Using SSL Across Entire Site

Tags: https, ssl

Instead of just having a few select pages for HTTPS access, I was thinking about just using SSL for my entire site.

What would be the drawbacks to this?

Edit Aug 7, 2014

Google now factors in HTTPS for rankings, so you absolutely should use SSL across your entire site:

http://googleonlinesecurity.blogspot.com/2014/08/https-as-ranking-signal_6.html

Dex asked Dec 23 '10 01:12





1 Answer

It is highly recommended these days to run the entire site on TLS (https that is) if possible.

The overhead concern is a thing of the past; it is no longer an issue with the newer TLS protocols, because they now maintain sessions, and even cache them for reuse if the client drops the connection. In the old days this was not the case. This means that today, the only time you have to do public-key crypto (the type that is CPU heavy) is when establishing the connection. So there aren't really any drawbacks when you have a cert anyway. This means that you won't have to send people back and forth between http and https, and the customers will always see the lock sign in their browser.

Extra attention has been drawn to this subject after the release of Firesheep. As you might've heard, Firesheep is a Firefox addon that lets you easily (if you are both using the same open wifi network) hijack other people's sessions on sites like Facebook, Twitter etc. This works because those sites only use TLS selectively, and this would not be a problem for them if TLS was enabled site-wide.

So, in conclusion, the cons (such as added CPU use) are negligible with the state of current technology, and the pros are clear, so serve all content via SSL/TLS! It's the way to go these days.

Edit: As mentioned in other answers, another problem with serving some of a site's content (like images) without SSL/TLS, is that customers/users will get a very annoying "unsecure content on secure page" message.

Also, as stated by thirtydot, you should redirect people to the https site. And you can even enable the flag that makes your server deny non-ssl connections.

Another edit: As pointed out in a comment below, remember that SSL/TLS isn't the only solution to all your site's security needs; there are still a lot of other considerations, but it does solve a few security issues for the users, and solves them well (even though there are ways to do a man-in-the-middle, even with SSL/TLS).

Andreas Løve Selvik answered Sep 28 '22 05:09

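Two of the problems the answer raises can be checked mechanically once a site is served over TLS: subresources still loaded over plain http:// (the "unsecure content on secure page" warning) and session cookies that a browser would still send over a plain-http connection (the Firesheep-style exposure). The script below is an added example, not part of the original thread or any project's code; it audits a constructed HTML body and constructed Set-Cookie headers using only the Python standard library, so it runs offline. The hostnames and cookie names in the sample are made up.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Tags whose listed attribute makes the browser fetch a subresource.
# <link> is only a fetch when rel="stylesheet" (handled separately below).
_FETCH_ATTRS = {
    "img": "src", "script": "src", "iframe": "src",
    "audio": "src", "video": "src", "source": "src",
}


class _SubresourceCollector(HTMLParser):
    """Collects (tag, url) pairs for every subresource the page would load."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" in rel and attrs.get("href"):
                self.urls.append(("link", attrs["href"].strip()))
            return
        attr = _FETCH_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.urls.append((tag, attrs[attr].strip()))


def find_mixed_content(html):
    """Return subresources with an explicit http:// scheme.

    Protocol-relative URLs ("//host/x") inherit the page's scheme and are
    therefore not mixed content on an https page, so they are not reported.
    """
    collector = _SubresourceCollector()
    collector.feed(html)
    return [(tag, url) for tag, url in collector.urls
            if urlparse(url).scheme.lower() == "http"]


def cookies_without_secure(set_cookie_headers):
    """Return names of cookies that lack the Secure attribute.

    Without Secure, a browser will also send the cookie over plain http,
    which is exactly what a passive sniffer on an open wifi network needs.
    """
    insecure = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                insecure.append(name)
    return insecure


def audit_response(html, set_cookie_headers):
    """Combine both checks into one report for a single https response."""
    return {
        "mixed_content": find_mixed_content(html),
        "cookies_without_secure": cookies_without_secure(set_cookie_headers),
    }


# Constructed sample page: a site that moved to https but still references
# some assets by their old http:// URLs.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="canonical" href="http://www.example.test/">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="https://www.example.test/logo.png">
<img src="http://www.example.test/banner.png">
<script src="//cdn.example.test/legacy.js"></script>
</body></html>"""

# Constructed sample headers: the session cookie was never marked Secure.
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; HttpOnly",
    "prefs=dark; Path=/; Secure",
]

if __name__ == "__main__":
    report = audit_response(SAMPLE_HTML, SAMPLE_SET_COOKIE)
    for tag, url in report["mixed_content"]:
        print(f"mixed content: <{tag}> loads {url}")
    for name in report["cookies_without_secure"]:
        print(f"cookie without Secure attribute: {name}")
```

The canonical `<link>` is deliberately not reported: the browser does not fetch it, so it causes no mixed-content warning, while the stylesheet `<link>` and the http:// image are. Running the same audit against every response after flipping the whole site to https is a quick way to find the stragglers the answer warns about.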