我是网络安全新手。
为什么我要使用 HTTP 然后切换到 HTTPS 进行某些连接?
为什么不一直使用 HTTPS?
最佳答案
有一些有趣的配置改进可以降低 SSL/TLS 的成本,如本文档中所述(显然基于 on work from a team from Google:Adam Langley、Nagendra Modadugu 和 Wan-Teh Chang):http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html
If there's one point that we want to communicate to the world, it's that SSL/TLS is not computationally expensive any more. Ten years ago it might have been true, but it's just not the case any more. You too can afford to enable HTTPS for your users.
In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.
If you stop reading now you only need to remember one thing: SSL/TLS is not computationally expensive any more.
当仅对登录页面使用 HTTPS 时,一种错误的安全感是您为 session 劫持敞开了大门(诚然,这总比明文发送用户名/密码要好);例如,使用 Firesheep,这最近变得更容易(或更流行)(尽管问题本身已经存在了很长时间)。
另一个可能会降低 HTTPS 速度的问题是某些浏览器可能不会缓存它们通过 HTTPS 检索的内容,因此它们必须重新下载它们(例如,您经常访问的网站的背景图像)。
话虽这么说,如果您不需要传输安全性(防止攻击者查看或更改交换的数据,无论哪种方式),纯 HTTP 就可以了。
关于HTTPS 而不是 HTTP?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/4070659/