So I've seen some fantastic answers to this question, but after a few days I saw that there are a few things missing. Therefore, there are a couple of things I want to mention:
Why Use SSL on Everything
- Security - If only a few pages are SSL encrypted, it's easier to "sniff" out which pages contain sensitive data. Now SSL is pretty goddamn safe, so this isn't something to worry about, but in the case that your private key gets compromised, it's good practice to have that additional layer of security so that it's harder for the bad guys to get at the juicy stuff.
- Trustworthiness - There are people who argue that when you visit a site that has a verified certificate, it is easier to trust. Since a verified certificate costs money, it's easier to trust a site knowing that the owner invested in a symbol of trust.
- Hassle - Blanketing everything under SSL is just so much easier. All you have to do is chop off the http: at the beginning of every resource link and you're good.
- SEO Configuration - You won't have to bother at all with SEO configuration. I've heard that search engines index http:// and https:// as separate entries, so for consistency (in both SEO and page behavior), blanketing SSL over everything and just setting up a 301 redirect seems like a nice easy solution.
- Consistency - You'll have a much more consistent website if you just https:// everything. Lots of frameworks break when you try to do a hybrid of SSL and non-SSL. On top of this, URL-dependent plugins and code will be really mean if you try to bounce back and forth between http and https.
- That Fuzzy Secure Feeling - You have to admit, that little green bar on the top left that says "verified domain" just is a damn good feeling.
Why Not SSL Everything
- Speed - SSL is slower. Not by much, of course, and most of the time the cost is negligible. It's an unavoidable fact, however, that SSL will always be slower.
- Browser Compatibility - This is probably negligible, but if you want to support really old browsers that don't cache over SSL, you'll have to stick with port 80.
- Plugins - A bunch of plugins don't work correctly over SSL, so you'll have to be careful of that. If you ever want to add a new plugin, you'll have to reconfigure your SSL settings or look for another plugin.
- Professionalism - Now although some people argue that seeing a verified SSL domain seems trustworthy, others view it as a very amateur and lazy solution. In fact, it's really easy and cheap (cost me about $10) to get a verified SSL certificate that hits up to 96% of browsers!
- Hassle - So I did say that it's easier to SSL everything, but at the same time you're going to have to make sure every resource is loaded through https:// (or do the http:// -> // quick solution). It can be a bit tedious if you have a bunch of links or even incompatible if you have user-submitted content hosted on a site that doesn't support SSL. In those cases, your browser will whine at you. If you've ever seen that notice that says "this page has insecure content", you'll know how annoying that is and how bad that looks.
So in short, it's really situational but I tend to avoid blanketing SSL. Sure, it does take a bit more configuration but in the end you get a much more flexible system. I personally think the whole "professionalism" thing is bullshit (Twitter and Google SSL everything). However, if you have externally hosted content or user-posted content, it's usually a really bad idea to SSL everything. You might also begin SSL-ing everything and run into a bunch of troubles.
But that's just me. :D
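The "insecure content" warning and the http:// -> // trick from the Hassle point above, as an added example that is not part of the original answer: a small Python script that scans an HTML page for subresources still loaded over plain http (the cause of the mixed-content warning) and rewrites them to https:// or scheme-relative //. The sample page and its .test hostnames are constructed for the demo.

```python
import re
from html.parser import HTMLParser

# Tag -> attribute that loads a subresource. An http:// URL here on an https://
# page is mixed content and triggers the "this page has insecure content"
# warning. <a href> is navigation, not a subresource, so it is not listed.
SUBRESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "source": "src",
    "audio": "src", "video": "src", "embed": "src",
    "link": "href", "object": "data",
}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url) for each plain-http subresource

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if name == attr and value and value.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], tag, value))

def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Matches the "http:" scheme of a subresource attribute on one of the tags above.
_HTTP_SUBRESOURCE = re.compile(
    r'(<(?:script|img|iframe|source|audio|video|embed|link|object)\b'
    r'[^>]*?\s(?:src|href|data)=["\'])http:(?=//)', re.IGNORECASE)

def rewrite_to_https(html, protocol_relative=False):
    """Upgrade http:// subresources to https:// (or scheme-relative // when
    protocol_relative=True). The host must actually serve TLS, otherwise the
    resource fails to load instead of warning, which is the caveat above."""
    scheme = "" if protocol_relative else "https:"
    return _HTTP_SUBRESOURCE.sub(lambda m: m.group(1) + scheme, html)

# Constructed sample page; the .test hostnames are placeholders, not real sites.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<a href="http://partner.example.test/">navigation link, not mixed content</a>
<img alt="logo" src="http://images.example.test/logo.png">
<iframe src="http://widgets.example.test/embed"></iframe>
</body></html>"""
```

Running `find_mixed_content(SAMPLE)` reports the stylesheet, image and iframe but not the plain `<a>` link; after `rewrite_to_https` the scan comes back empty.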