Hi everyone
Just a quick question. Are there any reasons why you wouldn't have your entire site defaulting to an SSL encrypted connection?
The one I can think of is if you're planning on pulling in remote images/scripts from a non-secure site. That would give you security errors.
But are there any performance reasons why I shouldn't?
A site I'm working on is an e-commerce subscription database and should all be self-contained.
Just wondered if there are any best-practice/performance issues which mean I should only use SSL when it's needed to encrypt data between client and server.
Cheers, B
Disadvantages to site-wide SSL?
Re: Disadvantages to site-wide SSL?
The performance hit using SSL is actually quite high - on a site with a lot of traffic you'll really notice the difference. But on one that's not getting loads of visitors there's no good reason not to.
Re: Disadvantages to site-wide SSL?
Yeah, I have noticed that many large sites (eBay, Amazon) only use SSL when needed... when user credentials are being transferred etc.
I reckon I'll go for it on the main ordering and all the login-protected pages. But the general info pages I won't bother.
Then monitor the account load to see how I go.
To be honest this site will be dealing with max 2,000 subscribers and it's unlikely they'll all be using the site at the same time!
Obviously we would love to have so many subscribers that this becomes a problem though!
Cheers, B
- kaisellgren
Re: Disadvantages to site-wide SSL?
Eavesdropping is easy. Just find yourself a public WiFi and get started. Next you will see a bunch of session identifiers and plain-text password cookies on your screen. I just wish we could live in a world of no plain-text HTTP. By the way, SourceForge uses SSL all the way through their protected pages.
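
The mixed setup discussed in this thread (SSL on the ordering and login-protected pages, plain HTTP on the general pages) leaves the session cookie readable on the plain pages unless it carries the Secure attribute. The Python check below is an added example, not code from any post in the thread; the cookie names and values are constructed.

```python
# Added example: audit Set-Cookie headers for cookies that would leave the
# browser over plain HTTP. All sample header values below are constructed.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def audit(headers):
    """Map cookie name -> list of findings; an empty list means clean."""
    report = {}
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        findings = []
        if "secure" not in attrs:
            findings.append("no Secure: also sent on http:// requests")
        if "httponly" not in attrs:
            findings.append("no HttpOnly: readable by page scripts")
        report[name] = findings
    return report


# Constructed headers, as a site with HTTPS only on its ordering pages
# might emit them.
SAMPLE = [
    "PHPSESSID=k3v9q0c1; Path=/; HttpOnly",
    "remember_me=1; Path=/; Max-Age=2592000",
    "order_token=7f2a; Path=/order; Secure; HttpOnly",
]

if __name__ == "__main__":
    for cookie, findings in audit(SAMPLE).items():
        print(cookie, "->", findings or "ok")
```

Feed it the Set-Cookie values captured from your own site's responses; any cookie reported without Secure will accompany requests to the non-SSL pages.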