Should all sites use SSL by default?

Question

We are in the process of moving our web architecture to a new environment. Included are dozens of different sites ranging from almost completely static to dynamic sites requirin

Answer 1

This first thing to ask yourself, what does SSL buy you? It buys you the assurance that no one and no application can "sniff" the traffic and see what is going between the web-server and the browser. The cost is the real cost of purchasing an SSL certificate, and the on going cost of a slight increase in download speed. You mention that older browser have trouble downloading files over SSL communication. I can not speak to that, and I wouldn't concern myself too much with that. From a security stand point, you have another concern. Modern firewalls monitor traffic looking for various hack attempts. SSL prevents the firewall from monitor that communication, so the application developer / web-admin needs to be even more concerned with protecting their application and sites from various hacking attempts. Long story short, one should only encrypt communications that truly need it.