Solved

How secure is http to https - versus http

Posted on 2011-03-03
6
273 Views
Last Modified: 2012-06-27
Hi,

I am currently working on a website that needs to have some type of login to allow visitors to posts data. First i assumed that i should use https for this site, however the more i learn to more it seems useless to use https.

For example in google to login you go through a https webpage. However when you enter the search part of google -> http://www.google.com my computer sends a stored cookie in plain text which is used by google to give me the possiblilties to goto my account setting (btw experts-exchange.com and many other sites do the same) Couldn't this cookie be just as easily seen/hacked as if the login was done in plain http.

Since our website is not using any form of payment or stores any highly confidential information i was wondering if there is any reason to use https.
0
Comment
Question by:Nebukad
  • 3
  • 2
6 Comments
 
LVL 4

Expert Comment

by:MarioAlcaide
ID: 35025570
If you use https you will ensure that your data will be safe. If you don't need that much security, then don't use it, you will just make your system more difficult to implement and mantain.

That's my tip, regards.
0
 
LVL 10

Accepted Solution

by:
abbright earned 500 total points
ID: 35025710
Using https is a good idea if you send passwords over the network as they cannot be intercepted in that case. When using http cookies are sent plaintext, as well, this is correct, but depending on the stuff you store on your server this may or may not be problem.
The difference between cookies and passwords is the following: passwords frequently are reused by people on different sites, so getting the password of someone may open the doors to other sites as well. Cookies are very site-specific and usually are not used for the sensitive parts but rather changing preferences or so.
0
 

Author Comment

by:Nebukad
ID: 35025761
In experts-exchange i am automatically logged in based on my cookie which is send in plain text. I can alter my password without having to re-authenticate. To be secure a user should re-authenticate whenever changing sensitive data. correct?
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 
LVL 10

Expert Comment

by:abbright
ID: 35025795
That's what I'd suggest. Anyway it is always up to the site to decide.
0
 
LVL 10

Expert Comment

by:abbright
ID: 35025800
One option many sites use is to enter the old password in order to be able to change it. This is somewhat of a compromise between security and comfort.
0
 

Author Comment

by:Nebukad
ID: 35025810
@abbright: Thanks for your information, i have a better understanding of how securing a site should work.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question