We are in the process of moving our web architecture to a new environment. Included are dozens of different sites ranging from almost completely static to dynamic sites requiring authentication and containing sensitive content. Our web server admins have (without any input from the development team) decided to make it a standard in the new environment to force SSL for everything. I do not agree with this decision and would like to have as much knowledge as possible when I sit down to discuss it. Here's what I have so far:
I do not have an issue with forcing SSL when users are authenticating or they are requesting sensitive data. However, I think forcing SSL by default on all sites is a bit much.
Your website needs any SSL certificate If you're asking for any personal information. But that's not all there is to it. Search engines are cracking down on perceived 'non-secure' websites. Any websites without the SSL certificate will remain http while those with encryption will show https in users' browsers.
Many people believe that a SSL Certificate means a website is safe to use. Just because a website has a certificate, or starts with HTTPS, does not guarantee that it is 100% secure and free from malicious code. It just means that the website is probably safe. In the vast majority of cases the sites will be.
While less of a concern for smaller sites with little traffic, HTTPS can add up should your site suddenly become popular. Perhaps the main reason most of us are not using HTTPS to serve our websites is simply that it doesn't work with virtual hosts.
Yes. While the primary purpose of SSL is securing information between the visitor and your website, there are benefits for SEO as well. According to Google Webmaster Trends Analysts, SSL is part of Google's search ranking algorithm.
In reply to Thomas's answer:
For each site, an SSL certificate has a direct cost. We have a dev, qa, and prod environment and thus that is three certificates that are needed for each site
Hardly true. You don't need to have every single dev and qa behind SSL with valid, current certificates. You -- perhaps -- want one staging site with a valid certificate. But beyond the Apache front-end, your back-end should not know that there's SSL involved. You're not testing anything unique or special by purchasing dev certificates.
Also, the cost is nominal. You're spending more money on the conversation than the certificates actually cost.
For the majority of pages, the content is not secure and forcing SSL would make the page requests take longer on the server because of encrypting and decrypting
A little. Have you measured? You may find that it's hard to measure because the variability of internet speeds trump the cost of SSL processing.
From what I understand, most browsers to do not cache pages that are SSL'ed and thus again, page requests will take longer
Again, have you measured this?
Older browsers have problems with file downloads when they are SSL'ed
Really? Which specific "older browser" are you planning to support that has this problem? If you can't find one and are thinking that someone, somewhere might have this problem, you may be overengineering. Check your logs and see what browsers your customers actually use, and then determine if you have a problem.
I agree that "SSL everywhere" isn't a very good approach. I think you need at least one non-SSL port-80 "welcome" page. But I'm not sure your current set of issues are solid reasons. I think you need considerably more measurements to make the case that SSL actually involves real cost or real performance hits.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With