What are the pros and cons of a 100% HTTPS site?
    <p>First, let me admit that what I know about HTTPS is pretty rudimentary. I don't know much about session security, encryption, or how either of those things is supposed to be done.</p> <p>What I do know is that web security is important; that horror stories of XSS, CSRF, and database injections pop up over and over again. I know that a preventative stance against such exploits is better than a reactive one.</p> <p>But the motivation for this question comes from a different point of view. I work at a site that regularly accepts payment from users. Obviously, the payments are sent over a secure channel (HTTPS). I mainly work on the CSS, HTML, and JavaScript of the site. What I've been told is that it is necessary to duplicate CSS, JavaScript, and image files before they can be called over HTTPS. So assume I have the following files:</p> <ul> <li>css/global.css</li> <li>js/global.js</li> <li>images/ <ul> <li>logo.png</li> <li>bg.png</li> </ul></li> </ul> <p>The way I understand it, these files need to be duplicated before they can be "added" to the HTTPS. So a file can either be under security (HTTPS) or not.</p> <p>If this is true, then this is a major hindrance. In even the smallest site, it would be a major pain to duplicate files and then have to maintain them every time you make a CSS or JS change. Obviously this could be alleviated by moving <em>everything</em> into the HTTPS.</p> <p>So what I want to know is, <strong>what are the pros and cons of a site that is completely behind HTTPS?</strong> Does it cause noticeable overhead? Is it just foolish to place the entire site under encryption? Would users feel safer seeing the "secure" notifications in their browser during their entire visit? And last but not least, does it truly <a href="https://stackoverflow.com/questions/4017344/is-https-the-only-defense-against-session-hijacking-in-an-open-network">make for a more secure site</a>? What can HTTPS <em>not</em> protect against?</p>