 

SSL on entire site or just part of it?

Tags: security, ssl

I have a site... let's call it mysite.com. On this site, there's the sign up section which I think should be the secure part of this site.

a) Should I enable SSL on the entire site, or just the sign up part (e.g. signup.mysite.com)?

b) What are the pros and cons of enabling it for the whole site?

coderama asked Jul 31 '09 09:07



2 Answers

It depends on what your site serves. If the data it serves is sensitive, then providing a full SSL encrypted connection is a bonus.

But, as others have mentioned, you will eat your bandwidth. SSL encrypted data, be it images, HTML pages or other information is not (supposed to be) cached on the client, so every time the user restarts the browser the files are downloaded again.

I would agree with Vinay, provide signon/signup over SSL and then fall back to normal HTTP, then see.

The other approach may be to provide all your static content over HTTP while all the sensitive content over HTTPS (e.g. if you use systems like ExtJS then the pages are static files and the data is all retrieved via AJAX).

Of course, if you're serving sensitive information (e.g. banking information) where the data itself is always sensitive then go full SSL and eat the costs.

Jamie Love answered Oct 23 '22 03:10


Using entirely SSL will not necessarily increase your bandwidth bills. Encryption does not make the data bigger. Be sure you enable Deflate compression as well.

Where SSL might increase your bandwidth bill is that some browsers (Firefox) do not cache pages retrieved over SSL to disc. This means the next time a user visits your site after quitting their browser, they will download every single bit of content again.

If you opt to ensure user privacy, make sure that any cookies your site sends out have the 'send over SSL only' flag set otherwise users can be tricked into giving out that cookie in clear with some very simple phishing.

SSL also means paying for a certificate signed by a meaningful CA, which in some cases will cost more than your bandwidth.

IanNorton answered Oct 23 '22 03:10
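The cookie advice in the answer above matters most on a site that mixes HTTPS sign-up with plain HTTP pages. The following is an added example, not code from either answerer: it audits `Set-Cookie` headers for the "send over SSL only" (`Secure`) attribute and models which cookies a browser would attach to an HTTP versus an HTTPS request. The cookie names, function names and URLs are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: Set-Cookie headers a site might emit after an HTTPS sign-in.
SAMPLE_SET_COOKIE = [
    "session=9f2c1a; Path=/; HttpOnly",          # session cookie missing Secure
    "remember=77ab; Path=/; Secure; HttpOnly",   # restricted to HTTPS
    "theme=dark; Path=/",                        # non-sensitive preference
]


def parse_cookies(headers):
    """Parse raw Set-Cookie header values into {name: Morsel}."""
    jar = {}
    for raw in headers:
        parsed = SimpleCookie()
        parsed.load(raw)
        jar.update(parsed)
    return jar


def sent_with_request(jar, url):
    """Names of cookies a browser would attach to a request for `url`.

    Simplified model: only the Secure attribute is evaluated; host and
    path matching are assumed to succeed for every cookie.
    """
    is_https = urlsplit(url).scheme == "https"
    return sorted(name for name, morsel in jar.items()
                  if is_https or not morsel["secure"])


def missing_secure(jar, sensitive_names):
    """Sensitive cookies that would travel in clear text over plain HTTP."""
    return sorted(name for name in sensitive_names
                  if name in jar and not jar[name]["secure"])


if __name__ == "__main__":
    jar = parse_cookies(SAMPLE_SET_COOKIE)
    # A static image fetched over HTTP still carries every non-Secure cookie.
    print("HTTP request sends: ", sent_with_request(jar, "http://mysite.com/img/logo.png"))
    print("HTTPS request sends:", sent_with_request(jar, "https://mysite.com/account"))
    print("Needs Secure flag:  ", missing_secure(jar, {"session", "remember"}))
```

If sign-in happens over HTTPS and the site then falls back to HTTP, a session cookie either lacks `Secure` and is exposed on every HTTP request, or has it and is not sent on the HTTP pages at all.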