3

I was wondering, how can implement HTTPS on one part of website? Let`s say, I want to create internet shop. I want to be able browse all items without HTTPS (it is faster right?). And when I want to make a payment, then I want to use HTTPS. As much as I have read in other articles, when IIS is configured to use HTTPS, the configuration is applied for whole site :(

P.S. another question. What if I want the shop to be available only for users who already have accounts (it means users have to login to enter the shop)? Then user adds items to basket and then goes to the payment page (which is using HTTPS). Do they have to have another account dedicated for checkout and login to it in HTTPS page?

Augis
  • 1,903
  • 1
  • 16
  • 21

3 Answers3

5

There's nothing wrong with using HTTPS for an entire website - in fact it's encouraged. There was a performance downside to using HTTPS for all requests back in the 1990s when computer hardware wasn't as powerful as today, but now the only reason not to do all-site-HTTPS is that you can't afford the $20 a certificate costs :)

Anyway, the articles you've read are half-right. HTTPS support can only be enabled on a per-website basis, however you don't need to make HTTPs mandatory for an entire site: this is controlled by the "Require SSL/TLS" checkbox in IIS. If you leave that checkbox unchecked then users can still browse the site using non-secured HTTP. When it comes to the checkout page, then you can implement the "Require SSL/TLS" feature in your ASP.NET code (check the Request.IsSecureConnection property), such as by doing a redirection to the secure version of your site.

Dai
  • 141,631
  • 28
  • 261
  • 374
  • I see. Thank you for your answer. And what about the second accout? Does user need to have "secure" account? Because username and password he uses in HTTP is not secure and can be hacked, if I understand correctly? – Augis Feb 17 '13 at 21:40
  • 1
    Just make your entire site use HTTPs - that way everything will be sent securely, including usernames/passwords and credit card information. – Dai Feb 17 '13 at 21:59
1

There is a nice module that can help you to switch automatically from http to https in asp.net

I suggest to use http for all pages that have not to do with sensitive data, and only https on the one that have sensitive data.

The main reason is that if everything pass from https, including images, the data that travel are more and the time to encrypt and decrypt them is adding to the total time to show the page - so you simple can avoid it that extra delays and compute. After all, all major sites do the same (amazon, ebay, zazzle, cafepress, Endless, Crate and Brrel and other). They know something more - don't you think ?

Relative answer: Preparing my ASP.NET / MVC site to use SSL?

Community
  • 1
  • 1
Aristos
  • 66,005
  • 16
  • 114
  • 150
0

I've been told that if you want to implement HTTPS is it depends on how you want your website to be secure. There are SSLs certificates out there that will can be bought for a cheap price but the security can be limited. High security, of course it's really expensive but high on security. I believe if you want to make your website to be secure as possible, think about the possible and reasonable price that you can afford to make your website secure. Hopefully this link will be helpful.

10 cheapest SSL certificate

user1955712
  • 36
  • 4