What are the pros and cons of a 100% HTTPS site?

星月不相逢 2020-12-30 04:12

First, let me admit that what I know about HTTPS is pretty rudimentary. I don't know much about session security, encryption, or how either of those things is supposed to b

7 answers
  • 2020-12-30 04:23

    You've been misinformed. The css, js, and image files need not be duplicated assuming you've set up the http and https mapping to point to the same physical website on the server. The only important thing is that these files are referenced with https when the page you're looking at is also under https. This will prevent the dreaded security message that says that some objects on the page are not secured.

    For every other page where you're running the site under http (unsecured) you can reference those same files in the same locations, but with an http address.

    To answer your other question, there would indeed be a performance penalty to put the entire site under https. The server has to work hard to encrypt everything it sends over the wire. And then some not-so-old browsers won't cache https content to disk by default, which of course will result in an even heavier load on the server.

    Because I like my sites to be as responsive as possible, I'm always selective about which sections of a site I choose to be SSL-encrypted. In most typical e-commerce sites, the only pages that need SSL encryption are the login, registration, and checkout pages.

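Added example (not part of the original answer): a Python check for the references that trigger the "not secured" warning described in the answer above. The host `shop.example` and the sample markup are constructed. Relative and protocol-relative references inherit the page's scheme, so the same files serve both http and https pages and only hard-coded `http://` URLs are reported.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that makes the browser fetch a subresource, per tag.
FETCHING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class SubresourceCollector(HTMLParser):
    """Collect (tag, reference) pairs for css, js, image and frame references."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCHING_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def mixed_content(page_url, html):
    """Return (tag, absolute URL) for http:// subresources on an https page."""
    if urlsplit(page_url).scheme != "https":
        return []  # an http page may reference http files without a warning
    collector = SubresourceCollector()
    collector.feed(html)
    found = []
    for tag, ref in collector.refs:
        absolute = urljoin(page_url, ref)  # resolves "/path" and "//host/path"
        if urlsplit(absolute).scheme == "http":
            found.append((tag, absolute))
    return found


# Constructed sample page: one file set, referenced four different ways.
SAMPLE_HTML = """
<link rel="stylesheet" href="/css/site.css">
<script src="//static.shop.example/js/app.js"></script>
<img src="http://shop.example/img/logo.png">
<script src="https://shop.example/js/cart.js"></script>
"""

if __name__ == "__main__":
    for tag, url in mixed_content("https://shop.example/checkout", SAMPLE_HTML):
        print(f"insecure <{tag}> reference: {url}")
```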
  • 2020-12-30 04:36

    You can serve the same content via HTTPS as you do via HTTP (just point it to the same document root).

    Cons that may be major or minor, depending:

    1. serving content over HTTPS is slower than serving it via HTTP.
    2. certificates signed by well-known authorities can be expensive
    3. if you don't have a certificate signed by a trusted authority (e.g., you sign it yourself), visitors will get a warning

    Those are pretty basic, but just a few things to note. Also, personally, I feel much better seeing that the entire site is HTTPS if it's anything related to financial stuff, obviously, but as far as general browsing, no, I don't care.

  • 2020-12-30 04:37

    The traditional reason for not having the entire site behind SSL is processing time. It does take more work for both the client and the server to use SSL. However, this overhead is fairly small compared to modern processors.

    If you are running a very large site, you may need to scale slightly faster if you are encrypting everything.

    You also need to buy a certificate, or use a self signed one which may not be trusted by your users.

    You also need a dedicated IP address. If you are on a shared hosting system, you need to have an IP that you can dedicate to only having SSL on your site.

    But if you can afford a certificate and private IP and don't mind needing a slightly faster server, using SSL on your entire site is a great idea.

    With the number of attacks that SSL mitigates, I would say do it.

  • 2020-12-30 04:40

    One of the concerns is that https traffic could be blocked. For example, on Apple computers, if you turn parental controls on, it blocks https traffic because it can't read the encrypted content. You can read about it here:

    http://support.apple.com/kb/ht2900

    https note: For websites that use SSL encryption (the URL will usually begin with https), the Internet content filter is unable to examine the encrypted content of the page. For this reason, encrypted websites must be explicitly allowed using the Always Allow list. Encrypted websites that are not on the Always Allow list will be blocked by the automatic Internet content filter.

  • 2020-12-30 04:40

    An important "pro" for more https at your site is the following:

    A user connecting through an unencrypted WiFi, like at an airport, can give their password in https, but if the site then switches back to http after the password page, the session cookie becomes exposed and can be immediately used by an eavesdropper.

    See this article http://steve.grc.com/2010/10/28/why-firesheeps-time-has-come/#comment-2666

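Added example (not part of the original answer): a Python audit of the `Set-Cookie` headers from an HTTPS login response, listing the cookies a browser would still attach once the site drops back to http. The header values and the host `shop.example` are constructed, and only the `Secure` attribute is modelled (domain and path matching are ignored).

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookies_sent(jar, url):
    """Names of the cookies attached to a request for url.

    A cookie marked Secure is only sent over https; every other cookie
    is sent on http requests too, in clear text.
    """
    is_https = urlsplit(url).scheme == "https"
    return [name for name, _, attrs in jar if is_https or "secure" not in attrs]


def exposed_on_http(set_cookie_headers, http_url="http://shop.example/catalog"):
    """Cookies from an https response that leak on a later http page load."""
    jar = [parse_set_cookie(h) for h in set_cookie_headers]
    return cookies_sent(jar, http_url)


# Constructed sample: headers returned by the https login page.
LOGIN_RESPONSE_COOKIES = [
    "session=4f2a9c; Path=/; HttpOnly",   # session cookie without Secure
    "csrf=91bd07; Path=/; Secure",        # stays on https only
    "theme=dark; Path=/",                 # harmless, but also sent in clear
]

if __name__ == "__main__":
    for name in exposed_on_http(LOGIN_RESPONSE_COOKIES):
        print(f"cookie '{name}' is sent over plain http")
```

Setting `Secure` on the session cookie keeps it off http requests, which only helps if every page that needs the session is served over https.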
  • 2020-12-30 04:43

    You do not need multiple copies of these files for them to work with HTTPs. You may need to have 2 copies of these files if the hosting setup has been configured such that you have a separate https directory. So to answer your question: no, duplicate files are not required for HTTPs, but depending on the web hosting configuration, they may be.

    In regards to the pros and cons of https vs http, there are already a few posts addressing that: "HTTP vs HTTPS performance" and "HTTPS vs HTTP speed comparison".

    HTTPs only encrypts the data between the client computer and the server. It does not fix software holes or issues such as remote javascript includes. HTTPs doesn't make your application better - it only helps secure the data between the user and your app. You need to make sure your app has no security holes, practice filtering all data, SQL, and review security logs frequently.

    However, if you're only responsible for the frontend part of the site, I wouldn't worry about it, but would bring up concerns of security with the main developer for the backend.
