Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

How secure is http to https - versus http

Posted on 2011-03-03
6
Medium Priority
?
279 Views
Last Modified: 2012-06-27
Hi,

I am currently working on a website that needs to have some type of login to allow visitors to posts data. First i assumed that i should use https for this site, however the more i learn to more it seems useless to use https.

For example in google to login you go through a https webpage. However when you enter the search part of google -> http://www.google.com my computer sends a stored cookie in plain text which is used by google to give me the possiblilties to goto my account setting (btw experts-exchange.com and many other sites do the same) Couldn't this cookie be just as easily seen/hacked as if the login was done in plain http.

Since our website is not using any form of payment or stores any highly confidential information i was wondering if there is any reason to use https.
0
Comment
Question by:Nebukad
  • 3
  • 2
6 Comments
 
LVL 4

Expert Comment

by:MarioAlcaide
ID: 35025570
If you use https you will ensure that your data will be safe. If you don't need that much security, then don't use it, you will just make your system more difficult to implement and mantain.

That's my tip, regards.
0
 
LVL 10

Accepted Solution

by:
abbright earned 2000 total points
ID: 35025710
Using https is a good idea if you send passwords over the network as they cannot be intercepted in that case. When using http cookies are sent plaintext, as well, this is correct, but depending on the stuff you store on your server this may or may not be problem.
The difference between cookies and passwords is the following: passwords frequently are reused by people on different sites, so getting the password of someone may open the doors to other sites as well. Cookies are very site-specific and usually are not used for the sensitive parts but rather changing preferences or so.
0
 

Author Comment

by:Nebukad
ID: 35025761
In experts-exchange i am automatically logged in based on my cookie which is send in plain text. I can alter my password without having to re-authenticate. To be secure a user should re-authenticate whenever changing sensitive data. correct?
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 10

Expert Comment

by:abbright
ID: 35025795
That's what I'd suggest. Anyway it is always up to the site to decide.
0
 
LVL 10

Expert Comment

by:abbright
ID: 35025800
One option many sites use is to enter the old password in order to be able to change it. This is somewhat of a compromise between security and comfort.
0
 

Author Comment

by:Nebukad
ID: 35025810
@abbright: Thanks for your information, i have a better understanding of how securing a site should work.
0

Featured Post

Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With the evolution of technology, we have finally reached a point where it is possible to have home automation features like having your thermostat turn up and door lock itself when you leave, as well as a complete home security system. This is a st…
Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question