1

Some sites like Stack Exchange have an HTTPS version available. But when I type their address or go to them via Google, I get an unencrypted version.

This seems to render the HTTPS version totally useless, as most users (maybe not on SE) will use the unsecure version without even noticing.

I don't know of any modern desktop or mobile browser that doesn't support HTTPS. So why are these websites even keeping an HTTPS version, and using it by default?

Hey
  • See https://nickcraver.com/blog/2013/04/23/stackoverflow-com-the-road-to-ssl/ for an explanation of why Stack Exchange specifically isn't using SSL yet. – Jonas Czech Jun 04 '16 at 10:28
  • While Stack Exchange and some other sites have (kinda) valid excuses, mostly it's laziness and/or incompetence. "Our old infrastructure doesn't handle TLS and why should we waste money on upgrading if everything works just fine without it?" – André Borie Jun 04 '16 at 13:35
  • Interestingly, StackExchange works perfectly fine on HTTPS, if you bother to add the "s" in the address bar. – Hey Jun 04 '16 at 14:34
  • @YdobEmos If you discount the meta sites under the stackexchange.com domain. (meta.*.stackexchange.com cannot easily be expressed by an SSL certificate. Maybe one of these days we'll see them renamed to *.meta.stackexchange.com instead.) – user Jun 04 '16 at 17:02
  • Poss dupe https://security.stackexchange.com/questions/4369/why-is-https-not-the-default-protocol and https://security.stackexchange.com/questions/54038/why-should-one-not-use-ssl – dave_thompson_085 Jun 05 '16 at 03:51
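
One comment above notes that `meta.*.stackexchange.com` cannot easily be expressed by an SSL certificate. The following Python sketch is an added example, not part of the original thread: it applies the strict wildcard rule used for certificate names (a `*` must be the entire left-most label and stands for exactly one label). The function names and the SAN list are constructed for illustration.

```python
def is_acceptable_pattern(pattern):
    """Accept a certificate name only if any '*' is the whole left-most label."""
    labels = pattern.lower().rstrip(".").split(".")
    if any("*" in label for label in labels[1:]):
        return False                  # e.g. meta.*.stackexchange.com
    if "*" in labels[0] and labels[0] != "*":
        return False                  # partial-label wildcards are rejected in this strict form
    return all(labels)                # no empty labels


def name_matches(pattern, hostname):
    """True if hostname is covered by pattern; '*' stands for exactly one label."""
    if not is_acceptable_pattern(pattern):
        return False
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False                  # a wildcard never spans two labels or zero labels
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def covered(hostname, san_list):
    """True if any name in the certificate's SAN list covers hostname."""
    return any(name_matches(p, hostname) for p in san_list)


# Constructed SAN list for illustration, not taken from a real certificate.
SANS = ["stackexchange.com", "*.stackexchange.com", "meta.stackexchange.com"]

# Constructed sample hostnames following the naming scheme discussed in the comment.
HOSTS = [
    "security.stackexchange.com",
    "meta.stackexchange.com",
    "meta.security.stackexchange.com",
]


def report(hosts, sans):
    """Map each hostname to whether the SAN list covers it."""
    return {h: covered(h, sans) for h in hosts}


if __name__ == "__main__":
    for host, ok in report(HOSTS, SANS).items():
        print(f"{host:35} {'covered' if ok else 'NOT covered'}")
```

Under the renamed scheme suggested in the comment, a single `*.meta.stackexchange.com` entry would cover every per-site meta host.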

2 Answers

3

It is simply open to accepting secured and unsecured connections.

Since HTTPS increases the processing and bandwidth requirements, forcing it in situations that really don't justify it only costs more to everyone.

Forcing it would also require a redirect, which would make the user experience an even longer load time because of that.

Julie Pelletier
-1

These are simple issues.

First, the Google search bot: the Google engine will search HTTP first if HTTP and HTTPS exist at the same time. Google would store the same contents, so the HTTP data will be stored. That means less computing and network bandwidth is consumed. They search and cache a tremendous number of sites and data, so 1% more cost means a huge amount of cost.

Second, the Stack Exchange service provider's view: most Stack Exchange content is viewable by the public. Most writers act on these sites, but the aim is not exclusive viewing. They want to share information with the public; people read this site's content without logging in. I think this kind of service will stay on HTTP and HTTPS at the same time. SSL is needed only at login time, when the user account and password are entered.

More considerations: if your website is for advertisement and needs no personal secure access, then why use SSL (HTTPS)? They want to publish their sites to a wider public and spread their information anonymously, and in that case they think of making their websites easier to access and making what they want to release easier to read.

But most websites have another authentication mechanism: at log-in, they switch in the background to support HTTPS and make secure sessions.

I think that depends on the website's contents.

Another point of view:

When using SSL, the website needs to spend more, because it needs more server capability and more server resources. It costs more per connection. So they make websites not use SSL.

With 1~x concurrent connections through SSL, the cost is negligible, but with over xK concurrent connections there are more server costs. Then most IDCs or service providers adopt SSL offload or those kinds of expensive devices.

  • SSL had a real performance impact maybe a decade ago. Look at [Why You Shouldn't be Afraid of SSL Performance](http://scn.sap.com/community/netweaver/blog/2013/06/23/whos-afraid-of-ssl); in their case, the median response time went from 17 to 22 ms (66 ms for the first connection setup), with a 95th percentile of 20, 36 and 82 ms, respectively. Server CPU utilization remained low. [The SSL Performance Myth](https://www.maxcdn.com/blog/ssl-performance-myth/) says for Google, HTTPS impact is 2% on network overhead and <1% on CPU. I couldn't quickly find the original Google study. – user Jun 04 '16 at 16:59
  • For comparison, it's hard to get a median *network transmission* response time that is consistent to within 3 ms for 95% of users, so you are almost certainly already seeing more variation than would be added by the overhead introduced by SSL. – user Jun 04 '16 at 17:01
  • I understand what you're saying, but most sites and site compositors don't have SSL set up; I think that's a real thing. – cpplover - Slw Essencial Jun 04 '16 at 17:28
  • And the SSL certificate alone is not so expensive if they find a cheaper one, but site makers charge other costs. – cpplover - Slw Essencial Jun 04 '16 at 17:30
  • Please don't take this the wrong way, but those things are **irrelevant** to the question as asked. The question is about sites accessible over both HTTP and HTTPS, but defaulting to HTTP rather than HTTPS. For that situation to occur, you need to have everything that SSL needs already set up and working; it's simply a matter of which one of the two you set the servers up to prefer. – user Jun 05 '16 at 11:18
  • Don't drag Google into this. Google [prefers HTTPS](https://webmasters.googleblog.com/2015/12/indexing-https-pages-by-default.html). – Kevin Jun 05 '16 at 20:26