A: 

You lose a lot of features with HTTPS (mainly related to performance):

  • Proxies cannot cache pages
  • You cannot use a reverse proxy for performance improvement
  • You cannot host multiple domains on the same IP address
  • Obviously, the encryption consumes CPU

Maybe that's no problem for you though; it really depends on the requirements.

chris166
Web browsers won't cache content either.
BacMan
You can use a reverse proxy with https, if the reverse proxy talks https to the client and plain http to the backend servers.
Dave Hinton
Web browsers DO cache HTTPS content. The caching behavior depends only on the Cache-control header. Usually, when HTTPS is used for transactions, banking etc, the Cache-control is set to 'no-cache'
chris166
+4  A: 

If you have HTTP requests coming from an HTTPS page you'll force the user to confirm the loading of insecure data. Annoying on some websites I use.

Adrian Lynch
Just to expand on this a bit with an example: if you show images from another URL (e.g. a content or image server) that are themselves not encrypted (e.g. http://myimageserver.com/Image.jpg) then the browser will pop up a warning that some parts of the page are not encrypted.
Mark Brittingham
+2  A: 

If you've no side effects then you are probably okay for now and might be happy not to create work where it is not needed.

However, there is little reason to encrypt all your traffic. Certainly login credentials or other sensitive data do. One of the main things you would be losing out on is downstream caching. Your servers, the intermediate ISPs and users cannot cache the https. This may not be completely relevant as it reads that you are only providing services. However, it completely depends on your setup and whether there is opportunity for caching and if performance is an issue at all.

dove
Thanks, didn't know about the caching. Caching could be very important for me on my main page as there will be binary data loaded from the service.
vidalsasoon
+2  A: 

I hate running into pointlessly all-https sites that handle nothing that really requires encryption. Mainly because they all seem to be 10x slower than every other site I visit. Like most of the documentation pages on developer.mozilla.org will force you to view it with https, for no reason whatsoever, and it always takes long to load.

David
A: 

It is a good idea to use all-HTTPS - or at least provide knowledgeable users with the option for all-HTTPS.

If there are certain cases where HTTPS is completely useless and in those cases you find that performance is degraded, only then would you default to or permit non-HTTPS.

Justice