HTTPS - Always active?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

xtk
Forum Newbie
Posts: 10
Joined: Sat Aug 01, 2009 4:28 pm

HTTPS - Always active?

Post by xtk »

Hey so, I am relatively new to web servers (and their security), so I figured I'd get a working HTTPS connection (my browser shows 128-bit encryption) that apparently encrypts all data passed through it (also I have an SSL certificate applied to my domain and IP address, and the browser shows no errors (I see the golden padlock)).

Hooray! It looks real great 'n' dandy 'n' all, but are there any drawbacks to using this?

RewriteEngine On
# Redirect any request that did not arrive over HTTPS to the same host and path over HTTPS.
# R=301 sends a permanent redirect (mod_rewrite would default to 302); L stops further rule processing.
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

This code in .htaccess forces the server to apply it to the directory.

IF I were to set it in my root directory (thus applying HTTPS to my entire site), would I run into problems? Or is it best to just use it when the function calls for security?

Personally I enjoy the look of having the padlock (and in most browsers, the altered address bar color), so I would rather have HTTPS active all the time.

Lastly, maybe someone could answer these related questions:

- Does my data pass in transit through the company I got my SSL certificate from? (I am NOT using a temporary key)

- Will this cause data flow to be slower?

- IS HTTPS / SSL actually secure, or do I need another layer? In other words, would HTTPS suffice?

Any advice would be most helpful :)

Regards
arjan.top
Forum Contributor
Posts: 305
Joined: Sun Oct 14, 2007 4:36 am
Location: Hoče, Slovenia

Re: HTTPS - Always active?

Post by arjan.top »

SSL does protect from MITM attacks; you can expect a performance drop (I can't give you numbers, test it on your server).
swhistlesoft
Forum Newbie
Posts: 9
Joined: Fri Aug 14, 2009 10:53 pm
Location: Ontario

Re: HTTPS - Always active?

Post by swhistlesoft »

You will definitely have a performance drop because by encrypting all the data at 128-bit you are actually increasing the size and amount of data. There is a reason why most sites only use HTTPS for secure and sensitive data transfer.

Nothing is 100% secure; however, because you are using 128-bit encryption (and you could possibly use 256-bit encryption), it would take a lot of processing power and time to break the encryption. Unless you are securing where Jimmy Hoffa is buried, or the blueprints to the Death Star, I highly doubt anybody with the knowledge and means will make the required attempts to break the encryption. :D

Personally, I would only use HTTPS for secure portions of your site.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: HTTPS - Always active?

Post by kaisellgren »

Security is not just having SSL enabled on your server. Security is a vast and ever-growing subject. SSL prevents Man-In-The-Middle and eavesdropping attacks. That is its job and it does it well. Security, unfortunately, is not that simple and consists of hundreds of areas.

Having SSL enabled for your entire site does make things slower. For that matter, some sites do not encrypt all transmissions. There are potential problems with this scenario of not encrypting everything. For example, if there's a

<script src="someScript.js"></script>

in your HTML source and the transmission is not encrypted, then it's easy to achieve XSS attacks as a MITM. Elements such as Script, Embed, (I)Frame, Object, Applet and probably some others, too, are dangerous without SSL. The Img element does not need to be SSL enabled (at least nothing can happen with mainstream browsers; not sure about IE 6 & 7). If you don't encrypt everything, then you must be careful and think about what you are doing. The safest and easiest option is to encrypt everything, but your performance will suffer. You could start by encrypting everything except .jpg, .png and .gif. That should get you started.
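The distinction drawn in the post above (script, frame, object and similar elements are dangerous when fetched over plain HTTP, images much less so) is what browsers later formalised as "active" versus "passive" mixed content. As an added example that is not part of the thread, the following Python script scans an HTML document for resource references with an explicit http:// scheme and classifies each one; the sample page and the *.example.test hostnames in it are constructed for the demonstration. Protocol-relative (//host/path) and https:// references are not flagged, since they inherit the page's secure scheme.

```python
"""Added example (not from the thread): scan an HTML document for resources
fetched over plain http:// from a page meant to be served over HTTPS.
Sample HTML and hostnames below are constructed for the demonstration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements whose http:// loads run or embed code in the page: a network
# attacker who tampers with these gets script execution (the XSS the
# post describes).
ACTIVE = {
    "script": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "applet": ("code", "archive"),
}
# Elements that only display data. Tampering can alter what is shown
# and the request still leaks, but no code runs in the page's origin.
PASSIVE = {"img": ("src",), "audio": ("src",), "video": ("src",)}


class MixedContentScanner(HTMLParser):
    """Collect (kind, tag, url) for every plaintext-HTTP resource reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _check(self, kind, tag, url):
        # Only an explicit http: scheme is mixed content; https: and
        # protocol-relative (//host/path) URLs inherit the secure scheme.
        if url and urlparse(url).scheme.lower() == "http":
            self.findings.append((kind, tag, url))

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        attrs = dict(attrs)
        for attr in ACTIVE.get(tag, ()):
            self._check("active", tag, attrs.get(attr))
        for attr in PASSIVE.get(tag, ()):
            self._check("passive", tag, attrs.get(attr))
        # A stylesheet is active content too: CSS can load further
        # resources and restyle the page.
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            self._check("active", tag, attrs.get("href"))


def scan(html):
    """Return the list of mixed-content findings in document order."""
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def has_active_mixed_content(html):
    """True if any finding would let a network attacker inject code."""
    return any(kind == "active" for kind, _, _ in scan(html))


# Constructed sample page; *.example.test hostnames are placeholders.
SAMPLE = """<html><head>
<script src="http://cdn.example.test/someScript.js"></script>
<script src="https://cdn.example.test/ok.js"></script>
<script src="//cdn.example.test/protocol-relative.js"></script>
<link rel="stylesheet" href="http://cdn.example.test/style.css">
</head><body>
<img src="http://img.example.test/logo.png">
<iframe src="https://widgets.example.test/w"></iframe>
<object data="http://plugins.example.test/x.swf"></object>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE):
        print(f"{kind:7s} <{tag}> {url}")
```

Running it on the sample reports three active findings (the script, the stylesheet and the object) and one passive finding (the image); the https:// and protocol-relative scripts pass. Pointing scan() at your own templates before switching the whole site to HTTPS tells you which references would break the padlock once the redirect from the first post is in place.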
arjan.top
Forum Contributor
Posts: 305
Joined: Sun Oct 14, 2007 4:36 am
Location: Hoče, Slovenia

Re: HTTPS - Always active?

Post by arjan.top »

But with not encrypting everything you would get warning messages that some of the content is not encrypted; not good for users =)