
My user account and login pages are SSL, but the rest of my site is not. What benefit is there to switching between the two as I am doing vs making the whole site SSL?

zsharp
    I’ve often wondered if the SSL overhead really outweighs the benefits. I’ve always thought that, for almost all internet traffic, why *wouldn’t* you (you being you the user, as opposed to e.g. a government agency who’d like to be able to read sloppy terrorists’ messages as well as ours) want it encrypted end-to-end? Wouldn’t it be better if everything was encrypted? Shouldn’t we expect it? – Paul D. Waite Mar 01 '10 at 21:41

3 Answers

There is an overhead to using SSL, although in reality it may not cause a concern - as pointed out in this SO question.

You can minimise what overhead there is by only using SSL for those transactions where it adds value - i.e. where you want to ensure the confidentiality and integrity of the data in transit. In many cases this is only the case for username and password details, however there may be other transactions where you also want these features.

brabster
    Another thing to consider is that when using SSL the pages are not cached, so you lose the power of caching local HTML, etc. – meme Mar 01 '10 at 21:54

In general, once logged on, a session ID is passed between client and server. If this cookie is sent in clear text (as with non-SSL requests/responses), it can be sniffed and used to enter the user's account without having to log on (session hijacking attack). This is why Google recently enabled 'always on HTTPS' for Gmail.

futtta
  • I've always wondered why some sites only require ssl for signing in, since not using ssl for other pages exposes your session key with the site. I guess those sites don't require high security. – allyourcode Mar 02 '10 at 07:13
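The exposure this answer describes can be checked on the server's own Set-Cookie headers: a session cookie issued without the Secure attribute is attached by the browser to every plain-HTTP request, so the non-SSL pages hand it to anyone on the path. The following is an added example, not code from the thread; the list of session-cookie names and the sample headers are constructed assumptions.

```python
# Constructed list of common session-cookie names (assumption; extend for your app).
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid", "asp.net_sessionid", "sid"}

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs

def is_session_cookie(name):
    return name.lower() in SESSION_COOKIE_NAMES

def leaks_over_http(header):
    """True if this Set-Cookie line issues a session cookie that the browser will
    also send on plain-HTTP requests, i.e. one without the Secure attribute."""
    name, _, attrs = parse_set_cookie(header)
    return is_session_cookie(name) and attrs.get("secure") is not True

def harden_set_cookie(header):
    """Append Secure (and HttpOnly, against script access) where missing."""
    _, _, attrs = parse_set_cookie(header)
    hardened = header.rstrip("; ")
    if attrs.get("secure") is not True:
        hardened += "; Secure"
    if attrs.get("httponly") is not True:
        hardened += "; HttpOnly"
    return hardened

def audit_response_headers(set_cookie_lines):
    """Return the names of session cookies that would be exposed on non-SSL pages."""
    return [parse_set_cookie(h)[0] for h in set_cookie_lines if leaks_over_http(h)]

# Constructed sample Set-Cookie lines, as a mixed HTTP/HTTPS site might send them.
SAMPLE_HEADERS = [
    "sessionid=3f9a1c; Path=/; HttpOnly",            # exposed: no Secure attribute
    "JSESSIONID=7B2E; Path=/app; Secure; HttpOnly",  # fine: only sent over SSL
    "lang=en; Path=/; Max-Age=31536000",             # not a session cookie
]

if __name__ == "__main__":
    for name in audit_response_headers(SAMPLE_HEADERS):
        print(f"session cookie {name!r} is sent over plain HTTP; add the Secure attribute")
    print(harden_set_cookie(SAMPLE_HEADERS[0]))
```

Note that marking the cookie Secure means the non-SSL pages no longer see the session at all, which is the trade-off the question is really about.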

Use SSL on pages where you ask the user to submit his credit card number, for example. Don't overuse it without enough reason.

Roman
  • Why? As Brabster writes, the overhead may not be significant in most cases. Whenever logging in provides access to user-related data (even if it is only things like a list of previous purchases), encryption should be used unless there are strong reasons against it. – FRotthowe Mar 01 '10 at 21:43
    But what constitutes overuse? Does it really use up that many CPU cycles? Isn’t it nice having all communications between a website and its users encrypted? Don’t we have enough computing power available now to just do this as standard? – Paul D. Waite Mar 01 '10 at 21:44
  • If you don't require confidentiality and integrity then it could be called overuse. If it's easier for you the developer to encrypt all traffic then that's a factor to take into account, but saying that it's better to encrypt all traffic in all cases just because we can doesn't seem right. So I log into my Wikipedia account. Sure, you might feel it valid to encrypt my edit transactions, but why the view actions that anyone else can do? – brabster Mar 01 '10 at 22:37