Should all sites use SSL by default?

Question

We are in the process of moving our web architecture to a new environment. Included are dozens of different sites ranging from almost completely static to dynamic sites requirin

Answer 1

I don't think that you should SSL all your sites and definitely you don't need to buy certs for your dev environments. If you want/need an SSL certificate for dev it can be easily generated and that in most cases would be enought for that environment. The other possibility is that you can buy a wildcard certificate and set you dev servers in one of the subdomains, this way you can have the same certificate for both environments but again: it's a waste of money if you buy wildcard certificate (which are more expensive) just to have dev work on it as well. It makes sense if you have multiple subdomains on prod that needs to be SSLed.

As for the speed: yes it's a bit of a problem but not that significant. SSL responses are not cached so using them will increase your servers load a bit but I think this is the part that admin should be aware of.