Solved

How secure is http to https - versus http

Posted on 2011-03-03
6
275 Views
Last Modified: 2012-06-27
Hi,

I am currently working on a website that needs to have some type of login to allow visitors to posts data. First i assumed that i should use https for this site, however the more i learn to more it seems useless to use https.

For example in google to login you go through a https webpage. However when you enter the search part of google -> http://www.google.com my computer sends a stored cookie in plain text which is used by google to give me the possiblilties to goto my account setting (btw experts-exchange.com and many other sites do the same) Couldn't this cookie be just as easily seen/hacked as if the login was done in plain http.

Since our website is not using any form of payment or stores any highly confidential information i was wondering if there is any reason to use https.
0
Comment
Question by:Nebukad
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 4

Expert Comment

by:MarioAlcaide
ID: 35025570
If you use https you will ensure that your data will be safe. If you don't need that much security, then don't use it, you will just make your system more difficult to implement and mantain.

That's my tip, regards.
0
 
LVL 10

Accepted Solution

by:
abbright earned 500 total points
ID: 35025710
Using https is a good idea if you send passwords over the network as they cannot be intercepted in that case. When using http cookies are sent plaintext, as well, this is correct, but depending on the stuff you store on your server this may or may not be problem.
The difference between cookies and passwords is the following: passwords frequently are reused by people on different sites, so getting the password of someone may open the doors to other sites as well. Cookies are very site-specific and usually are not used for the sensitive parts but rather changing preferences or so.
0
 

Author Comment

by:Nebukad
ID: 35025761
In experts-exchange i am automatically logged in based on my cookie which is send in plain text. I can alter my password without having to re-authenticate. To be secure a user should re-authenticate whenever changing sensitive data. correct?
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 10

Expert Comment

by:abbright
ID: 35025795
That's what I'd suggest. Anyway it is always up to the site to decide.
0
 
LVL 10

Expert Comment

by:abbright
ID: 35025800
One option many sites use is to enter the old password in order to be able to change it. This is somewhat of a compromise between security and comfort.
0
 

Author Comment

by:Nebukad
ID: 35025810
@abbright: Thanks for your information, i have a better understanding of how securing a site should work.
0

Featured Post

How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Do you know what to look for when considering cloud computing? Should you hire someone or try to do it yourself? I'll be covering these questions and looking at the best options for you and your business.
Many of you may be aware of the recent Google Docs scam emails that have been floating around coming from various people that you know. Here's a guide on identifying How To Identify the Scam Email You will see an email from someone you’ve had co…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question