Home / server / Questions / 108345
Accepted
zero_r
Asked: 2010-02-02 07:31:10 +0800 CST

Recommendation: Company website forced to https?

  • 772

My company wants their "informational" website to be rewritten from HTTP to HTTPS. Technically this is not a big deal for me. But i have doubts if this is state-of-the-art since the only reason they want this, is to encrypt contact and sign up forms. (I could enable HTTPS for site with forms, however, they don't like that approach.)

What are the disadvantages and downturns of having an HTTPS only company website? What is your experience and recommendation?

Webapplications are running on another URL and are encrypted.

Regards

website rewrite https

9 Answers

  1. If the website is accessible from anyone anyway there is no real point in HTTPS besides enabling it for the forms, since anyone can read the page anyway. On the other hand the impact HTTPS has on the Server is really low, especially if you are running some dynamic page anyway which is going to make the impact HTTPS has really unnoticeable. My recommendation would be just turning it on in the Web server, because there is nothing to rewrite really, if you ever get to a Situation where your server is going to need this little performance which is taken away by HTTPS you could turn it off, but you probably won't solve your performance issues doing it if there are any.

    So in short just keep yourself from the hassle fighting about something like this and just turn it on ;)

    • 5
  2. Best Answer

    We run a few of our websites on HTTPS only, at request of company administrators who wanted to give out a "We take your privacy really really seriously" message, and apart from the need for a dedicated IP address for each site, we've never noticed any drain on our servers.

    These are all low-traffic sites, maybe 1000-5000 hits a day, mostly from return visitors.

    With HTTPS, you may also loose:

    • Client-side caching (Caching HTTPS is usually considered a no-no, but if you explicitly specify an expires header some browsers will still cache it)
    • Fast load times for dialup/high latency users (the HTTPS handshake is negligable for broadband, but quite noticable for dialup or people in Thailand)

    If these things don't worry you (they didn't to our users or companies) then I say go for it - no point in arguing!

    • 4

  3. HTTPS is slightly slower and slightly more processor intensive.

    HTTP can be read by any schmuck with a packet sniffer.

    • 2

  4. Advantages to using SSL:

    • Sensitive information is not sent in the clear

    Disadvantages to using SSL:

    • Certificates and processes for renewal costs time and money.
    • If you mess up the certificate, you are going to look silly in a very public way.
    • CPU usage increases, making your website load slower. Measure the difference.
    • Browsers don't cache objects fetched over https, so your bandwidth use will increase and visitors will experience your site as being slower, because each object is fetched over the network. Estimate increased bandwidth usage based on current traffic usage.

    Don't use mod_rewrite for this. Use http 301 or 302 redirects.

    • 2

  5. You will need to remember to buy and renew SSL certificates from a globally recognized root certificate provider. If you forget to renew, there goes your whole site with an error message.

    • 1

  6. Encrypting only form submission protects against casual snooping, but a man in the middle would simply rewrite form submission to go to a plain http url. If the forms are important, the form submission page should be https as well and the form users should be given a short https url to type and bookmark. If your entire site redirects to https pages, you'll get indexed in https and users won't have to rely on typing anymore.

    It's a question of what threat model you want to defend against, at the cost of certificates and a bit of cpu.

    • 1

  7. I find it interesting that just about every site I visit uses HTTPS where security is required and HTTP elsewhere. I expect that is because of the overheads imposed by HTTPS, as others have already mentioned.

    • 1

  8. See my answer on a question. While that original question was regarding JBoss and AJP the answer included a mod_rewrite ruleset that redirects non-HTTPS traffic to HTTPS.

    • 0

  9. HTTPS will slow your web site down, but not for the reasons that others have suggested. It will not "suck your CPU", rather it just increases latency by adding SSL handshakes to the TCP handshakes for each connection. This can cause performance to drop a great deal in situations where many connections are required to load the page (e.g. lots of images etc) especially if you've got HTTP keepalives off.

    Having the entire site on HTTPS certainly makes development easier - the whole site on HTTPS means your devs don't need to worry about which bits need to be HTTP and HTTPS, and which pages need to switch from one to another, and composing absolute links to those etc.

    Previously I've worked on e-commerce sites which used a mixture and it gets pretty hairy trying to switch from secure / non-secure at the appropriate pages, particularly if your site layout and navigation is complicated and reused from one page to another (which it usually is in most sites)

    See paypal.com for an example of someone who chose to just put their entire site HTTPS. But I notice that banks rarely do it.

    • 0