?
Solved

How secure is http to https - versus http

Posted on 2011-03-03
6
Medium Priority
?
277 Views
Last Modified: 2012-06-27
Hi,

I am currently working on a website that needs to have some type of login to allow visitors to posts data. First i assumed that i should use https for this site, however the more i learn to more it seems useless to use https.

For example in google to login you go through a https webpage. However when you enter the search part of google -> http://www.google.com my computer sends a stored cookie in plain text which is used by google to give me the possiblilties to goto my account setting (btw experts-exchange.com and many other sites do the same) Couldn't this cookie be just as easily seen/hacked as if the login was done in plain http.

Since our website is not using any form of payment or stores any highly confidential information i was wondering if there is any reason to use https.
0
Comment
Question by:Nebukad
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 4

Expert Comment

by:MarioAlcaide
ID: 35025570
If you use https you will ensure that your data will be safe. If you don't need that much security, then don't use it, you will just make your system more difficult to implement and mantain.

That's my tip, regards.
0
 
LVL 10

Accepted Solution

by:
abbright earned 2000 total points
ID: 35025710
Using https is a good idea if you send passwords over the network as they cannot be intercepted in that case. When using http cookies are sent plaintext, as well, this is correct, but depending on the stuff you store on your server this may or may not be problem.
The difference between cookies and passwords is the following: passwords frequently are reused by people on different sites, so getting the password of someone may open the doors to other sites as well. Cookies are very site-specific and usually are not used for the sensitive parts but rather changing preferences or so.
0
 

Author Comment

by:Nebukad
ID: 35025761
In experts-exchange i am automatically logged in based on my cookie which is send in plain text. I can alter my password without having to re-authenticate. To be secure a user should re-authenticate whenever changing sensitive data. correct?
0
10 Questions to Ask when Buying Backup Software

Choosing the right backup solution for your organization can be a daunting task. To make the selection process easier, ask solution providers these 10 key questions.

 
LVL 10

Expert Comment

by:abbright
ID: 35025795
That's what I'd suggest. Anyway it is always up to the site to decide.
0
 
LVL 10

Expert Comment

by:abbright
ID: 35025800
One option many sites use is to enter the old password in order to be able to change it. This is somewhat of a compromise between security and comfort.
0
 

Author Comment

by:Nebukad
ID: 35025810
@abbright: Thanks for your information, i have a better understanding of how securing a site should work.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With the rising number of cyber attacks in recent years, keeping your personal data safe has become more important than ever. The tips outlined in this article will help you keep your identitfy safe.
The well known Cerber ransomware continues to spread this summer through spear phishing email campaigns targeting enterprises. Learn how it easily bypasses traditional defenses - and what you can do to protect your data.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question