Making all my methods require https a good idea?

Question

I am using asp.net web api and I am using basic auth to authorize my users. I require HTTPS on all the calls that require authorization, but for all the calls that I do not require authorization (i.e. register) should i just do them in https as well for consistency ? Is there anything like performance gains etc. that could result if I dont use https for these calls.

Answer 1

Based on your tags I'm going to assume that there is probably some AJAX going on here. If that is indeed the case you are going to be MUCH better off sticking to a single access scheme. Doing otherwise will introduce cross-browser compatibility issues and potentially introduce security vulnerabilities.

Unless you are doing something like transferring large media files/streams the modest performance gains are probably not even worth considering.

Note: that potential vulnerabilities extend beyond the obvious case where you send sensitive data over an insecure connection. see https://developer.mozilla.org/en-US/docs/Security/MixedContent for example.

Answer 2

Http gives more performance as the encryption in https increases the size of request and response and extra processing is required for encryption and decryption. Today machines are very fast to handler the https over head without any noteable performance degradation. The security is more important then little performance gain, if you have to pass user name / pass in registration then it can be a breach to security.

Answer 3

The overhead for HTTPS these days is trivial for most systems (see How much overhead does SSL impose?). I'm a fan of HTTPS all over the place, since it's more secure end to end and costs almost nothing to implement, but your mileage may vary. If you're that concerned about the performance impact it may have, implement it and then profile your app and see what the difference is