HTTP vs. HTTPS

Marked this one as one of my favorite questions:


What are benefits of using HTTPS over HTTP?
HTTPS means that you tunnel the HTTP protocol over TLS/SSL which encrypts the HTTP payload. So the benefit is that HTTP requests and responses are transmitted securely over the wire, e.g. your Internet Service Provider does not know what you’re doing.

How to use HTTPS?
Enable it at your endpoint, in general a web server in front of your application server. Most web servers (e.g. IIS, Apache) support this by configuration. Depending on your confidentiality requirements this may not be enough.

Can we use HTTPS only for login purposes and HTTP from then onwards?
Technically this is possible, but it introduces some security risks. Example: After a secured login you transmit session IDs identifying the user. If you transmit those session IDs insecurely (no SSL), session hijacking becomes a risk ('man-in-the-middle').

Is the processing time required for HTTPS greater than for HTTP?
Yes, key negotiation (handshaking) requires a lot of CPU capacity.
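
The session ID risk described above for "HTTPS for login, HTTP afterwards" can be checked in recorded traffic. The following is an added example, not part of the original post: it flags session cookies issued without the `Secure` attribute and session cookies sent over plain HTTP. The host `shop.example`, the cookie names and the function `audit_flow` are hypothetical, and the sample traffic is constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample traffic: (direction, URL, header value). Not a real capture.
# "response" rows carry a Set-Cookie value, "request" rows carry a Cookie value.
SAMPLE_FLOW = [
    ("response", "https://shop.example/login", "SESSIONID=4f9a1c; Path=/; HttpOnly"),
    ("request", "http://shop.example/cart", "SESSIONID=4f9a1c; theme=dark"),
    ("response", "https://shop.example/login", "SID2=77be02; Path=/; Secure; HttpOnly"),
    ("request", "https://shop.example/cart", "SID2=77be02"),
]


def audit_flow(flow, session_names=("SESSIONID", "SID2")):
    """Return findings for session cookies that can or do travel over plain HTTP.

    session_names is an assumption: the cookie names the application uses
    to identify a logged-in user.
    """
    findings = []
    for direction, url, header in flow:
        scheme = urlsplit(url).scheme
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name not in session_names:
                continue  # non-session cookies (e.g. theme) are out of scope
            # Without Secure, the browser will attach the cookie to http:// requests.
            if direction == "response" and not morsel["secure"]:
                findings.append(("missing-secure-flag", name, url))
            # The session ID is readable by anyone on the network path.
            if direction == "request" and scheme == "http":
                findings.append(("session-id-in-cleartext", name, url))
    return findings


if __name__ == "__main__":
    for finding in audit_flow(SAMPLE_FLOW):
        print(finding)
```

The first login response omits `Secure`, so the same session ID later appears in a cleartext request; the second cookie carries `Secure` and produces no finding.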