Hey, so I am relatively new to web servers (and their security), so I figured I'd get a working HTTPS connection (my browser shows 128-bit encryption) that apparently encrypts all data passed through it (also I have an SSL certificate applied to my domain and IP address, and the browser shows no errors (I see the golden padlock)).
Hooray..! It looks real great and dandy and all, but are there any drawbacks to using this?
# .htaccess: send every request that did not arrive over TLS to the same URL on https://
RewriteEngine On
RewriteCond %{HTTPS} !on
# R=301 makes the redirect explicit and permanent (browsers cache it; use R=302 while testing),
# L stops further rules from running on the redirected request
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
This code in .htaccess forces the server to apply it to the directory.
If I were to set it in my root directory (thus applying HTTPS to my entire site), would I run into problems? Or is it best to just use it when the function calls for security???
Personally, I enjoy the look of having the padlock (and in most browsers, the altered address bar colour), so I would rather have HTTPS active all the time.
Lastly, maybe someone could answer these related questions:
- does my data pass through the company I got my SSL certificate from while in transit? (I am NOT using a temporary key)
- will this cause data flow to be slower?
- IS HTTPS / SSL actually secure, or do I need another layer? In other words, would HTTPS suffice?
Any advice would be most helpful :)
Regards
HTTPS - Always active?
Re: HTTPS - Always active?
SSL does protect against MITM attacks; you can expect a performance drop (I can't give you numbers, test it on your server).
- swhistlesoft
Re: HTTPS - Always active?
You will definitely have a performance drop, because by encrypting all the data at 128 bit you are actually increasing the size and amount of data. There is a reason why most sites only use HTTPS for secure and sensitive data transfer.
Nothing is 100% secure; however, because you are using 128-bit encryption (and you could possibly use 256-bit encryption), it would take a lot of processing power and time to break the encryption. Unless you are securing where Jimmy Hoffa is buried, or the blueprints to the Death Star, I highly doubt anybody with the knowledge and means will make the required attempts to break the encryption.
Personally, I would only use your HTTPS for secure portions of your site.
- kaisellgren
Re: HTTPS - Always active?
Security is not just having SSL enabled on your server. Security is a vast and ever growing subject. SSL prevents Man-In-The-Middle and eavesdropping attacks. That is its job and it does it well. Security, unfortunately, is not that simple and consists of hundreds of areas.
Having SSL enabled for your entire site does make things slower. For that matter, some sites do not encrypt all transmissions. There are potential problems with this scenario of not encrypting everything. For example, if there's a
<script src="someScript.js"></script>
in your HTML source and the transmission is not encrypted, then it's easy to achieve XSS attacks as a MITM. Elements such as Script, Embed, (I)Frame, Object, Applet and probably some others, too, are dangerous without SSL. The Img element does not need to be SSL enabled (at least nothing can happen with mainstream browsers; I'm not sure about IE 6 & 7). If you don't encrypt everything, then you must be careful and think about what you are doing. The safest and easiest option is to encrypt everything, but your performance will suffer. You could start by encrypting everything except .jpg, .png and .gif. That should get you started.
Re: HTTPS - Always active?
But with not encrypting everything you would get warning messages that some of the content is not encrypted, not good for users =)
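The mixed-content problem raised in the two replies above (Script, Embed, (I)Frame, Object and Applet fetched over plain HTTP can be swapped by a MITM, while an Img only earns a warning) can be checked mechanically before deciding what to leave unencrypted. The scanner below is an added example written for this thread; it is not code from any poster, from Apache or from any browser vendor, and the page URLs, host names and HTML snippet in it are constructed for illustration. Given the URL a page is served from, it resolves every sub-resource and reports those that end up on http://, split into active (script-capable) and passive. Because relative and protocol-relative URLs inherit the page's scheme, scanning a page served over http:// also flags the bare `<script src="someScript.js">` case from the post above.

```python
"""Mixed-content scanner: list sub-resources an HTML page fetches over plain HTTP.

Added example for this thread; not code from any poster or from Apache.
The page URLs, host names and HTML sample below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose remote source can execute code or replace page content.
# A MITM who rewrites one of these over plain HTTP gets script execution
# in the page, i.e. the XSS scenario described in the thread.
ACTIVE = {
    "script": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "applet": ("code", "archive"),
    "link": ("href",),  # only <link rel="stylesheet">; filtered in handle_starttag
}
# Elements whose remote source is only rendered, never executed (the "Img" case).
PASSIVE = {
    "img": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
}


class MixedContentScanner(HTMLParser):
    """Collect (tag, absolute URL) pairs for every sub-resource on http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.active = []
        self.passive = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases names; values may be None
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return  # icons, preloads etc. are not script-capable here
        if tag in ACTIVE:
            table, bucket = ACTIVE, self.active
        elif tag in PASSIVE:
            table, bucket = PASSIVE, self.passive
        else:
            return
        for name in table[tag]:
            value = attrs.get(name)
            if not value:
                continue
            # Relative and protocol-relative URLs inherit the page's scheme,
            # so a page served over http:// drags all of them down with it.
            url = urljoin(self.page_url, value.strip())
            if urlsplit(url).scheme.lower() == "http":
                bucket.append((tag, url))


def scan(html, page_url):
    """Return {'active': [...], 'passive': [...]} for the given document."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return {"active": scanner.active, "passive": scanner.passive}


# Constructed sample page (hosts and paths are made up for the example).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="icon" href="http://cdn.example.net/favicon.ico">
<script src="someScript.js"></script>
<script src="http://cdn.example.net/jquery.js"></script>
</head><body>
<img src="http://images.example.net/logo.png">
<iframe src="//widgets.example.net/embed"></iframe>
<object data="http://legacy.example.net/player.swf"></object>
</body></html>"""


if __name__ == "__main__":
    for page in ("https://shop.example.com/checkout", "http://shop.example.com/checkout"):
        result = scan(SAMPLE_HTML, page)
        print(f"{page}: {len(result['active'])} active, {len(result['passive'])} passive")
        for kind in ("active", "passive"):
            for tag, url in result[kind]:
                print(f"  [{kind}] <{tag}> {url}")
```

Run against the constructed sample served from an https:// page it reports three active hits (the stylesheet, the CDN script and the object) and one passive hit (the image); the relative script and the protocol-relative iframe resolve to https:// and are clean. Served from http:// instead, those two join the active list, which is the whole point of the post above. Current browsers refuse to load active mixed content on an HTTPS page and show the warning mentioned in the last reply for passive content, so anything this scanner lists is something that will break or warn once the redirect in the first post is applied site-wide.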