
web Application served over HTTP/HTTPS? [duplicate]

This question already has answers here: Closed 11 years ago.

Possible Duplicate:

Why not use HTTPS for everything?

I know the basic differences between HTTP and HTTPS that is related to secure HTTP communication.

I would like to know why some websites are served on both HTTP and HTTPS. In one of my earlier projects, the same website was served over port 8443, which is for HTTPS, and port 80, which is for HTTP.

When I log in to the website I see a URL starting with https://www.my.org.etc

After login, all other pages also appear with https://www...., not a single screen is served over http://www....

Then why do we configure the application to be served over http at all? We can just serve the application over HTTPS only?


Mostly for performance reasons, SSL handshaking. I only use https when I absolutely need to. See the following

HTTP vs HTTPS performance


HTTPS has a little overhead compared with HTTP, which can make it slower.

Due to that, it used to be common practice for most websites to serve most pages over HTTP and only serve those pages that require security over HTTPS, for example a payment page or a personal data page.

Doing this works fine as long as all resources in the HTTPS page are served from an HTTPS connection. You may remember seeing in some websites that the browser alerts you that even though the page is secure, some elements of the page are not.

A common pitfall is serving CSS files or images from an HTTP connection.

Today lots of sites opt for serving the whole site from behind an HTTPS connection if security is a concern, disregarding the (very little) overhead of doing so.
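The mixed-content pitfall described in the answer above can be checked for before a page ships. The following is an added example, not part of the original answer: it scans the HTML of a page served over HTTPS and reports subresources that would still be fetched over plain HTTP. The function and class names, and the `*.example` hosts in the constructed sample page, are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose src attribute makes the browser fetch a subresource.
SRC_TAGS = {"img", "script", "iframe", "audio", "video", "source"}

class MixedContentFinder(HTMLParser):
    """Collects subresources that an HTTPS page would load over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        candidates = [attrs.get("src")] if tag in SRC_TAGS else []
        # <link href> is fetched as a subresource for stylesheets and icons.
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" in rel or "icon" in rel:
                candidates.append(attrs.get("href"))
        for value in filter(None, candidates):
            # Resolve relative and protocol-relative URLs against the page URL.
            resolved = urljoin(self.page_url, value.strip())
            if urlparse(resolved).scheme == "http":
                self.findings.append((tag, resolved))

def find_mixed_content(page_url, html):
    """Return (tag, url) pairs for http:// subresources on an https:// page."""
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only applies to pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page, as if served from https://shop.example/checkout
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://static.example/site.css">
<link rel="stylesheet" href="/local.css">
<script src="//cdn.example/app.js"></script>
</head><body>
<img src="http://static.example/logo.png">
<a href="http://other.example/">plain link, not a subresource</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://shop.example/checkout", SAMPLE):
        print(f"mixed content: <{tag}> loads {url}")
```

Relative and protocol-relative URLs inherit the page's scheme, so only the two explicit `http://` subresources are reported; the plain `<a href>` link is navigation, not a subresource, and is ignored.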


In our application, what we do is serve everything over HTTPS by default.

But what if the user typed http://yourapp.yourdomain. In that case it is a bad idea to show him that the url does not exist. So we redirect any http requests to https.

It is so because by default any request will be served over HTTP, and that's the browser default if you do not specify a protocol. So if you do not redirect the HTTP request to your HTTPS app, then you stand a chance to lose your audience.


HTTPS is important for any information you want encrypted over the wire. Not everything needs to be encrypted over the wire, and the additional overhead of the process of encryption and decryption may be overkill for your site.

If you have a page within your site that takes personal information such as credit card numbers, passwords, SSNs, etc., then this information should be encrypted. If you have other pages in your site that show images and text, i.e. read-only public information, then HTTPS would not be necessary.
