Poll: HTTPS for whole site or just login-cart pages?

I'm used to putting a Let's Encrypt certificate on my sites and forgetting about it, but in a previous discussion I was told that you don't need to encrypt the whole site, just the pages that need it like login, cart, etc...
Now I'm curious to know what the community thinks about it, so answer the poll and let's settle this debate.

HTTPS for whole site or just login-cart pages?
  What pages do you encrypt with SSL certificate? (167 votes)
    1. Whole site: 96.41%
    2. Just login, cart, checkout: 3.59%

Comments

  • I think there are almost no reason to not use SSL anymore...

  • My advice is to no longer trust the person that told you that.

  • skorupion Member, Host Rep

    the browser literally flags your website as dangerous without ssl

  • Neoon Community Contributor, Veteran

    You should make it available on all pages.
    However, a few people criticized the step to force people to https.

    I don't know what the exact reason was, but I believe it's technically related: due to your https settings you may drop specific clients.

  • If you ask here, everyone wants whole-site SSL
    You should go ask those outsourced IT staff of a tiny traditional company whose website is no more than a few static ad pages.

  • Arkas Moderator

    Google no longer indexes sites that aren't https compliant.

    Thanked by 2: yoursunny, dahartigan
  • @Neoon said:
    You should make it available on all pages.
    However, a few people criticized the step to force people to https.

    I don't know what the exact reason was, but I believe it's technically related: due to your https settings you may drop specific clients.

    SSL Strip?

  • stratagem Member, Host Rep
  • @Neoon said:
    You should make it available on all pages.
    However, a few people criticized the step to force people to https.

    I don't know what the exact reason was, but I believe it's technically related: due to your https settings you may drop specific clients.

    For some uses (broad dissemination of public/mission-critical data e.g. weather forecast alerts), tls/https is pointless or even dangerous (it prevents connecting completely under poor/slow network coverage).

    Thanked by 1: AlwaysSkint
  • Is this topic a troll or?
    I read so much crap that I wonder how some people offer any services at all.

  • @WebGex said:
    I'm used to putting a Let's Encrypt certificate on my sites and forgetting about it, but in a previous discussion I was told that you don't need to encrypt the whole site, just the pages that need it like login, cart, etc...
    Now I'm curious to know what the community thinks about it, so answer the poll and let's settle this debate.

    Is it really a good decision to host sites on your own?

  • AlwaysSkint Member
    edited October 2021

    The whole https everywhere debacle is long gone.
    Personally, whole site SSL is a f'kin unnecessary overhead and ludicrous for just presenting information, rather than processing data/transactions.
    It was forced upon us by Google; period.
    I ran various e-commerce sites for a decade, or so, with only https at necessary pages. No problemski.
    It's just a part of the dumbing down for the general populace - green padlock everywhere, only so you don't need to look for secure pages in appropriate places.
    [Must make sure that pushups/pet pics/trout pouts don't suffer MITM attacks! :| ]

  • @Shot2 said:

    @Neoon said:
    You should make it available on all pages.
    However, a few people criticized the step to force people to https.

    I don't know what the exact reason was, but I believe it's technically related: due to your https settings you may drop specific clients.

    For some uses (broad dissemination of public/mission-critical data e.g. weather forecast alerts), tls/https is pointless or even dangerous (it prevents connecting completely under poor/slow network coverage).

    Even these sites should have tls enabled in order to prevent malicious routes from planting ads or Trojan links in their pages.
    If these sites want to work with weak networks, consider automatically switching to a clean version or adding a json interface.

  • @AlwaysSkint said:
    The whole https everywhere debacle is long gone.
    Personally, whole site SSL is a f'kin unnecessary overhead and ludicrous for just presenting information, rather than processing data/transactions.
    It was forced upon us by Google; period.
    I ran various e-commerce sites for a decade, or so, with only https at necessary pages. No problemski.
    It's just a part of the dumbing down for the general populace - green padlock everywhere, only so you don't need to look for secure pages in appropriate places.
    [Must make sure that pushups/pet pics/trout pouts don't suffer MITM attacks! :| ]

    Lets turn it around and ask why you should not use ssl everywhere.
    You mention overhead, which in most cases must be more or less totally negligible. Any other practical reason you can think of?

    I too have been running e-commerce sites for over a decade, but I run it with ssl everywhere. No problemski.

  • AlwaysSkint Member
    edited October 2021

    @rcy026 said: ask why you should not use ssl everywhere

    My last sentence is a prime example. Also, I have a small static website that just gives information on running linux on a wee Toshiba - no need for SSL there.

    When considering overheads, don't think in terms of single homed server traffic, think thousands/millions. Admittedly, nobody gives a crap about network quantity these days, just like disc space. Now where's my Raspi Pi?

    Note: all sites that I run now have the enforced https. :( I object to being forced into doing something, just for the hell of it.

    Thanked by 1: bikegremlin
  • yoursunny Member, IPv6 Advocate

    @AlwaysSkint said:
    Must make sure that pushups don't suffer MITM attacks! :|

    Push-ups are delivered over Named Data Networking.
    NDN has its own signature verification scheme, which does not depend on having HTTPS.

    However, the JavaScript program that performs such validation must be delivered over HTTPS.
    If the program is delivered over HTTP instead, it could be modified by attackers, and the later validation results would not be trustworthy.

    whole site SSL is a f'kin unnecessary overhead

    https://istlsfastyet.com/

    It was forced upon us by Google

    Not just Google, but the whole web standards committee - led by Google.

  • @AlwaysSkint said:

    @rcy026 said: ask why you should not use ssl everywhere

    My last sentence is a prime example. Also, I have a small static website that just gives information on running linux on a wee Toshiba - no need for SSL there.

    Well, you don't need a color display or more than a dialup connection either, but it sure is nice to have. If progress was only dictated by what we need, society would look a lot different.
    If you want to run whatever simple website without ssl that is your choice, and I am sure you are competent enough to decide what needs ssl and what does not and the burden of dual configuration and management falls on you, but you should never advise anyone else to run without ssl!

    When considering overheads, don't think in terms of single homed server traffic, think thousands/millions. Admittedly, nobody gives a crap about network quantity these days, just like disc space. Now where's my Raspi Pi?

    Quick look at grafana tells me the webserver farm in one of the dc's is pushing close to 1.5GBit/s right now, and I would guess that 99.5% of that is ssl. Still, the overhead is not an issue that we even take into consideration.
    When you get to a level where ssl overhead theoretically could become a problem, you are already on a level where it is no longer a problem. Sites of that size already have the capacity to deal with it.

    Note: all sites that I run now have the enforced https. :( I object to being forced into doing something, just for the hell of it.

    If you do not understand why ssl is a good thing, it is probably easier to just force you into doing it than trying to explain it to you.

  • AlwaysSkint Member
    edited October 2021

    Interesting. :)

    @yoursunny said: led by Google.

    Sufficient to give the b'stards the blame.

    (Gotta remember that I'm an old skool fart, that needed to optimise network traffic, back in the dark days of the '80s/'90s. ;) )

    Thanked by 1: bikegremlin
  • raindog308 Administrator, Veteran

    I agree with the general sentiment of this thread.

    But what are the acceptable uses for HTTP in 2021?

    (1) localhost-only services which are proxied over HTTPS. e.g., your golang app is on localhost:5000 and you're serving it to the web via nginx on port 443 (ssl).

    (2) Small embedded solutions that only talk on LANs, as there's no reasonable way to keep a cert updated. E.g., the management interface for your printer where you have to connect to its wireless network.

  • @raindog308 said: .. only talk on LANs, as there's no reasonable way to keep a cert updated.

    This.

  • yoursunny Member, IPv6 Advocate

    @raindog308 said:
    (2) Small embedded solutions that only talk on LANs, as there's no reasonable way to keep a cert updated. E.g., the management interface for your printer where you have to connect to its wireless network.

    LAN-only service is tricky.
    I hear that in the Philippines, Internet access exists but is very slow, and people want to access information hosted locally in the wireless access point of cafe shops.
    Such wireless access points and servers do not have an Internet connection, so they cannot obtain a browser-trusted TLS certificate.

    Now you have two bad choices:

    • HTTP would allow any user on the wireless network to MITM, or even eavesdrop if the WiFi is not WPA2.
      Many web APIs are unusable, such as Web Crypto.

    • HTTPS with a self-signed certificate would allow MITM during the first connection, but there's a big scary warning.
      All the web APIs would be available.

    Thanked by 1: raindog308
  • @raindog308 said:
    I agree with the general sentiment of this thread.

    But what are the acceptable uses for HTTP in 2021?

    (1) localhost-only services which are proxied over HTTPS. e.g., your golang app is on localhost:5000 and you're serving it to the web via nginx on port 443 (ssl).

    (2) Small embedded solutions that only talk on LANs, as there's no reasonable way to keep a cert updated. E.g., the management interface for your printer where you have to connect to its wireless network.

    I agree with this, I implement case 1 regularly.

    LAN only connections could be encrypted using a cert from your own CA. If it's local LAN, it is not unreasonable to expect active directory or similar that facilitates running your own CA and rolling out certificates to clients. Agreed, it might be a bit overkill if it's just a printer, but it's doable.

    Thanked by 2: jackywood, yoursunny
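
The "cert from your own CA" option rcy026 raises for LAN-only hosts, and the trust problem yoursunny describes (a self-signed certificate that no client trusts), worked through as an added example that is not from the thread or from any poster: a minimal private CA built with openssl, a leaf certificate for one LAN host, and the checks a client that trusts the CA performs. The host name printer.lan, the address 192.168.1.50 and the CA name are constructed placeholders, and openssl 1.1.1 or later with its default config is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal private CA for a LAN-only
# host (rcy026's "cert from your own CA" for raindog308's case 2).
# Assumptions: openssl 1.1.1+ with its default config is installed;
# printer.lan / 192.168.1.50 and the CA name are constructed placeholders;
# clients will be given ca.crt to trust (group policy, MDM, OS trust store).
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# 1. Create the CA: a self-signed root (the default config marks it CA:TRUE).
#    Its private key stays on the admin machine; only ca.crt goes to clients.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example LAN Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Issue a short-lived leaf certificate for one LAN host. The SAN must list
#    every name and address clients will type, or browsers still warn.
issue_leaf() {
  host="$1"; ip="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  cat > "$WORK/$host.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host,IP:$ip
EOF
  openssl x509 -req -sha256 -days 90 -in "$WORK/$host.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# 3. What a client that trusts ca.crt checks: the chain up to the CA plus a
#    name (or IP) match. Exit status 0 means no browser warning.
verify_leaf() {
  host="$1"; name="$2"
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$name" \
    "$WORK/$host.crt" >/dev/null 2>&1
}

verify_leaf_ip() {
  host="$1"; ip="$2"
  openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$ip" \
    "$WORK/$host.crt" >/dev/null 2>&1
}

# 4. The same leaf on a client that was never given ca.crt: no chain can be
#    built, which is exactly the "big scary warning" a self-signed cert gets.
verify_untrusted() {
  host="$1"
  openssl verify -no-CAfile -no-CApath "$WORK/$host.crt" >/dev/null 2>&1
}
```

Run make_ca once on an admin machine, issue_leaf per device, and distribute only ca.crt to the clients; the CA key never sits on the LAN host. verify_untrusted is the other half of yoursunny's point: the identical leaf fails on a client without ca.crt, and verify_leaf against a name not in the SAN fails too, so the SAN has to list every name clients will actually use.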
  • jsg Member, Resident Benchmarker

    @WebGex said:
    ... told that you don't need to encrypt the whole site but just the pages that need it like login, cart, etc...

    Heresy!!!

    Now I'm curious to know what the community thinks about it, so answer the poll and let's settle this debate.

    No surprise there. Almost 100% of the community thinks exactly what has been preached to them.

    The really funny - and tricky - part is to program the masses -and, at the same time- make them believe that they all are individual and their convictions are individual and their "thinking" is totally free.

    And of course, totally super-honestly, pink fairy promise, thanks to httpS NSA and Google can't see which sites you visit.

    Next week: cookies are good for you and for privacy.

    Thanked by 1: AlwaysSkint
  • ((Mutters to one's self .. must follow Google taxonomy.. ))

  • No ssl and I leave site.

  • raindog308 Administrator, Veteran

    @jsg said: And of course, totally super-honestly, pink fairy promise, thanks to httpS NSA and Google can't see which sites you visit.

    But that's a strawman. If I open an SSL connection to https://www.amazon.com then the amazon.com part of that is visible and no one is saying it isn't.

    But I would rather type my password to Amazon over https than http. I don't think that's pink fairy.

    Could the average joe, intercepting all my traffic, read that password? No.

    Could the NSA? We really don't know. If you want to think that, I'm not going to argue about it since it's essentially a guess, but simply protecting my traffic from people with less-than-NSA resources (which is most threats) is highly valuable.

    https is not perfect but it's better than nothing...no? Are you really arguing that people shouldn't use https?

  • jsg Member, Resident Benchmarker

    @raindog308 said:

    @jsg said: And of course, totally super-honestly, pink fairy promise, thanks to httpS NSA and Google can't see which sites you visit.

    But that's a strawman. If I open an SSL connection to https://www.amazon.com then the amazon.com part of that is visible and no one is saying it isn't.

    But I would rather type my password to Amazon over https than http. I don't think that's pink fairy.

    Could the average joe, intercepting all my traffic, read that password? No.

    Could the NSA? We really don't know. If you want to think that, I'm not going to argue about it since it's essentially a guess, but simply protecting my traffic from people with less-than-NSA resources (which is most threats) is highly valuable.

    https is not perfect but it's better than nothing...no? Are you really arguing that people shouldn't use https?

    No. I'm not arguing at all, those times have passed. I'm laughing.

    As for the rest ...

    It started with "Use SSL and be safe and secure, period" and Joe Anybody accepted it and memorized "I'll use SSL and be safe and secure, period".

    And then came a long series of, let's be nice and call it, 'hiccups' plus the occasional vulnerability, reaching a temporary peak with Heartbleed.
    Plus there were other problems like implementation and configuration errors, large corporations whose left arm evangelized SSL and later TLS and whose right arm found ever new ways to track billions of users, to dictate what users can see, hear, read and later what they can say, etc.

    I had a look at the source code quite early - and was shocked. And whenever I'd talk about it I was basically called a heretic and ridiculed and/or attacked.

    Arguing? Here? Thanks, but thanks no. So, incantate with me "SSL/TLS is great and so is httpS" and it's computationally virtually free, and everybody who isn't using httpS for his doggy or car pics is a heretic.

    (P.S. as I like you: replace 'Amazon' by 'Azure' and think again ...
    "we do not yet know about a festering boil" != "there is no festering boil").

    Thanked by 1: AlwaysSkint
  • yoursunny Member, IPv6 Advocate

    @redcat said:
    No ssl and I leave site.

    No TLS1.2 and I open PMS thread.

    Thanked by 1: Xrmaddness
  • AlwaysSkint Member
    edited October 2021

    I see a green padlock: I must be safe.
    /sarcasm

    Thanked by 1: bikegremlin