发表新帖
发表新帖

Why not use HTTPS for everything?

后端 未结
关注
15 1069
予麋鹿
予麋鹿 2020-12-02 07:54

If I was setting up a server, and had the SSL certificate(s), why wouldn\'t I use HTTPS for the entire site instead of just for purchases/logins? I would think it would make

相关标签:
15条回答
  • 不要未来只要你来
    2020-12-02 08:55

    You should use HTTPS everywhere, but you will lose the following:

    1. You should definitely not use SSL Compression or HTTP Compression over SSL, due to BREACH and CRIME attacks. So no compression if your response contains session or csrf identifiers. You can mitigate this by putting your static resources (images, js, css) on a cookie-less domain, and use compression there. You can also use HTML minification.

    2. One SSL cert, one IP address, unless using SNI, which doesn't work on all browsers (old android, blackberry 6, etc).

    3. You shouldn't host any external content on your pages that don't come over SSL.

    4. You lose the outbound HTTP Referer header when browser goes to an HTTP page, which may or may not be a problem for you.

    0 讨论(0)
  • 独厮守ぢ
    2020-12-02 08:58

    I can think of a couple reasons.

    • Some browsers may not support SSL.
    • SSL may decrease performance somewhat. If users are downloading large, public files, there may be a system burden to encrypt these each time.
    0 讨论(0)
  • 逝去的感伤
    2020-12-02 08:58

    In addition to the other reasons (especially performance related) you can only host a single domain per IP address* when using HTTPS.

    A single server can support multiple domains in HTTP because the Server HTTP header lets the server know which domain to respond with.

    With HTTPS, the server must offer its certificate to the client during the initial TLS handshake (which is before HTTP starts). This means that the Server header hasn't been sent yet so there is no way for the server to know which domain is being requested and which certificate (www.foo.com, or www.bar.com) to respond with.

    *Footnote: Technically, you can host multiple domains if you host them on different ports, but that is generally not an option. You can also host multiple domains if your SSL certificate is has a wild-card. For example, you could host both foo.example.com and bar.example.com with the certificate * .example.com

    0 讨论(0)
 看不清?
提交回复
热议问题