views:

60

answers:

3

My user account and login pages are SSL, but the rest of my site is not. What benefit is there to switching between the two as I am doing vs making the whole site SSL?

+2  A: 

There is an overhead to using SSL, although in reality it may not cause a concern - as pointed out in this SO question.

You can minimise what overhead there is by only using SSL for those transactions where it adds value - i.e. where you want to ensure the confidentiality and integrity of the data in transit. In many cases this is only the case for username and password details, however there may be other transactions where you also want these features.

Brabster
Another thing to consider is that when using SSL the pages are not cached, so you lose the power of caching local HTML, etc.
meme
Hadn't thought of that, good point!
Brabster
A: 

Use SSL on pages where you ask the user to submit his credit card number, for example. Don't overuse it without enough reasons.

Roman
Why? As Brabster writes, the overhead may not be significant in most cases. Whenever logging in provides access to user related data (and may it only be things like a list of previous purchases), encryption should be used unless there are strong reasons against it.
FRotthowe
But what constitutes overuse? Does it really use up that many CPU cycles? Isn’t it nice having all communications between a website and its users encrypted? Don’t we have enough computing power available now to just do this as standard?
Paul D. Waite
If you don't require confidentiality and integrity then it could be called overuse. If it's easier for you the developer to encrypt all traffic then that's a factor to take into account, but saying that it's better to encrypt all traffic in all cases just because we can doesn't seem right. So I log into my Wikipedia account. Sure, you might feel it valid to encrypt my edit transactions, but why the view actions that anyone can else do?
Brabster
+1  A: 

In general, once logged on, a session-id is passed between client and server. If this cookie is sent in clear text (as with non-SSL requests/responses), it can be sniffed and used to enter the user's account without having to log on (session hijacking attack). This is why Google recently enabled 'always on https' for Gmail.

futtta
I've always wondered why some sites only require SSL for signing in, since not using SSL for other pages exposes your session key with the site. I guess those sites don't require high security.
allyourcode
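The session-cookie exposure described in this answer, as an added example that is not part of the original thread: a small audit of `Set-Cookie` headers that flags a session cookie a browser would also attach to plain `http://` requests, plus the fix (the `Secure` attribute). The cookie names, header values and the `sent_over_plain_http`/`audit_set_cookie`/`harden` helpers are assumptions constructed for this example.

```python
from http.cookies import SimpleCookie

# Cookie names commonly used for session ids (assumption for this audit).
SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid"}

# Constructed sample Set-Cookie headers, as a site that only uses SSL for
# the login page might emit them (not captured from any real site).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",           # set over SSL, but no Secure flag
    "theme=dark; Path=/",                           # harmless preference cookie
    "phpsessid=def456; Path=/; Secure; HttpOnly",   # hardened session cookie
]


def sent_over_plain_http(set_cookie_header, cookie_name):
    """True if a browser that accepted this header would also attach the
    cookie to an http:// request for the same host, i.e. the sniffable case."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    # Per RFC 6265 only the Secure attribute limits a cookie to https://;
    # HttpOnly and Path do not stop it travelling in the clear.
    return not jar[cookie_name]["secure"]


def audit_set_cookie(headers):
    """Return (cookie name, finding) pairs for weak session cookies."""
    findings = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name.lower() not in SESSION_NAMES:
                continue
            if not morsel["secure"]:
                findings.append((name, "missing Secure: sent on non-SSL pages, sniffable"))
            if not morsel["httponly"]:
                findings.append((name, "missing HttpOnly: readable by injected script"))
    return findings


def harden(set_cookie_header):
    """Rewrite a Set-Cookie header so the cookie only travels over SSL."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    for morsel in jar.values():
        morsel["secure"] = True
        morsel["httponly"] = True
    return "; ".join(m.OutputString() for m in jar.values())


if __name__ == "__main__":
    for name, finding in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{name}: {finding}")
```

Marking the cookie `Secure` only stops the browser sending it on non-SSL pages; those pages then lose the session, which is why the practical fix is to serve the whole logged-in area over SSL.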