 BenPremium join:2007-06-17 Glen Carbon, IL | Any reason NOT to use HTTPS/SSL at all times? This is something that occurred to me. Many web sites, indeed most don't use HTTPS/SSL. Then the remaining web sites only use HTTPS/SSL in a few circumstances (i.e. a quasi-public customer portal where one could say, view their bank account information or pay a bill on a web site). Some web sites, such as my bank's site, only use HTTPS/SSL for the entire web site.
If I understand correctly, establishing an HTTPS connection does require the CPU(s) on the web server to do a little more work to set up the connection, but how much of an impact does that really have? Perhaps the timeout values (how long the connection remains idle before it's dismantled) could be adjusted a little longer to reduce the number of setups.
There's also the argument that web servers, as well as PCs in general keep getting more powerful, though this may be mitigated by the fact that VMs are more popular.
I do have experience setting up and administering web sites, although I've never had to manage one that had a large amount of traffic. I also offer SSL support for any Internet service I've provided, though perhaps the performance impact is negligible because of the low traffic. I've even been tempted to simply remove the ability to connect without the use of SSL.
So I suppose my question is, why isn't the use of HTTPS/SSL more widespread? Is it the performance impact on larger web sites? The cost of the SSL certificate? Something else? |
 cdruGo ColtsPremium,MVM join:2003-05-14 Fort Wayne, IN kudos:7 | SSL adds overhead, both in computer resources as well as latency. For most sites it probably wouldn't be noticeable but for very high traffic sites there could be a noticeable impact. There is hardware that can offload the SSL from the server, but it's not practical for smaller sites.
Switching everything to SSL requires an SSL certificate, which specifies the domain name. This can make using a CDN or 3rd party hosted content display a browser warning if you mix secure and unsecured content.
Speaking of domain names, if your site is structured to be accessible via domainname.com and www.domainname.com, you'd need a cert for both of those or redirect all traffic to a common hostname. But if you have images.domainname.com, some-specific-subsite.domainname.com you'd need one for those too. A wild card cert could be used, but it could get expensive the more secure sites you need. |
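The hostname coverage point above is easy to get wrong in practice, so here is an added checker (my example, not code from the thread or from any CA) that matches a list of hostnames against the names a certificate carries, using the wildcard rules browsers apply: a `*` is only honoured as the whole left-most label and matches exactly one label, so `*.domainname.com` covers `images.domainname.com` but neither the bare `domainname.com` nor `a.b.domainname.com`. The certificate name lists and hostnames are constructed for illustration.

```python
from typing import Iterable, List

def name_matches(cert_name: str, hostname: str) -> bool:
    """Match one certificate name (CN/SAN entry) against a hostname.

    Rules approximate RFC 6125 and browser behaviour:
    - comparison is case-insensitive and ignores a trailing dot
    - '*' is only accepted as the entire left-most label
    - '*' matches exactly one label, never zero or several
    - a wildcard needs at least two labels after it ('*.com' is refused)
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    c_labels = cert_name.split(".")
    h_labels = hostname.split(".")
    # Refuse partial wildcards ('w*.example') and wildcards in other labels.
    if c_labels[0] != "*" or any("*" in lbl for lbl in c_labels[1:]):
        return False
    if len(c_labels) < 3:
        return False
    # One label for the '*', then every remaining label must be identical.
    return len(c_labels) == len(h_labels) and c_labels[1:] == h_labels[1:]

def covers(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any name on the certificate is valid for this hostname."""
    return any(name_matches(n, hostname) for n in cert_names)

def uncovered_hosts(cert_names: Iterable[str], hostnames: Iterable[str]) -> List[str]:
    """Return the hostnames that would trigger a name-mismatch warning."""
    names = list(cert_names)
    return [h for h in hostnames if not covers(names, h)]

# Constructed sample: the hostnames mentioned in the thread.
SITE_HOSTS = [
    "domainname.com",
    "www.domainname.com",
    "images.domainname.com",
    "some-specific-subsite.domainname.com",
]

# A two-name certificate (apex + www) and a wildcard certificate.
TWO_NAME_CERT = ["domainname.com", "www.domainname.com"]
WILDCARD_CERT = ["*.domainname.com"]

if __name__ == "__main__":
    print("two-name cert leaves uncovered:", uncovered_hosts(TWO_NAME_CERT, SITE_HOSTS))
    print("wildcard cert leaves uncovered:", uncovered_hosts(WILDCARD_CERT, SITE_HOSTS))
```

Running it shows the two gaps the post describes: the apex+www certificate leaves the image and sub-site hosts uncovered, and the wildcard certificate covers those but not the bare apex, so a site that wants everything on one certificate needs either the apex added as an extra SAN or a redirect to a single hostname.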
 SteveI know your IP addressConsultant join:2001-03-10 Yorba Linda, CA kudos:5 | reply to Ben Use of SSL essentially disables the ability to vhost multiple unrelated websites behind the same IP address. |
 cdruGo ColtsPremium,MVM join:2003-05-14 Fort Wayne, IN kudos:7 | reply to Ben Also forgot that content that is sent over https possibly wouldn't be cached either locally or through proxies. Not a deal breaker, but still a disadvantage. |
 yaplejPremium join:2001-02-10 White City, OR | reply to Ben And sending all traffic through HTTPS also negates any IDS/IPS that they might have implemented so lots of sites explicitly limit where HTTPS can be used. So an attacker cannot force HTTPS and bypass the IDS/IPS sensors. |
 BenPremium join:2007-06-17 Glen Carbon, IL | reply to Ben Interesting responses.
The data not being cached might be an advantage for some web sites, though I could see how that probably wouldn't help most sites.
I also forgot about the VHost thing, which I've traditionally disliked since it means if there's a DNS problem, then the web site goes down. But how many web sites are hosted under such an arrangement?
If I wanted to purchase hosting services, I'd probably look for a low priced VPS plan with at least one IP, for maximum flexibility. It would probably be unmanaged, but I can handle that. |
 cdruGo ColtsPremium,MVM join:2003-05-14 Fort Wayne, IN kudos:7 | said by Ben: But how many web sites are hosted under such an arrangement? Millions. I would actually venture a guess that there are more sites that are on a shared host than with a dedicated IP. In theory, with a reverse proxy or load balancer, a hosting provider like GoDaddy could host every shared site with a single IP address. |
 JAAuldeWeb DeveloperPremium,MVM join:2001-05-09 Williamsport, MD kudos:3 | reply to Ben Don't forget the SSL Certificate costs money to obtain and maintain. |