I was reading about HTTP/HTTPS performance and found out HTTPS adds a considerable overhead because of the encryption process. I was wondering, is it a good idea (and is it possible) to load non sensitive content (such as public images, scripts, stylesheets and so on) via HTTP to avoid the additional overhead.
I read about this on the internet but couldn't find much. I tried to load an image on an HTTPS website from an HTTP server and found out the requested URL is HTTPS although I used http in the src. So is there a way to do it?
Most importantly, is this secure? Thanks.
No, this is a bad idea, as this is not secure. We call that Mixed Content:
HTTP is not secure. Use HTTPS everywhere.
Using HTTP instead of HTTPS exactly means the connection is not secure. One of the problems you'll face is that most browsers will give a warning if a securely-delivered page contains insecure elements.
The overhead of encryption is reduced by pipelining requests, which is possible with HTTPS but not HTTP, so from the end user's perspective you would typically not expect a large hit on the average web page.
No, because mixing HTTP and HTTPS is considered a security risk to the extent that most modern browsers will block HTTP content from being loaded into a page loaded via HTTPS.
The simple version of the problem is that the browser can't verify that HTTP content hasn't been modified by an attacker while in transit.
HTTP pipelining should help to alleviate this problem by routing multiple requests down the same connection. This is because the HTTPS overhead is all in the setting up of the connection.
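The mixed-content problem described in the answers above, as an added example that is not part of any answer on this page: a small Python scanner that lists the subresources an HTTPS page would fetch over plain HTTP, which is what the browser warns about or blocks. The sample page, its URL and the hostnames in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose referenced resource is fetched as part of rendering the page.
# An <a href> is navigation, not a subresource, so it is not mixed content.
SUBRESOURCE_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src",),
    "source": ("src",),
}


class MixedContentScanner(HTMLParser):
    """Collect the subresource URLs an HTTPS page would fetch over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            value = dict(attrs).get(name)
            if not value:
                continue
            # Resolve relative ("/x.png") and protocol-relative ("//cdn/x.js")
            # references against the page URL, as the browser does; both
            # inherit the page's scheme and therefore are not mixed content.
            resolved = urljoin(self.page_url, value)
            if urlsplit(resolved).scheme == "http":
                self.findings.append((tag, resolved))


def find_mixed_content(page_url, html):
    """Return [(tag, absolute_url)] for every subresource loaded over HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a page that is itself secure
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page, assumed to be served at https://example.test/
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="http://cdn.example.test/site.css">
  <script src="//cdn.example.test/app.js"></script>
</head><body>
  <img src="http://static.example.test/logo.png">
  <img src="/images/local.png">
  <a href="http://partner.example.test/">partner</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://example.test/", SAMPLE_HTML):
        print(f"mixed content: <{tag}> loads {url}")
```

Only the stylesheet and the first image are reported: the script uses a protocol-relative reference and the second image a relative one, so both are fetched over HTTPS, and the anchor is a link the user may follow rather than a resource the page loads.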
Another issue with sideloading, say, static content over HTTP while the rest of the connection is HTTPS is that HSTS (HTTP Strict Transport Security) was designed to explicitly forbid it, as otherwise an attacker might show you a fake version of a site using HTTP and you'd be none the wiser.
HSTS works by telling the web browser that a specific site uses HTTPS, and only HTTPS, and to cache this result for a specific time (usually 6 months or something). This way, the browser will not accept connections to the same domain using HTTP during this cached time. Additionally, a domain owner might publish their domain to the HSTS preload list included in browsers, which essentially means that the change is permanent. HSTS-enabled sites are also forbidden from linking to content over HTTP, so browsers will refuse to fetch non-secure content.
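The HSTS behaviour described above, as an added example that is not part of this answer: a Python model of the browser side, which parses the Strict-Transport-Security header, keeps a cache of hosts with an expiry, consults a preload list, and rewrites http:// URLs for covered hosts to https://. The hostnames, the preload entry and the fixed clock are constructed for the example; the header directives (max-age, includeSubDomains, preload) are the real ones.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into its directives.

    Returns {"max_age": int, "include_subdomains": bool, "preload": bool}, or
    None when the header is malformed (no usable max-age), in which case a
    browser ignores it.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result if result["max_age"] is not None else None


class HstsCache:
    """Minimal model of a browser's HSTS store plus a static preload list."""

    def __init__(self, preload_hosts=(), now=time.time):
        self.now = now
        self.entries = {}  # host -> (expires_at, include_subdomains)
        # Preloaded hosts ship with the browser and never expire; the preload
        # list requires includeSubDomains, so they are treated as covering
        # subdomains here.
        self.preloaded = {h.lower() for h in preload_hosts}

    def observe_response(self, host, header_value, over_https=True):
        """Record a policy. Browsers ignore the header when it arrives over HTTP."""
        if not over_https:
            return
        policy = parse_hsts(header_value)
        if policy is None:
            return
        host = host.lower()
        if policy["max_age"] == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the host
            return
        self.entries[host] = (self.now() + policy["max_age"], policy["include_subdomains"])

    def is_known_https(self, host):
        """True when the host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:
                return True
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= self.now():
                continue  # cached period has elapsed
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// when its host is known to be HSTS."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_https(parts.hostname or ""):
            return url
        # An explicit port 80 becomes 443; any other explicit port is preserved.
        netloc = f"{parts.hostname}:443" if parts.port == 80 else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache(preload_hosts=["preloaded.example"], now=lambda: 1_000_000.0)
    cache.observe_response("www.example.test", "max-age=15552000; includeSubDomains")
    cache.observe_response("plain.example.test", "max-age=31536000", over_https=False)
    for u in ("http://www.example.test/logo.png",
              "http://cdn.www.example.test/app.js",
              "http://plain.example.test/",
              "http://sub.preloaded.example/"):
        print(u, "->", cache.rewrite(u))
```

The run shows the effect on the question's scenario: once the browser has seen the policy for www.example.test over HTTPS, an image referenced with an http:// URL on that host (or, with includeSubDomains, on any host below it) is requested over HTTPS regardless of what the page's src says, while a host whose header was only ever seen over plain HTTP gets no such treatment.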