If HTTPS is secure, why isn’t every website using it?

Posted by Tirsina Radu

With technology now so much a part of daily life, the average person maintains passwords for multiple accounts, including e-mail, instant messaging and banking.

Clearly, passwords serve a crucial role, as they facilitate access to one’s personal information and relationships.

For that reason, nobody wants to have their password easily available or otherwise accessible to everyone who cares to see.

Yet that is precisely what Internet users are doing every day when they log in with their user name and password on websites that run on standard HTTP.

HTTPS provides a much more secure connection - the extra S stands for “secure,” which is why HTTPS is sometimes simply referred to as "secure HTTP."

With an HTTPS connection, it becomes a lot more difficult for someone to eavesdrop on traffic and track data moving from the client to the web server.

However, the fact that HTTPS has been in existence for years raises the obvious question: why isn’t every single site on the web using it?

Well, it could have something to do with the traditional use of HTTPS.

At the outset, websites employing HTTPS were primarily banks and companies which required full e-commerce functionality.

In fact, even today, numerous sites do not use HTTPS across the entire site and restrict it to transaction and shopping cart pages.
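A site that mixes HTTP and HTTPS in this way can be audited for login forms whose credentials would travel unencrypted. The following is an added example, not code from the original post: it resolves each form's target against the page URL and reports whether a form containing a password field submits over HTTPS. The host shop.example, the paths and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: a search form and two login forms.
SAMPLE_HTML = """
<form action="/search"><input type="text" name="q"></form>
<form action="/session" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form action="https://shop.example/checkout/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
"""

class LoginFormAuditor(HTMLParser):
    """Collect every <form> that contains a password field, with its resolved target."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []          # one dict per form with a password input
        self._action = None         # resolved target of the form being parsed
        self._has_password = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or relative action inherits the scheme of the page itself.
            self._action = urljoin(self.page_url, attrs.get("action") or "")
            self._has_password = False
        elif tag == "input" and self._action is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_password:
                scheme = urlsplit(self._action).scheme
                self.findings.append({"action": self._action,
                                      "encrypted": scheme == "https"})
            self._action = None

def audit_login_forms(page_url, html):
    """Return the login forms found in html, as served from page_url."""
    auditor = LoginFormAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

if __name__ == "__main__":
    for finding in audit_login_forms("http://shop.example/login", SAMPLE_HTML):
        print(finding)
```

Served from an http:// page, the relative /session form is reported as unencrypted, while the form that names an https:// target explicitly is not.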

The furor over FireSheep - which was capable of reading login credentials transmitted across less-than-secure networks - therefore turned out to be a blessing in disguise for HTTPS and web security in general.

With so many people regularly or occasionally accessing the web using public WiFi networks, many large websites were jolted into action and began providing HTTPS connection options.

Sites that contain what is - for all practical purposes - public information have not been left behind either. Twitter, for example, now offers a "permanent" HTTPS alternative.

Yet HTTPS has not entirely (or even substantially) replaced HTTP online, for a number of reasons.

One is the cost of security certificates - this is especially significant for smaller sites with a tight budget.

Another reason is the inability of HTTPS sites to cache, which increases response time - especially when there are many hops from the web server to the client.

A third reason is the slower speeds due to the encryption and key exchange that take place when an HTTPS connection is established.