Cost of going All HTTPS?

How “expensive” would be if I made my entire website HTTPS?

Originally I was just going to have encrypted pages in the usual places (e.g. Log-In, User Profiles, E-commerce), but considering how hackers keep raising the bar every week, and considering how a lot of people are freaked out about the Gov’t spying on them, I am thinking it might make good business sense to just flip the switch and make every single page on my website encrypted.

If I were to do that, how “resource intensive” would that be?

Would it require buying a Data Center?

Hiring an entire army of IT staff?

Possibly leveling a rain forest to satisfy my webserver(s) need for extra electricity? (:

If I am not mistaken, more and more websites are doing this already…

I believe every page you visit on Google is HTTPS, and I think I just saw this week that WikiPedia is looking to go “all encryption” as well.

Benefits that I see this providing my business include…

- Reducing Liability
- Increasing People’s Trust
- Making coding easier

What do you think about this from a “business” standpoint?

And more importantly, from a technical standpoint, “What is the impact of having every web page encrypted?”

Sincerely,

Debbie

Other than ensuring that HTTPS is enforced using htaccess and that the SSL certificate is installed, there won’t be much difference in terms of a performance hit or extra work that you need to do (unless all your links are hard-coded absolute URLs).

I’ve always heard that HTTPS causes an enormous amount of work for the webserver encrypting and decrypting web pages… :-/

If that is true, then it implies a lot of extra wear-and-tear on your server, as well as slower performance, and thus delays for visitors…

It seems you are saying the difference is negligible?

Sincerely,

Debbie

This may have been true in the 90s, but these days, it only adds a few extra milliseconds per connection. Granted, if you’re serving millions of visitors, you will have to do a bit more to optimize performance because of the sheer volume of requests, but this isn’t the case in most situations.

It seems you are saying the difference is negligible?

Unless you are serving millions of visitors per day, yes.

So why don’t most sites go “All HTTPS”?

It seems to me like a good portion of websites would be wise to encrypt every page, and avoid a lot of security and privacy risks…

Off Topic:

BTW, why is SitePoint too lazy to ever use HTTPS?? :mad:

Apparently members’ security/privacy isn’t a concern…

Sincerely,

Debbie

SSL certs cost money, plain and simple. So up until this point, SSL certs have primarily just been used to secure personal and financial information. It’s only in the last couple years when sites have started enacting site-wide HTTPS (gmail, facebook, and twitter are prime examples).

Now that it’s been brought to everyone’s attention that the NSA is spying on everybody, folks are certainly starting to become more security-conscious, so I expect a rise in SSL usage.

As a side note, I stumbled across this article and thought it might be worth a read, as it touches on many of the concerns you are raising: http://blog.artlogic.com/2013/05/22/to-ssl-or-not-to-ssl/

Thanks for the article link.

Since I already have an SSL certificate, and the performance hit sounds negligible, I think doing site-wide encryption would be a great addition to my website.

But to clarify, what would I need to do as far as coding goes to make everything HTTPS?

Do I simply add a line of code into my .htaccess file?

Taking a quick look, most of my links look like this…


	<a href="/small-business/">Small Business</a>

	<a href='/account/my-account.php'>My Account</a>



	define('BASE_URL', ENVIRONMENT === 'development'
					? 'http://local.debbie'
					: 'http://www.MySite.com');

	// Redirect to Display Outcome.
	header("Location: " . BASE_URL . "/account/results.php");


	<li><a href="<?php echo "/articles/rate-this-article/$articleSlug"; ?>">Rate this Article</a></li>


	<a class='button2' href='" . BASE_URL . "/account/log-in.php'>Log In</a>

I would have to step line-by-line through my entire code-base to be 100% certain, but I believe the above samples pretty much reflect how all of my hyperlinks come to be.

So how do I make everything on my website HTTPS?

Sincerely,

Debbie

Add this to your htaccess file:

RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

That will redirect all domains.

This will redirect a specific domain:

RewriteCond %{HTTPS} !=on
# Only redirect requests for the one host that has a certificate.
RewriteCond %{HTTP_HOST} ^(www\.)?example\.org$ [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

As for PHP, just change the http portion in your BASE_URL variable.

Can you help me understand what that says exactly?

Here is my guess…

Line 1: If HTTPS is not on, then…

Line 2: Not so sure about this one. Guessing maybe HTTP_HOST is the Hostname (e.g. www.Debbie.com)

What is the % for?

Doesn’t REQUEST_URI include the domain?? I thought it was the whole URL?

What is [L,R=301] ?

I’m used to this format…


RewriteRule (.+)/$ articles/index_section.php?section=$1 [L]

…where you have <Current URL> followed by <Desired Rewritten URL>

That will redirect all domains.

Can I use this in Development, or will that only work if I have an SSL Certificate in place?

This will redirect a specific domain:

RewriteCond %{HTTPS} !=on
# Only redirect requests for the one host that has a certificate.
RewriteCond %{HTTP_HOST} ^(www\.)?example\.org$ [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Why would I want to use that one versus the first one?

As for PHP, just change the http portion in your BASE_URL variable.

If I have the mod_rewrite in place that you provided above, technically I could leave my BASE_URL as-is, right?

I guess updating the BASE_URL to be “https” is just being doubly sure, right?

Sincerely,

Debbie

Yes.

Line 2: Not so sure about this one. Guessing maybe HTTP_HOST is the Hostname (e.g. www.Debbie.com)

Yes. %{HTTP_HOST} is a variable for the domain.

Doesn’t REQUEST_URI include the domain?? I thought it was the whole URL?

%{REQUEST_URI} is everything that follows the domain (directories, files, queries).

What is [L,R=301] ?

The L is a flag that tells Apache to stop there for that set of conditional rules. The R=301 is a flag that tells Apache what sort of rewrite/redirect it is. In this case, it’s a 301 redirect.

I’m used to this format…


RewriteRule (.+)/$ articles/index_section.php?section=$1 [L]

That does something different. The code splices I gave you should appear before any other rewrites.

Rewrite rules can be used on any part of a URL.

Can I use this in Development, or will that only work if I have an SSL Certificate in place?

It will only work where there is an SSL certificate in place. So, in your development environment, you will have to comment it out.

Why would I want to use that one versus the first one?

If you have multiple domains and only have an SSL certificate specific to an individual domain.

If I have the mod_rewrite in place that you provided above, technically I could leave my BASE_URL as-is, right?

Technically yes, but like I said above, each time you visit an HTTP URL it will be a 301 redirect. So, it might mess up a few things here and there.

I guess updating the BASE_URL to be “https” is just being doubly sure, right?

That would be the preferred approach.

Or, you can detect HTTPS using PHP:


<?php
// Apache sets HTTPS to "on" for TLS requests; other setups leave it unset or set it to "off".
// A non-empty "off" is truthy in PHP, so the test must be && and compare against 'off'.
$protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https://' : 'http://';

$url = $protocol . $_SERVER['HTTP_HOST'];

// HTTP_HOST comes from the request, so escape it before putting it into HTML.
echo '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">clickme</a>';

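The HTTPS check above works on a plain Apache box, but it breaks in two common setups: when `$_SERVER['HTTPS']` is `"off"` (a non-empty string that PHP treats as true) and when a load balancer terminates TLS and the application only ever sees HTTP. The following is an added example, not code from Force Flow or Debbie, showing a stricter `is_https()` and a `base_url()` built on it. The `TRUSTED_PROXIES` list and the hostnames are constructed placeholders, and the `X-Forwarded-Proto` handling is an assumption about a proxy the thread does not describe.

```php
<?php
// Added example (not the thread's own code): a stricter HTTPS detection than
// `isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == true`, plus a BASE_URL helper.
//
// Assumption (hypothetical): if the site sits behind a TLS-terminating proxy,
// that proxy's address is listed here. X-Forwarded-Proto is believed only when
// the request actually comes from one of these addresses; otherwise any visitor
// could send the header and claim to be on HTTPS.
const TRUSTED_PROXIES = ['10.0.0.5'];   // constructed placeholder address

function is_https(array $server): bool
{
    // Apache sets HTTPS to "on" for TLS requests. Some SAPIs set it to "off"
    // for plain HTTP instead of leaving it unset, and "off" == true in PHP.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if ((int)($server['SERVER_PORT'] ?? 0) === 443) {
        return true;
    }
    // Behind a proxy the app sees HTTP; trust the forwarded scheme only from
    // the proxy itself.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, TRUSTED_PROXIES, true)) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
    }
    return false;
}

function base_url(array $server, string $canonicalHost): string
{
    // Use a configured canonical host rather than HTTP_HOST: HTTP_HOST is
    // taken from the request and can be set to anything by the client.
    return (is_https($server) ? 'https://' : 'http://') . $canonicalHost;
}

function link_to(string $base, string $path, string $label): string
{
    $href = $base . '/' . ltrim($path, '/');
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample requests standing in for $_SERVER.
$samples = [
    'tls'     => ['HTTPS' => 'on',  'SERVER_PORT' => '443', 'REMOTE_ADDR' => '203.0.113.9'],
    'plain'   => ['HTTPS' => 'off', 'SERVER_PORT' => '80',  'REMOTE_ADDR' => '203.0.113.9'],
    // A visitor sending X-Forwarded-Proto themselves must not be believed.
    'spoofed' => ['SERVER_PORT' => '80', 'REMOTE_ADDR' => '203.0.113.9',
                  'HTTP_X_FORWARDED_PROTO' => 'https'],
    // The same header from the trusted proxy is believed.
    'proxied' => ['SERVER_PORT' => '80', 'REMOTE_ADDR' => '10.0.0.5',
                  'HTTP_X_FORWARDED_PROTO' => 'https'],
];

foreach ($samples as $name => $server) {
    printf("%-8s https=%s  base=%s\n", $name,
        is_https($server) ? 'yes' : 'no',
        base_url($server, 'www.example.com'));
}

echo link_to(base_url($samples['tls'], 'www.example.com'), '/account/log-in.php', 'Log In'), "\n";
```

Once everything is on HTTPS, `base_url()` can simply return the hard-coded `https://` constant, as advised later in the thread; the detection is mainly useful for a development host that has no certificate.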
I have a whole series of mod_rewrites in my .htaccess file like this…


#--------------
#PRETTY:		account/profile/JohnDoe/about-me
#UGLY:			account/profile.php?user=JohnDoe&tab=about-me

#Rewrite only if the request is not pointing to a real file.
RewriteCond %{REQUEST_FILENAME} !-f

#Match valid Usernames, and any Tab Name.  PHP will determine if Tab Name is valid.
RewriteRule account/profile/((.+)/)?(.+)?$ account/profile.php?user=$2&tab=$3 [L]


#--------------
#PRETTY:		account/send-pm/JohnDoe
#UGLY:			account/send-pm.php?user=JohnDoe

#Rewrite only if the request is not pointing to a real file.
RewriteCond %{REQUEST_FILENAME} !-f

#Match valid Usernames.
RewriteRule account/send-pm/(.*)$ account/send-pm.php?user=$1 [L]


#--------------
# SHOW ARTICLE
#PRETTY:	finance/tax-season/saves-your-taxes-for-a-cpa
#UGLY:		articles/article.php?section=finance&subsection=tax-season&article=saves-your-taxes-for-a-cpa

#Rewrite only if the request is not pointing to a real file.
RewriteCond %{REQUEST_FILENAME} !-f

#Match any kind of Section, Subsection and Article.  PHP will decide if it's valid or not.
RewriteRule (.+)/(.+)/(.+)$ articles/article.php?section=$1&subsection=$2&article=$3 [L]


It would seem that I would want to place the code you gave me as the last few lines of my .htaccess.

My thinking being that first I would want the mod_rewrites to take the “Pretty URLs” and turn them into something Apache can use, and then as a last step, rewrite the “Ugly URL” with an https: at the beginning.

For example, this Pretty URL…


http://www.Debbie.com/finance/tax-season/saves-your-taxes-for-a-cpa

…would first get changed to…


http://www.Debbie.com/articles/article.php?section=finance&subsection=tax-season&article=saves-your-taxes-for-a-cpa

And then finally your code would kick in and change things to…


https://www.Debbie.com/articles/article.php?section=finance&subsection=tax-season&article=saves-your-taxes-for-a-cpa

How does that sound?

the R=301 is a flag that tells apache what sort of rewrite/redirect it is. In this case, it’s a 301 redirect.

Isn’t it bad to have a whole bunch of redirects?

For instance, let’s say I forgot to update my PHP code and the BASE_URL constant from http://local.debbie to https://local.debbie.

Would I get penalized by Google for every web page on my website being redirected?! :-/

It will only work where there is an SSL certificate in place. So, in your development environment, you will have to comment it out.

Is there a way to have a “Test SSL Certificate” locally on my test MacBook?

Technically yes, but like I said above, each time you visit an HTTP URL it will be a 301 redirect. So, it might mess up a few things here and there.

That would be the preferred approach.

Or, you can detect HTTPS using PHP:


<?php
// Apache sets HTTPS to "on" for TLS requests; other setups leave it unset or set it to "off".
// A non-empty "off" is truthy in PHP, so the test must be && and compare against 'off'.
$protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https://' : 'http://';

$url = $protocol . $_SERVER['HTTP_HOST'];

// HTTP_HOST comes from the request, so escape it before putting it into HTML.
echo '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">clickme</a>';

Am I going to have to go through all of my code base and make sure that I have the constant BASE_URL prepended to every URL?? :-/

For example, I am thinking I can no longer have code like this…


		<?php echo "<p id='breadcrumb'><a href='/'>Home</a> > <a href='/$sectionSlug/'>$sectionName</a> > <a href='/$sectionSlug/$subsectionSlug/'>$subsectionName</a> > $heading</p>"; ?>

Yes or no?

(If not, that would suck, because it is so much easier and prettier to just use the HTML root like /$sectionSlug/$subsectionSlug/)

Also, from a security standpoint, do I have to add new code at the top of every script, and “sanitize” my URL’s to make sure they load as…


https://

If I am going to make every page encrypted, I want to be sure I implement things 110% correctly, so there are NO security holes!!!

Sincerely,

Debbie

It should go first.

Isn’t it bad to have a whole bunch of redirects?

Nope. Redirects redirect. They’re doing what they’re supposed to be doing.

For instance, let’s say I forgot to update my PHP code and the BASE_URL constant from http://local.debbie to https://local.debbie.

Would I get penalized by Google for every web page on my website being redirected?! :-/

No, but the browser might throw a security warning for not having all the content on a page either http or https (if you hard-coded your stylesheets, images, and javascript files, they will have to be changed to https or accessed using relative paths).

Is there a way to have a “Test SSL Certificate” locally on my test MacBook?

You can’t use the certificate generated by your host. It’s tied to the IP address and/or domain name. You can create your own SSL certificate. It won’t be backed by a certificate authority, so browsers will throw a warning unless you explicitly add it to the allow list.

One technique (though I haven’t tried it myself) for creating your own SSL cert: http://www.opencodez.com/apache/ssl-certificate-and-install-in-xampp.htm

Am I going to have to go through all of my code base and make sure that I have the constant BASE_URL prepended to every URL?? :-/

If you hard-coded an http into your URLs, you will have to replace that http with https. If you’re using relative URLs, then you won’t need to alter those.

Also, from a security standpoint, do I have to add new code at the top of every script, and “sanitize” my URL’s to make sure they load as…


https://

No, just the redirects.
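To make the ordering concrete, here is an added example of a complete `.htaccess` laid out the way the replies above recommend: the HTTPS redirect first, the pretty-URL rewrites after it. It is not the thread's own file. It also answers the development question without commenting anything out: the redirect skips the `local.debbie` host (the placeholder used earlier in the thread), so the same file works on a MacBook with no certificate. The rewrite patterns are tightened versions of Debbie's rules and are assumptions about her URL scheme, not a copy of her file.

```apache
# Added example, not the thread's own .htaccess. Hostnames are the thread's
# placeholders (local.debbie for development); adjust them to your own.

RewriteEngine On

# 1. Force HTTPS on every host except the local development one, which has
#    no certificate. Placed first so a plain-HTTP request is bounced to
#    https:// once and the rewrites below only ever see the secure request.
#    %{REQUEST_URI} is the path the browser asked for, so the redirect target
#    is the pretty URL, never the internal article.php?... form.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} !^local\.debbie$ [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# 2. Pretty URLs -> real scripts. These are internal rewrites (no R flag),
#    so the browser never sees the "ugly" URL and no extra round trip occurs.

# account/profile/JohnDoe/about-me -> account/profile.php?user=JohnDoe&tab=about-me
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^account/profile/([^/]+)/?([^/]*)$ account/profile.php?user=$1&tab=$2 [L]

# account/send-pm/JohnDoe -> account/send-pm.php?user=JohnDoe
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^account/send-pm/([^/]+)/?$ account/send-pm.php?user=$1 [L]

# finance/tax-season/some-article -> articles/article.php?section=...&subsection=...&article=...
# Kept last because its pattern is the most general.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^/]+)/([^/]+)/([^/]+)/?$ articles/article.php?section=$1&subsection=$2&article=$3 [L]
```

Because `%{REQUEST_URI}` always holds the original request path, the redirect would send visitors to the pretty URL even if it were placed after the rewrites; putting it first simply avoids running the rewrite rules twice (once for the HTTP request, once for the HTTPS one).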

So if I take your advice and update my BASE_URL constant to be this…


https://www.Debbie.com

…and I incorporate the mod_rewrite code you gave me…


RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Then is it correct that this should help make all of my pages https AND that I won’t have to worry about someone hacking the URL and causing issues or errors?

Or is there any additional “sanitizing” or whatever that I need to do? (Trying to make my code “rock solid” here!!) :cool:

Sincerely,

Debbie

Yup.

Or is there any additional “sanitizing” or whatever that I need to do? (Trying to make my code “rock solid” here!!) :cool:

Nope. It isn’t really a complicated thing to implement.

I went through the entire discussion between you and Force Flow.

@DoubleDee it seems you are getting confused by the technical implementation and process for securing a whole website with SSL.

We have worked closely with many customers on securing whole websites. There is no additional requirement as far as the server or IP is concerned. You just need to make sure that the HTTPS pages do not contain an HTTP URL anywhere in the code. As far as server resources or anything else are concerned, nothing additional is required.

If you have multiple sub-domains on your website, you may need a wildcard SSL certificate, as your existing SSL certificate (if not wildcard) will not secure sub-domains.
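The point made in the last two replies, that an HTTPS page must not reference `http://` URLs, is easy to check mechanically. The following is an added example, not code from anyone in the thread: it scans a page's HTML for `http://` values in the attributes browsers load resources from (the ones that produce mixed-content warnings) and in links (which are not blocked, but each costs the 301 redirect discussed above). For hosts you own it converts the URL to a root-relative path, which is the "relative URLs" fix Force Flow describes. The sample HTML and hostnames are constructed for the example.

```php
<?php
// Added example, not the thread's own code: find http:// references in a page
// and rewrite the ones on our own hosts to root-relative paths.

function find_insecure_references(string $html): array
{
    $found = [];
    // Attributes that hold a URL. A regex is enough for a check like this;
    // a full HTML parser is not needed to spot a scheme prefix.
    $pattern = '/\b(src|href|action|poster)\s*=\s*(["\'])(.*?)\2/i';
    if (preg_match_all($pattern, $html, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $m) {
            $value = trim($m[3]);
            if (stripos($value, 'http://') === 0) {
                $found[] = [strtolower($m[1]), $value];
            }
        }
    }
    return $found;
}

function to_root_relative(string $url, array $ownHosts): string
{
    // http://www.example.com/path?q -> /path?q when the host is ours.
    // Third-party assets are left alone: they need an https:// URL from
    // their provider, not a relative path on our server.
    $parts = parse_url($url);
    if (($parts['scheme'] ?? '') === 'http'
        && in_array(strtolower($parts['host'] ?? ''), $ownHosts, true)) {
        $path = $parts['path'] ?? '/';
        if (isset($parts['query'])) {
            $path .= '?' . $parts['query'];
        }
        return $path;
    }
    return $url;   // unchanged: needs a human decision
}

// Constructed sample page; hosts are placeholders, not the thread's real site.
$html = <<<'HTML'
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<script src="/js/app.js"></script>
<img src="http://cdn.third-party.example/logo.png" alt="">
<a href="http://www.example.com/account/log-in.php?next=%2Faccount%2F">Log In</a>
<form action="/account/results.php" method="post"></form>
HTML;

$ownHosts = ['www.example.com', 'example.com'];

foreach (find_insecure_references($html) as [$attr, $url]) {
    $fixed = to_root_relative($url, $ownHosts);
    $note  = ($fixed === $url) ? 'third-party, needs an https:// URL' : 'rewritten';
    echo "$attr: $url -> $fixed ($note)\n";
}
```

Running this over each template (or over the rendered output of a test crawl) before flipping the redirect on is the quickest way to find the hard-coded stylesheet, image and script URLs that Force Flow warns would trigger the browser's mixed-content warning.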