0

Possible Duplicate:
Why not use HTTPS for everything?

I know the basic differences between HTTP and HTTPS that relate to secure HTTP communication.

I would like to know why some websites are served over both HTTP and HTTPS. In one of my earlier projects, the same website was served over port 8443 for HTTPS and port 80 for HTTP.

When I log in to the website, I see a URL starting with https://www.my.org.etc

After login, all other pages also appear with https://www...., not a single screen is served over http://www....

Then why do we configure the application to be served over HTTP at all? Can we just serve the application over HTTPS only?

Vicky
  • Sometimes it is for performance reasons, sometimes it is for client compatibility, and sometimes it is just to avoid the cost of an official (CA-signed) certificate... Often it is just that the content is not really security sensitive... More and more companies sniff HTTPS traffic and can read anything going through in cleartext (that is, any HTTPS communication from inside the company network) – Yahia Aug 19 '11 at 05:18
  • I understand the point you are making and the answer is I do not know why the application is served over HTTP at all in production. It could be that you want consistency between dev and prod and in dev you do not install SSL certs on your web servers but you do in prod. – Michael Mann Aug 19 '11 at 05:21

4 Answers

1

Mostly for performance reasons: SSL handshaking. I only use HTTPS when I absolutely need to. See the following:

HTTP vs HTTPS performance

bencobb
0

HTTPS has a little overhead compared with HTTP, which can make it slower.

Because of that, it used to be common practice for most websites to serve most pages over HTTP and serve only those pages that require security over HTTPS, for example a payment page or a personal data page.

Doing this works fine as long as all resources in the HTTPS page are served over an HTTPS connection. You may remember seeing on some websites that the browser alerts you that even though the page is secure, some elements of the page are not.

A common pitfall is serving CSS files or images over an HTTP connection.

Today lots of sites opt for serving the whole site over an HTTPS connection if security is a concern, disregarding the (very little) overhead of doing so.

theprogrammer
0

In our application, we serve everything over HTTPS by default.

But what if the user typed http://yourapp.yourdomain? In that case it is a bad idea to show them that the URL does not exist, so we redirect any HTTP requests to HTTPS.

This is because by default any request will be served over HTTP; that is the browser default if you do not specify a protocol. So if you do not redirect HTTP requests to your HTTPS app, you stand a chance of losing your audience.

Anubis05
0

HTTPS is important for any information you want encrypted over the wire. Not everything needs to be encrypted over the wire, and the additional overhead of the process of encryption and decryption may be overkill for your site.

If you have a page within your site that takes personal information such as credit card numbers, passwords, SSNs, etc., then this information should be encrypted. If you have other pages in your site that show images and text, i.e. read-only public information, then HTTPS would not be necessary.

Michael Mann