
What is the difference between HTTP and HTTPS headers?

  1. What are the benefits of using HTTPS over HTTP?
  2. What settings need to be done to make a website HTTPS?
  3. Can we use HTTPS only for login purposes and then HTTP onwards?
  4. Is there any threat present in HTTPS?
  5. Is the processing time required for HTTPS greater than for HTTP?
  6. Does HTTPS cost more than HTTP?
Somnath Muluk

2 Answers

  1. What are benefits of using HTTPS over HTTP?

HTTPS means that you tunnel the HTTP protocol over TLS/SSL which encrypts the HTTP payload. So the benefit is that HTTP requests and responses are transmitted securely over the wire, e.g. your Internet Service Provider does not know what you're doing.

  2. How to use HTTPS?

Enable it at your endpoint, in general a web server in front of your application server. Most web servers (e.g. IIS, Apache) support this by configuration. Depending on your confidentiality requirements this may not be enough.

  3. Can we use HTTPS only for login purposes and then HTTP onwards?

Technically this is possible, but it introduces some security risks. Example: after a secured login you transmit session IDs identifying the user. If you transmit those session IDs insecurely (no SSL), session hijacking becomes a risk ('man-in-the-middle').

  4. What settings need to be done to make a website HTTPS?

See #2. In public internet scenarios you should request (buy) a certificate from a certain Certificate Authority (CA), so that end user clients can verify whether they should trust your certificate.

  5. Is there any threat present in HTTPS?

In the protocol itself there is a slight risk of man-in-the-middle attacks. E.g. a proxy between the client and server could pretend to be the server itself (this requires a successful attack to network infrastructure, e.g. DNS). There are several other 'more obscure' risks that do not relate to the protocol itself, e.g.:

  • usage of an outdated encryption key length (e.g. 256 bit)
  • loss of private keys or inappropriate key management procedures (e.g. sent via unencrypted email)
  • certificate authority failure (just look at press releases in 2011)

  6. Is the processing time required for HTTPS greater than for HTTP?

Yes, key negotiation (handshaking) requires a lot of CPU capacity.

home
  • @Somnath Muluk: You first accepted this answer, then you rejected it. May I ask for the reason - just tell me what's missing? – home Dec 05 '11 at 16:37
  • Regarding point #5, requiring certificate verification is there precisely to protect against DNS spoofing (and other forms of impersonation). – Bruno Dec 05 '11 at 17:11
  • @Bruno: I do not understand your question, could you please provide further details? – home Dec 05 '11 at 17:24
  • Say you have a legitimate certificate for www.example.com, if an attacker attacks the DNS infrastructure of the client, they may redirect www.example.com to their own IP address, but they won't get a valid certificate for that host name (a CA recognised by the client shouldn't issue one to them, unless they've also attacked the CA). Therefore, the certificate validation (+host name verification) should fail. HTTPS (and SSL/TLS) does protect you against network infrastructure attacks (provided the PKI/CAs are used correctly). – Bruno Dec 05 '11 at 17:58
  • @Bruno: Of course, you're correct. Maybe I should have further elaborated that one. No question, the client OR the CA must have been attacked as well. – home Dec 06 '11 at 07:30
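The session-ID risk in point 3 of the answer above, as an added example that is not code from the original answer: a small Python audit of the Set-Cookie headers an HTTPS login response returns, flagging session cookies that a browser would also send on later plain-HTTP requests because they lack the Secure attribute. The header list, cookie names and values are constructed for this example.

```python
from http.cookies import SimpleCookie

# Cookie names common frameworks use for session identifiers (constructed
# list for this example; extend it for your own application).
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid",
                        "asp.net_sessionid", "connect.sid"}

def parse_set_cookie_headers(headers):
    """Parse every Set-Cookie header in a list of (name, value) pairs into a
    dict of cookie name -> Morsel; other headers are ignored."""
    cookies = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # one Set-Cookie header carries one cookie
        for cookie_name, morsel in jar.items():
            cookies[cookie_name] = morsel
    return cookies

def audit_cookies(headers):
    """Return {cookie_name: [problem, ...]}; an empty list means no finding."""
    report = {}
    for name, morsel in parse_set_cookie_headers(headers).items():
        problems = []
        # Without Secure the browser attaches the cookie to plain-HTTP
        # requests too, which is what makes it hijackable on the wire.
        if not morsel["secure"]:
            problems.append("no Secure flag: sent on plain-HTTP requests too")
        # HttpOnly keeps a session ID out of reach of page scripts.
        if name.lower() in SESSION_COOKIE_NAMES and not morsel["httponly"]:
            problems.append("no HttpOnly flag: readable by page scripts")
        report[name] = problems
    return report

def exposed_session_cookies(headers):
    """Session cookies a browser would send over plain HTTP: exactly the
    'HTTPS for login, then HTTP' scenario from the answer."""
    return sorted(name for name, m in parse_set_cookie_headers(headers).items()
                  if name.lower() in SESSION_COOKIE_NAMES and not m["secure"])

# Constructed sample: response headers as a login endpoint might send them.
SAMPLE_LOGIN_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=CONSTRUCTED-SESSION-VALUE; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("Set-Cookie", "csrftoken=CONSTRUCTED-TOKEN; Path=/; Secure; HttpOnly"),
]
```

Running audit_cookies(SAMPLE_LOGIN_HEADERS) reports JSESSIONID as lacking Secure, so that session would ride along on any later plain-HTTP request; exposed_session_cookies returns just that name.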
  1. HTTPS stands for HTTP secure and provides encryption.
  2. You normally delegate this task to your web server.
  3. Yes, it is possible.
  4. Depends on your web server; you should at least provide a certificate, and if your site is public you should probably buy it.
  5. HTTPS does not eliminate all threats, but doesn't add any of its own.
  6. Yes, it takes a bit more resources.
Michael Krelin - hacker