1

Big websites for things such as banks (eg www.cimbclicks.com.my) and online shopping (eg www.lazada.com.my) don't seem to care to secure their front page with SSL but their login page is secured with SSL. Is there any technical motivation for not using HTTPS on the front page (such us decreased performance)?

Anders
  • 64,406
  • 24
  • 178
  • 215
MaXi32
  • 137
  • 7
  • 5
    You should contact them and ask? There is no possible way we can explain the reasons a website doesn't use SSL – Ramhound Sep 14 '16 at 03:38
  • I thought that someone could possibly give a professional answer like https perhaps affect the performance of the front page .. etc.. but that's one answer that i got. thanks for the voting down unprofessionally. – MaXi32 Sep 14 '16 at 03:59
  • Ok I got the related question asked here: http://security.stackexchange.com/questions/16246/is-a-company-website-secure-against-sslstrip-if-it-doesnt-use-ssl-on-homepage-b?rq=1 – MaXi32 Sep 14 '16 at 04:07
  • 1
    Both those sites do have HTTPS (e.g. https://www.cimbclicks.com.my/ is valid). It's just that the HTTP site does not redirect to the HTTPS site. When people are just viewing marketing material, not entering personal data, there's no massive need for HTTPS. Still, the trend is to use HTTPS everywhere, banks tend to be slow to follow, but they will eventually. – paj28 Sep 14 '16 at 08:50
  • 1
    There will often be a senior guy that'll say "everything works fine with HTTP, why should we waste time/money into fixing something that's not broken?". – André Borie Sep 14 '16 at 11:06
  • ssl is slower and might not be needed; front pages are often fluff... – dandavis Sep 14 '16 at 17:35
  • @dandavis [slower you said?](https://www.httpvshttps.com/) – André Borie Sep 15 '16 at 17:15
  • @AndréBorie: yes, slower. your link compares http/2 to 1, which is under 10% of setups... However, I would be interested in measuring http2 with and without ssl if you can find something; fewer connections to secure should reduce the perf penalties of http(1)s. From my own experience, http://pagedemos.com/ loads about twice as fast as https://pagedemos.com/ – dandavis Sep 15 '16 at 20:37
  • @dandavis I agree that fewer connections makes page loading faster, but that can be fixed just fine without hindering security by hosting all the dependencies yourself so you reuse the same connection (as well as combining multiple CSS/JS files together). – André Borie Sep 15 '16 at 20:41
  • @AndréBorie: agree 100% that optimizations help, perhaps more than the diff, but all else being equal, it's hard to find cases of https beating http... There is also a per-domain pipeline limit, so CDNs can help draw the page faster than 100% self-hosted assets, especially on sites with many resources. – dandavis Sep 15 '16 at 20:42

3 Answers3

3

This says more about friction in enterprise processes than it does about technology.

For an enterprise to set up their website with https throughout, they have to sort out the certs and configuration up front. That requires a bunch of background management and security processes all of which add friction to the deployment project that is probably already under-funded and under pressure to deliver.

So it is conceptually easier for the project to implement a "standard" website then worry about the security once they have proved that the basic site is sufficiently robust and performant.

HTTPS does make some things more complex to manage and thinking about end-to-end caching strategies are a bit harder to manage.

None of these things are excuses really but that is my take, from experience, on the enterprise process.

It is changing and if you change the link to https you will find that it has actually been implemented so that might only be how the URL has been written and communicated - often by non-experts. http should be disabled of course.

Services such as the excellent Cloudflare are also helping since everyone can now present their site over https even without getting your own certificate (though you obviously still need at least a self-signed cert to help secure the traffic between your server and Cloudflare).

Julian Knight
  • 7,092
  • 17
  • 23
1

This is you thinking with your "nerd" brain and ignoring the ten different things which come into play when you talk about "security".

These are attitudes of the people running the site, their skill sets, their production/business working schedules about getting the site offline to do such work etc.

As for the techie aspects, yes you are absolutely correct that all sites must use https all the time and since you mention "big sites", there's netflix and others who are following that rule.

The SSL causing overhead arguments are no longer true and so is the meme that "only logins should be SSL". Read this post for more.

allwynmasc
  • 170
  • 1
  • 8
1

If the asset has any value which would be compromised by being exposed then there is no good reason for mixing SSL and non-SSL traffic. Arguably even if it has little intrinsic value, while people tend to re-use passwords, the operator has a duty of care to protect the password for its potential value elsewhere.

Since it's not unreasonable to expect that people will transition from the non-ssl to ssl part, there is a potential for an SSL stripping attack (not all browsers implement HSTS and certificate pinning, not all websites implement HSTS and pinning).

Yes there is a performance overhead (if I don't qualify that, then some bright spark will come along and say CPUs and cypher alogrithms are much faster - but the overhead is in the extra RTTs for negotiation). But the performance impact can be mitigated at a cost comparable to that of hosting and provisioning a certificate.

symcbean
  • 18,278
  • 39
  • 73