http:\\ vs https:\\

hello all.. I am working on a .net application and am trying to decide on http vs https.. I have seen a lot of sites that do not use https on the apps login screen. to me, that seems like that would not be a secure way of doing business as everything related to user signup and login should be secure.

if any of you have experience with http vs https, i would like to hear your opinions.

Thanks in advance for any help that could be provided.

 

I remember a lesson about this at college. In my opinion (and that of the authors who wrote our textbooks), if your site is simple enough, and you're not dealing too much with hard cash, http would do.

On the other hand if your user accounts would have access to money, or the stakes are high, go in for https

 

well SSN and credit card numbers are involved.. so I know that I will use https 'in' the application, but what about the page where the user logs in? does that have to be https as well?

 

you need https in paypal and banks, money sites.

 

Most credit card companies tell customers not to use CC numbers on site without "https://" ... so if you don't want to turn away potential clients and don't want to be branded as a scamming/phishing site, go for the s.

~SX

 

that is what I have always been taught also.. but what about the log in page?

 

Why wouldn't you just use https:// in everything if its secured in stuff?

 

You should always use https for the login page or any page that requires "secret" credentials (ie: forget password, password reset, hint). You want to make the user to feel secure at all times and since you are making the effort to keep them feeling warm and cozy you should also post that somewhere on the website that they are using a SSL encrypted website.

People these days take note on what they are doing online because of the widespread media coverage so in closing I'd use https.

Regards,

 

good point whatyaknow..

https should be used

 

There was an issue with setting up IIS to make everything https.

If you have any tips on redirecting http to https for every page that is viewed, i would appreciate any help.

 

Or.. what you can do is offer the user the option to switch over to https to login.. that way you can appease everyone?

 

Wish I could help you out but I'm an apache guy..

 

me too.. this question is for my job.. personally i am an LAMP person

 

forms authentication over https is a classic and proven solution for asp.net. So, just implement it . The other secure authentication method is windows authentication (this can be over http) -
- much harder to implement - Active Directory involved ...)

 

It shouldn't be a problem to serve the login page itself as http:// -as long as the form is submitted over https://

 

Make the POST call in the login form to script that handles the password/login details to https then have the script redirect back to http

Many websites do this..Look at Facebook.com login form. (view source)

 

As said, it depends what data there is secured by the log in. If it is a simple forum then there is little point in paying the cost of a SSL certificate etc however if personal details are there you should consider it and certainly if access to credit card details.

The disadvantages of SSL is firstly the additional hosting costs and secondly SSL adds to the server load as all comms have to be encrypted/ decrypted

 

Thanks everyone for your help.. I think we have it figured out now!

 

Https:// i check in my Bank account site

 

i think if you website is not directly involve in cashing, means redirecting to paypal or so, then you dont need https. but if your business nature a very secure information https must be adopted.