6

I have a site that works very well when everything is in HTTPS (authentication, web services etc). If I mix http and https it requires more coding (cross domain problems).

I don't seem to see many web sites that are entirely in HTTPS so I was wondering if it was a bad idea to go about it this way?

Edit: Site is to be hosted on Azure cloud where Bandwidth and CPU usage could be an issue...

EDIT 10 years later: The correct answer is now to use https only.

vidalsasoon

7 Answers

5

You lose a lot of features with https (mainly related to performance):

  • Proxies cannot cache pages
  • You cannot use a reverse proxy for performance improvement
  • You cannot host multiple domains on the same IP address
  • Obviously, the encryption consumes CPU

Maybe that's no problem for you though; it really depends on the requirements.

Bobby Jack
chris166
  • Web browser won't cache content either. – BacMan Jun 12 '09 at 15:26
  • 3
    You can use a reverse proxy with https, if the reverse proxy talks https to the client and plain http to the backend servers. – dave4420 Jun 12 '09 at 15:33
  • 4
    Web browsers DO cache HTTPS content. The caching behavior depends only on the Cache-control header. Usually, when HTTPS is used for transactions, banking etc, the Cache-control is set to 'no-cache' – chris166 Jun 12 '09 at 15:54
  • 1
    You can run reverse proxies talking https both ways too -- just need to be a bit fancy with dns and / or NAT to make it work. – Wyatt Barnett Feb 10 '14 at 03:05
4

HTTPS decreases server throughput so may be a bad idea if your hardware can't cope with it. You might find this post useful. This paper (academic) also discusses the overhead of HTTPS.

Community
RichardOD
  • 1
    The link to the academic paper is dead. Could you post a live one or just the title of the paper? Pretty please? – hannson Jun 20 '13 at 13:22
  • 1
    This is why I really love the WayBackMachine! https://web.archive.org/web/20100215150018/http://iweb.tntech.edu/hexb/publications/https-STAR-03122003.pdf – Hath1 Feb 18 '14 at 15:11
4

If you have HTTP requests coming from an HTTPS page you'll force the user to confirm the loading of unsecure data. Annoying on some websites I use.

Adrian Lynch
  • 1
    Just to expand on this a bit with an example: if you show images from another URL (e.g. a content or image server) that are themselves not encrypted (e.g. http://myimageserver.com/Image.jpg) then the browser will pop up a warning that some parts of the page are not encrypted. – Mark Brittingham Nov 03 '09 at 17:43
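The mixed-content case described in this answer and its comment can be caught before deployment by scanning a page's markup for subresources that would load over plain HTTP. This is an added example, not part of the original answers; `find_mixed_content`, the tag list and the sample page are assumptions made for illustration, with the image URL taken from the comment above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser fetch a subresource.
# Plain <a href> links are navigation, not subresources, so they are skipped.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("audio", "src"),
    ("video", "src"), ("source", "src"), ("embed", "src"), ("object", "data"),
}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> types that fetch a file


class MixedContentFinder(HTMLParser):
    """Collect subresource URLs that would load over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        candidates = [attrs.get(a) for (t, a) in SUBRESOURCE_ATTRS if t == tag]
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and rels & LINK_RELS:
            candidates.append(attrs.get("href"))
        for raw in candidates:
            if not raw:
                continue
            # Relative and protocol-relative (//host/x) URLs inherit the
            # page's scheme, so on an HTTPS page they are not mixed content.
            resolved = urljoin(self.page_url, raw.strip())
            if urlsplit(resolved).scheme == "http":
                self.findings.append((tag, resolved))


def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; only the two absolute http:// subresources are flagged.
SAMPLE_HTML = """<link rel="stylesheet" href="/css/site.css">
<script src="//cdn.example.com/app.js"></script>
<img src="http://myimageserver.com/Image.jpg">
<script src="http://static.example.com/legacy.js"></script>
<a href="http://example.org/">plain link, not a subresource</a>"""
```
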
3

It is a good idea to use all-HTTPS - or at least provide knowledgeable users with the option for all-HTTPS.

If there are certain cases where HTTPS is completely useless and in those cases you find that performance is degraded, only then would you default to or permit non-HTTPS.

yfeldblum
3

This question and especially the answers are OBSOLETE. This question should be tagged: <meta name="robots" content="noindex"> so that it no longer appears in search results.

To make THIS answer relevant:

  1. Google is now penalizing website search rankings when they fail to use TLS/https. You will ALSO be penalized in rankings for duplicate content, so be careful to serve a page EITHER as http OR https BUT NEVER BOTH (Or use accurate canonical tags!)

  2. Google is also aggressively indicating insecure connections which has a negative impact on conversions by frightening-off would-be users.

  3. This is in pursuit of a TLS-only web/internet, which is a GOOD thing. TLS is not just about keeping your passwords secure — it's about keeping your entire world-facing environment secure and authentic.

  4. The "performance penalty" myth is really just based on antiquated obsolete technology. This is a comparison that shows TLS being faster than HTTP (however it should be noted that page is also a comparison of encrypted HTTP/2 HTTPS vs Plaintext HTTP/1.1).

  5. It is fairly easy and free to implement using LetsEncrypt if you don't already have a certificate in place.

  6. If you DO have a certificate, then batten down the hatches and use HTTPS everywhere.

TL;DR, here in 2019 it is ideal to use TLS site-wide, and advisable to use HTTP/2 as well.

</soapbox>
Myndex
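One way to serve each page over HTTPS only, as point 1 of this answer asks, while still working behind the TLS-terminating reverse proxy described in an earlier comment (HTTPS to the client, plain HTTP to the backend). This is an added example, not code from the original answers; the WSGI setup, the proxy address in `TRUSTED_PROXIES` and the use of the `X-Forwarded-Proto` header are assumptions about the deployment.

```python
from wsgiref.util import request_uri

# Assumption: address of the TLS-terminating reverse proxy in front of the app.
TRUSTED_PROXIES = {"10.0.0.5"}


def client_used_https(environ):
    """True if the browser-facing hop of this request was HTTPS."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    # Behind a TLS-terminating proxy the backend hop is plain HTTP, so a
    # naive scheme check would redirect forever. Believe X-Forwarded-Proto
    # only when the peer is the known proxy; otherwise any client could
    # send the header itself and stay on plain HTTP.
    if environ.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def https_only(app):
    """WSGI middleware: every page has one HTTPS URL, never both schemes."""
    def middleware(environ, start_response):
        if client_used_https(environ):
            return app(environ, start_response)
        # Rebuild the requested URL with the scheme swapped. A permanent
        # redirect tells browsers and crawlers the HTTPS URL is the only one.
        target = "https://" + request_uri(environ).split("://", 1)[1]
        start_response("301 Moved Permanently",
                       [("Location", target), ("Content-Length", "0")])
        return [b""]
    return middleware
```
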
3

If you've no side effects then you are probably okay for now and might be happy not to create work where it is not needed.

However, there is little reason to encrypt all your traffic. Certainly login credentials or other sensitive data do. One of the main things you would be losing out on is downstream caching. Your servers, the intermediate ISPs and users cannot cache the https. This may not be completely relevant as it reads that you are only providing services. However, it completely depends on your setup and whether there is opportunity for caching and if performance is an issue at all.

dove
  • Thanks, didn't know about the caching. Caching could be very important for me on my main page as there will be binary data loaded from the service. – vidalsasoon Jun 12 '09 at 15:38
1

I hate running into pointlessly all-https sites that handle nothing that really requires encryption. Mainly because they all seem to be 10x slower than every other site I visit. Like most of the documentation pages on developer.mozilla.org will force you to view it with https, for no reason whatsoever, and it always takes long to load.

David