HTTPS for Login but HTTP for other pages

[bandgeekmafia78]

Hi.

I'm currently using SharePoint for our School VLE. Internally, it works great. However, the VLE is terribly slow when its being used externally. Our whole VLE is currently HTTPS when you authenticate externally. I am interested in just making our login page HTTPS and the rest of it HTTP.

Having done a bit of research it seems that HTTP is a less secure method. However, I'm interested to know if anyone else is currently doing this with their school's VLE and if so, have you encountered any security issues?

Thanks.

[FN-GM]

I am pretty sure there is a "rule" saying VLE's in the UK need to be all HTTPS. But that might be back in the days if BECTA.

Ours is Moodle all HTTPS and we dont have any performance hit.

[bandgeekmafia78]

I think its probably the amount of data we have on our SharePoint to be honest. Not much I can do about that apart from telling the staff to stop working

[GrumbleDook]

A VLE should have all traffic over HTTPS as you never know where data will sit which needs some protection.

[FN-GM]

I think its probably the amount of data we have on our SharePoint to be honest. Not much I can do about that apart from telling the staff to stop working

Can you not up the specs of the server or somethings?

[twin--turbo]

how is it slow,

large amounts of data will not slow it down unless large amounts of data are bing pulled your more likly to hit bandwidth problems rather than encription problmes.

Rob

[Arthur]

However, the VLE is terribly slow when its being used externally.

Unless the VLE is running on a decade old server, you can rule out HTTPS as the cause of the slowness.

HTTPS isn't (that) expensive any more
Yes, in the hoary old days of the 1999 web, HTTPS was quite computationally expensive. But thanks to 13 years of Moore's Law, that's no longer the case. It's still more work to set up, yes, but consider the real world case of GMail:

In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that. (Source)

I am interested in just making our login page HTTPS and the rest of it HTTP.

As others have said above, this is a bad idea.