Reputation: 4896
Are there any advantages to using HTTP over HTTPS?
I am managing a web application that dynamically flips between http and https depending on the page. I want to get rid a ton of extra code used to flip between http and https but I want to understand any implications before I continue.
Is there any advantage to serving part of a site using http over https?
Upvotes: 9
Views: 10151
Answers (4)
Reputation: 1
One of the differences between HTTP and HTTPS is that with HTTPS, you loose the ability to have intermediaries (caches, proxies, etc) between the client and server do anything useful with requests and responses because the content is encrypted. From a security point of view, this is a good thing because it prevents intermediaries from snooping or tampering with traffic. On the other hand, you reduce the opportunities for dealing with things like scalability, performance and evolvability.
Upvotes: 0
Reputation: 54074
Using http is faster than https obviously since you do not have the ssl handshake overhead during connection establishment or the extra encryption/decryption delay.
If you only need parts of your web site to be secure e.g. just encrypt the login credentials, then it makes sense to have the code for the redirection so that the interaction after that is faster due to plain-text http.
If there are many areas of your site that need to be secure, then you could make measurements using https completely and see if the performance is significantly affected.
If you see no significant performance issues (or the performance is acceptable), then you could simplify your software design and remove the redirection logic between http<->https and use https everywhere.
Upvotes: 3
Reputation: 477020
HTTP is not a secure protocol and anyone can intercept the transmitted data in cleartext (e.g. session cookies, passwords, credit card numbers, sexual fetishes). If you can, you should provide consistent HTTPS service throughout.
That said, by the design of the public/private key security, you can only use HTTPS on a server where you have complete and sole control over the IP address, since the client first looks up the IP address, then requests the secure protocol, and only then makes the HTTP query. That means that you cannot deploy HTTPS on virtual hosts (shared hosting).
(Since you already have a partial HTTPS solution, I imagine that's not a problem for you, though.)
The other downside is that the secure handshake and later encryption require computing resources, so that if you have bazillions of connections, you may feel quite a hit on your server performance. That's for you to consider, though.
Short form: If you have a dedicated IP address and enough computing resources, always and exclusively use HTTPS.
Upvotes: 3
Reputation: 2027
Of course there is some performance drop when using https, but it is not significant unless you have an extremely busy server. See
Upvotes: 7
Related Questions
- HTTP vs HTTPS performance
- Is there a reason to use HTTP vs HTTPS for a simple site with no inputs?
- Converting http to https; is it a must in order to be secured?
- Is there any difference between SSL HTTP and HTTPS?
- What's the advantage of protocol-less urls over https by default?
- Why should we use HTTPS?
- Difference between http and https technique
- Why HTTP is far more used than HTTPS?
- HTTPS instead of HTTP?
- What is the overhead of using HTTPS compared to HTTP?