Should I host my entire web application using https?
Actually my only requirement for using SSL encryption is that when a user logs in, the password is transferred encrypted. However after reading a bit about protocol switching, that an HTTPS session can't be taken over as an HTTP session etc. I've been asking myself if it's so bad to just have the entire application use HTTPS only.
What are the reasons against it and how would you rate their importance? Please also mention:
- How much performance do I lose on server side (roughly)?
- How much performance do I lose on client side (roughly)?
- Any other problems on server / client side?
Solution 1:
Reasons against: none. Internet is insecure network and must be treated as such.
About performance:
if your performance target is not < 500 ms response in 99% time, SSL is not bottleneck for you.Most time, there are a lot more beneficial performance improvements available than turning of SSL.
Biggest performance clog for HTTPS ir handshake, but you can migate it by:
- turning on keepalive
- enabling TLS session resumption, which ammortizes cost of assimetric cryptography, without session resumption client on every request sends certificate (few kb/s) and server has to do RSA decryption ...
For improving client/server side performance, it is more important to reduce number of requests/responses/compress content .. etc.
If your server and client software is not horribly outdated, there should be no problems with SSL, excluding certificate/trust chain installation on server and renewing certificate ...
Rememeber that 99% percent of web apps are I/O, not CPU bound, so SSL will be just using otherwise idle server CPU cycles.
Solution 2:
You don't state which authentication method you're using. If you're using Basic auth, then bear in mind that the credentials are sent with every request until the browser is closed. anyway, so there's no point switching down.
With any SSL connection, the only performance-heavy aspect is the initial handshaking for the connection. Once the client and server have exchanged keys, the overhead is negligible on both the client and the server, so there's no real harm in continuing the SSL connection, unless you're dealing with a seriously high-volume server. What kind of load are you expecting?
Solution 3:
Agree wih SmallClanger and Kristaps.
I have no numbers concerning the performance impact, but I'd go full SSL (keyword Firesheep). I know that such attacking techniques exist for years, but awareness is incresing right now and the only real solution is full SSL.