
HTTPS instead of HTTP?

I'm new to web security.

Why would I want to use HTTP and then switch to HTTPS for some connections?

Why not stick with HTTPS all the way?

There are interesting configuration improvements that can make SSL/TLS less expensive, as described in this document (apparently based on work from a team from Google: Adam Langley, Nagendra Modadugu and Wan-Teh Chang): http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

If there's one point that we want to communicate to the world, it's that SSL/TLS is not computationally expensive any more. Ten years ago it might have been true, but it's just not the case any more. You too can afford to enable HTTPS for your users.

In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.

If you stop reading now you only need to remember one thing: SSL/TLS is not computationally expensive any more.

One false sense of security when using HTTPS only for login pages is that you leave the door open to session hijacking (admittedly, it's better than sending the username/password in the clear anyway); this has recently been made easier to do (or more popular), using Firesheep for example (although the problem itself has been there for much longer).

Another problem that can slow down HTTPS is the fact that some browsers might not cache the content they retrieve over HTTPS, so they would have to download it again (e.g. background images for the sites you visit frequently).

This being said, if you don't need the transport security (preventing attackers from seeing or altering the data that's exchanged, either way), plain HTTP is fine.
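The session-hijacking point in the answer above comes down to browser cookie handling: a session cookie issued during an HTTPS login is attached to every later request to the same host, plain-HTTP requests included, unless it carries the Secure attribute, so the cookie is exposed to anyone sniffing the HTTP leg. The following is an added example, not part of the original answer or of any Stack Overflow post; it drives Python's standard http.cookiejar (which applies the same Secure/domain/path rules browsers do) with a constructed login response, and the host example.com and the paths /login and /inbox are hypothetical.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Stand-in for an HTTP response. CookieJar.extract_cookies() only needs
    .info() to return a headers object with get_all(); the login response is
    constructed here rather than fetched from a real server."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookies_sent(set_cookie_headers, login_url, later_url):
    """Store the cookies a login response at login_url sets, then return the
    names of the cookies the jar would attach to a later request to later_url."""
    jar = http.cookiejar.CookieJar()
    login_request = urllib.request.Request(login_url)
    jar.extract_cookies(_FakeResponse(set_cookie_headers), login_request)

    later_request = urllib.request.Request(later_url)
    jar.add_cookie_header(later_request)  # applies Secure, domain and path rules
    header = later_request.get_header("Cookie")
    if header is None:
        return []
    return [pair.split("=", 1)[0] for pair in header.split("; ")]


# Login happens over HTTPS in every scenario; the site then falls back to HTTP
# for ordinary pages, which is the "HTTPS only for login" setup discussed above.
LOGIN_URL = "https://example.com/login"   # hypothetical host and paths
PLAIN_URL = "http://example.com/inbox"
SECURE_URL = "https://example.com/inbox"

# Scenario 1 (constructed): the session cookie lacks the Secure attribute.
# It rides along on the plain-HTTP request, where a sniffer can copy and replay it.
LEAKY_LOGIN = ["sessionid=abc123; Path=/; HttpOnly", "prefs=dark; Path=/"]

# Scenario 2 (constructed): same login, but the session cookie is marked Secure,
# so the browser withholds it from plain-HTTP requests.
HARDENED_LOGIN = ["sessionid=abc123; Path=/; HttpOnly; Secure", "prefs=dark; Path=/"]


def demo():
    """Names of cookies sent in each scenario, keyed by scenario."""
    return {
        "leaky_over_http": cookies_sent(LEAKY_LOGIN, LOGIN_URL, PLAIN_URL),
        "hardened_over_http": cookies_sent(HARDENED_LOGIN, LOGIN_URL, PLAIN_URL),
        "hardened_over_https": cookies_sent(HARDENED_LOGIN, LOGIN_URL, SECURE_URL),
    }


if __name__ == "__main__":
    for scenario, names in demo().items():
        print(f"{scenario}: {names}")
```

Note that the Secure attribute only keeps the cookie off the wire in the clear; it does not make the HTTP pages themselves trustworthy (an attacker on the path can still alter them), which is why the answer's conclusion is to serve everything over HTTPS rather than to patch up a mixed deployment.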

Mostly performance reasons. SSL requires extra (server) CPU time.

Edit: However, this overhead is becoming less of a problem these days; some big sites have already switched to HTTPS by default (e.g. GMail - see Bruno's answer).

If you're not transmitting data that needs to be secure, the overhead of HTTPS isn't necessary.

Check this SO thread for a very detailed discussion of the differences: HTTP vs HTTPS performance

And one thing that is no less important: the firewall. Don't forget that HTTPS is usually implemented on port 443. In some organizations such ports are not configured in the firewall or transparent proxies.

HTTPS can be very slow, and it is unnecessary for things like images.

Notice: the technical posts on this site are published under the CC BY-SA 4.0 license; if you need to repost them, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM