Why is the https used only for connection?


Is performance the only issue? Can't an https connection be used throughout a user's session? There is obviously less redirection happening!

I found this related question on http vs. https performance

Edit: OK, I didn't mean 'used only for login'. Rather, what I'm trying to ask is: if you come to a point where you need https anywhere on your site, whether it be login or payments, why not make all communication to the site over http?

As an example, assume a blog site. Now, the blog posts might get created by sending an email. Further down the line, I might provide a 'login' and then an 'add post' action. In this scenario, usually https is used only for the login and then regular http again for actually adding the post. Since the need now is to provide an 'admin' mode, so to speak, why not have all communication over https while a person is in the 'admin' mode, i.e. logged in?


Performance is not the only issue. If you're going to use HTTPS, you really need to check that all your content, including third party images and libraries, is available through HTTPS. Otherwise, you will generate annoying mixed content messages on IE:

http://blog.httpwatch.com/2009/04/23/fixing-the-ie-8-warning-do-you-want-to-view-only-the-webpage-content-that-was-delivered-securely/

This also means that you'll need separate SSL certificates for each host name that you use (e.g. images.example.com) or some sort of wildcard SSL certificate (e.g. for *.example.com).

A carefully configured site should only suffer a slight CPU hit on client and server using HTTPS:

http://blog.httpwatch.com/2009/01/15/https-performance-tuning/
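
Added example (not part of the original answer): a small Python audit that finds the subresources a page would still load over plain http:// once it is served over HTTPS, and sorts their host names by whether a single wildcard certificate would cover them. The sample markup, the host names and the function names `audit` and `hosts_needing_tls` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a subresource (not plain navigation links).
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "object": "data",
}

class MixedContentAudit(HTMLParser):
    """Collect subresource URLs that an HTTPS page would load over plain HTTP."""
    def __init__(self):
        super().__init__()
        self.insecure = []  # (tag, url) pairs fetched over http://

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            # Stylesheets and icons are fetched; rel="canonical" and similar are not.
            rel = set((a.get("rel") or "").lower().split())
            url = a.get("href") if rel & {"stylesheet", "icon"} else None
        else:
            url = a.get(SUBRESOURCE_ATTRS.get(tag, ""))
        # Relative and protocol-relative (//host/x) URLs inherit the page's scheme.
        if url and urlsplit(url.strip()).scheme.lower() == "http":
            self.insecure.append((tag, url.strip()))

def audit(html):
    parser = MixedContentAudit()
    parser.feed(html)
    parser.close()
    return parser.insecure

def hosts_needing_tls(findings, base):
    """Split hosts into (covered by a *.base certificate, needing their own)."""
    hosts = {urlsplit(url).hostname for _, url in findings}
    depth = base.count(".") + 1  # a wildcard matches exactly one extra label
    covered = {h for h in hosts if h.endswith("." + base) and h.count(".") == depth}
    return sorted(covered), sorted(hosts - covered)

# Constructed sample page fragment.
SAMPLE = """<link rel="stylesheet" href="http://static.example.com/site.css">
<link rel="canonical" href="http://www.example.com/post/1">
<script src="//cdn.example.net/lib.js"></script>
<a href="http://other.example.org/">link</a>
<img src="http://images.example.com/logo.png">
<script src="http://a.b.example.com/x.js"></script>"""

if __name__ == "__main__":
    found = audit(SAMPLE)
    print(found)
    print(hosts_needing_tls(found, "example.com"))
```

The anchor link and the canonical link are not reported because the browser does not fetch them while rendering the page, and `a.b.example.com` falls outside `*.example.com` because a wildcard matches only one label.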