Should I use SSL on all web pages or just some account pages?
My user account and login pages are SSL, but the rest of my site is not. Wh开发者_开发知识库at bebnefit is there to switching between the two as I am doing vs making the whole site SSL?
There is an overhead to using SSL, although in reality it may not cause a concern - as pointed out in this SO question.
You can minimise what overhead there is by only using SSL for those transactions where it adds value - i.e. where you want to ensure the confidentiality and integrity of the data in transit. In many cases this is only the case for username and password details, however there may be other transactions where you also want these features.
in general, once logged on, a session-id is passed between client and server. if this cookie is sent in clear text (as with non-ssl requests/responses), it can be sniffed and used to enter the user's account without having to log on (session hijacking attack). this is why google recently enabled 'always on https' for gmail.
Use ssl on pages where you ask user to submit his credit card number, for example. Don't overuse it without enought reasons.
精彩评论