Using SSL Across Entire Site


Problem description

Instead of just having a few select pages for HTTPS access, I was thinking about just using SSL for my entire site.

What would be the drawbacks of this?

Edit (August 7, 2014)

Google now factors in HTTPS for rankings, so you absolutely should use SSL across your entire site:

http://googleonlinesecurity.blogspot.com/2014/08/https-as-ranking-signal_6.html

Recommended answer

It is highly recommended these days to run the entire site on TLS (https that is) if possible.

The overhead concern is a thing of the past; it is no longer an issue with the newer TLS protocols, because it is now maintaining sessions, and even caching them for reuse if the client drops the connection. In the old days this was not the case. Which means that today, the only time you have to do public-key crypto (the type that is CPU heavy) is when establishing the connection. So there aren't really any drawbacks when you have a cert anyway. This means that you won't have to send people back and forth between http and https, and the customers will always see the lock sign in their browser.

Extra attention has been drawn to this subject after the release of Firesheep. As you might've heard, Firesheep is a Firefox addon that lets you easily (if you are both using the same open wifi network) hijack other people's sessions on sites like Facebook, Twitter etc. This works because those sites only use TLS selectively, and this would not be a problem for them if TLS was enabled site-wide.

So, in conclusion, the cons (such as added CPU use) are negligible with the state of current technology, and the pros are clear, so serve all content via SSL/TLS! It's the way to go these days.

Edit: As mentioned in other answers, another problem with serving some of a site's content (like images) without SSL/TLS is that customers/users will get a very annoying "unsecure content on secure page" message.

Also, as stated by thirtydot, you should redirect people to the https site. And you can even enable the flag that makes your server deny non-ssl connections.

Another edit: As pointed out in a comment below, remember that SSL/TLS isn't the only solution to all your site's security needs; there are still a lot of other considerations, but it does solve a few security issues for the users, and solves them well (even though there are ways to do a man-in-the-middle, even with SSL/TLS).
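
An added example, not part of the original answer: a small offline audit for three points the answer raises about site-wide TLS (mixed content on a secure page, session cookies that would still travel over plain http as in the Firesheep case, and the http-to-https redirect). The function names are hypothetical, and the sample page, cookie headers and `example.test` host names are constructed.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie

SRC_TAGS = {"img", "script", "iframe", "audio", "video", "source", "embed"}

class MixedContentFinder(HTMLParser):
    """Collects subresources that a page would fetch over plain http."""
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            url = a.get("href")
        elif tag in SRC_TAGS:
            url = a.get("src")
        else:
            url = None  # ordinary <a href> links are navigation, not mixed content
        if url and url.strip().lower().startswith("http://"):
            self.insecure.append((tag, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.insecure

def cookies_missing_secure(set_cookie_headers):
    """Names of cookies the browser would also send over plain http."""
    missing = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        missing += [name for name, morsel in jar.items() if not morsel["secure"]]
    return missing

def redirects_to_https(status, location):
    """True when a plain-http response sends the client to an https URL."""
    return status in (301, 302, 307, 308) and location.lower().startswith("https://")

# Constructed sample input: one page and the Set-Cookie headers of one response.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
</head><body>
<img src="http://static.example.test/logo.png">
<script src="https://static.example.test/app.js"></script>
<a href="http://example.test/about">About</a>
</body></html>"""
SAMPLE_SET_COOKIE = ["sessionid=abc123; Path=/; HttpOnly", "prefs=dark; Path=/; Secure"]
```

On the sample input the stylesheet and the image are reported as mixed content, and `sessionid` is reported as a cookie that lacks the `Secure` attribute.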
