9

I am managing a web application that dynamically flips between http and https depending on the page. I want to get rid of a ton of extra code used to flip between http and https, but I want to understand any implications before I continue.

Is there any advantage to serving part of a site using http over https?

Mr. Polywhirl
Kenneth J
  • Performance can be an issue as discussed here: http://stackoverflow.com/questions/149274/http-vs-https-performance – Kevin Stock Jun 27 '11 at 20:20
  • I run with HTTP warnings enabled so on your site I'd go mad as it continually switched between HTTP and HTTPS... – Neil Jun 27 '11 at 20:22

4 Answers

7

Of course there is some performance drop when using https, but it is not significant unless you have an extremely busy server. See

Bohdan
3

HTTP is not a secure protocol and anyone can intercept the transmitted data in cleartext (e.g. session cookies, passwords, credit card numbers, sexual fetishes). If you can, you should provide consistent HTTPS service throughout.

That said, by the design of the public/private key security, you can only use HTTPS on a server where you have complete and sole control over the IP address, since the client first looks up the IP address, then requests the secure protocol, and only then makes the HTTP query. That means that you cannot deploy HTTPS on virtual hosts (shared hosting).

(Since you already have a partial HTTPS solution, I imagine that's not a problem for you, though.)

The other downside is that the secure handshake and later encryption require computing resources, so that if you have bazillions of connections, you may feel quite a hit on your server performance. That's for you to consider, though.

Short form: If you have a dedicated IP address and enough computing resources, always and exclusively use HTTPS.

Kerrek SB
  • Not *entirely* true... [Shared Hosting](http://en.wikipedia.org/wiki/Shared_web_hosting_service) *can* be IP based ;-) –  Jun 27 '11 at 20:26
  • @pst: To make security less than a sham, you need to be able to **authenticate** your peer. The only authentication you could do on a shared host is with the IP address, which is fairly useless if there could be any number of phishing clones of your website on the same host. You really want authentication by hostname, which in practice creates a hurdle for PKI-based authentication. (I think there've been some suggestions for transmitting the desired hostname ahead of time, though, are you referring to that?) – Kerrek SB Jun 27 '11 at 20:29
  • @Kerrek shared hosting usually means several hosts on a single physical computer. This can include a dedicated IP for each hosted site. So no tricks would be involved in this case and SSL 3.0 will work fine with domain-based certificates (i.e. no need for TLS domain extensions which you are referring to). – Eugene Mayevski 'Callback Jun 27 '11 at 21:11
  • @Eugene: Thanks. Yes, it's enough to have your own public IP address, you don't need to be physically the only one using the hardware. Cheers. – Kerrek SB Jun 27 '11 at 21:13
  • @Kerrek, there's also SNI (Server Name Indication), which a number of clients/servers now support. – Bruno Jun 27 '11 at 22:50
  • Bruno: I think that's part of the TLS extensions that Eugene mentioned. But yes, thanks. Has this already found widespread use? If so then that would remove one major excuse not to offer HTTPS! – Kerrek SB Jun 27 '11 at 22:54
3

Using http is faster than https obviously since you do not have the ssl handshake overhead during connection establishment or the extra encryption/decryption delay.
If you only need parts of your web site to be secure e.g. just encrypt the login credentials, then it makes sense to have the code for the redirection so that the interaction after that is faster due to plain-text http.
If there are many areas of your site that need to be secure, then you could make measurements using https completely and see if the performance is significantly affected.
If you see no significant performance issues (or the performance is acceptable), then you could simplify your software design and remove the redirection logic between http<->https and use https everywhere.

Cratylus
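Added example, not code from the question or from any of the answers: a small Python WSGI middleware that implements the last step of the answer above, dropping the http<->https redirection logic in favour of a single rule that serves everything over HTTPS. It goes one step beyond the page by also sending a Strict-Transport-Security header on HTTPS responses; the hostname, the `hello_app` stand-in and the request values are constructed placeholders.

```python
from urllib.parse import quote

CANONICAL_HOST = "www.example.com"  # constructed placeholder for the site's real hostname


def force_https(app, host=CANONICAL_HOST, hsts_max_age=31536000):
    """Wrap a WSGI app so every request is answered over HTTPS only."""

    def wrapper(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # Rebuild the URL on https with the configured host rather than
            # the client-supplied Host header, so the redirect can't be steered.
            path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "/"))
            qs = environ.get("QUERY_STRING", "")
            location = f"https://{host}{path}" + (f"?{qs}" if qs else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def add_hsts(status, headers, exc_info=None):
            # Tell the browser to use https for this host from now on.
            hsts = ("Strict-Transport-Security", f"max-age={hsts_max_age}")
            return start_response(status, list(headers) + [hsts], exc_info)

        return app(environ, add_hsts)

    return wrapper


def hello_app(environ, start_response):
    """Trivial stand-in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def run_request(app, scheme, path="/", query=""):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"wsgi.url_scheme": scheme, "SCRIPT_NAME": "",
               "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    site = force_https(hello_app)
    print(run_request(site, "http", "/login", "next=%2Faccount"))
    print(run_request(site, "https", "/account"))
```

Behind a TLS-terminating proxy, `wsgi.url_scheme` must be set from a header that only the proxy can supply; otherwise every request looks like plain http and loops on the redirect.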
0

One of the differences between HTTP and HTTPS is that with HTTPS, you lose the ability to have intermediaries (caches, proxies, etc) between the client and server do anything useful with requests and responses because the content is encrypted. From a security point of view, this is a good thing because it prevents intermediaries from snooping or tampering with traffic. On the other hand, you reduce the opportunities for dealing with things like scalability, performance and evolvability.