Using SSL Across Entire Site

Instead of just having a few select pages for HTTPS access, I was thinking about just using SSL for my entire site.

What would be the drawbacks to this?

Edit Aug 7, 2014

Google now factors in HTTPS for rankings, so you absolutely should use SSL across your开发者_如何学Python entire site:

http://googleonlinesecurity.blogspot.com/2014/08/https-as-ranking-signal_6.html

It is highly recommended these days to run the entire site on TLS (https that is) if possible.

The overhead concern is a thing of the past, it is no longer an issue with the newer TLS protocols, because it is now maintaining sessions, and even caching them for reuse if the client drops the connection. In the old days this was not the case. Which means that today, the only time you have to do public-key crypto(the type that is cpu heavy) is when establishing the connection. So there isn't really any drawbacks when you have a cert anyway. This means that you won't have to send people back and forth between http and https, and the customers will always see the lock sign in their browser.

Extra attention has been drawn to this subject after the release of Firesheep. As you might've heard Firesheep is a Firefox addon that let's you easily (if you are both using the same open wifi network) highjack other people's sessions on sites like Facebook, Twitter etc. This works because those sites only use TLS selectively, and this would not be a problem for them if TLS was enabled site-wide.

So, in conclusion, the cons (such as added CPU use) are negligible with the state of current technology, and the pros are clear, so serve all content via SSL/TLS! It's the way to go these days.

Edit: As mentioned in other answers, another problem with serving some of a site's content (like images) without SSL/TLS, is that customers/users will get a very annoying "unsecure content on secure page" message.

Also, as stated by thirtydot, you should redirect people to the https site. And you can even enable the flag that makes your server deny non-ssl connections.

Another edit: As pointed out in a comment below, remember that SSL/TLS isn't the only solution to all your site's security needs, there is still a lot of other considerations, but it does solve a few security issues for the users, and solves them well (Even though there are ways to do a man-in-the-middle, even with SSL/TLS)

It is a good idea to do this if possible, however you should:

• Serve static resources (images, CSS, etc) from plain HTTP to avoid the HTTPS overhead.
  (Don't do this or you will get warnings about "insecure resources").
• You should also redirect the HTTP homepage to the HTTPS version so that users do not have to type HTTPS to access your site.

Drawbacks include:

• Less responsive browsing experience - because there is more back and forth between the server and client with HTTPS vs HTTP - the amount this is noticeable will be dependent on the latency between the server and client.
• More CPU usage on your server - because every page has to be encrypted instead of just the select few.

Server side algorithms for establishing SSL connection are expensive, so serving all content via SSL requires more CPU power on the back end. As far as I know that is the only drawback.

SSL was not designed for virtual hosting, especially of the elastic cloud type. You may face some difficulties if you cannot control the host names of the web servers, and how they resolve to IP addresses.

But in general, that it is excellent idea, and if you allow users to login to your site, almost a necessity (as shown by Firesheep).

I should also add what I am trying to do. I would like to allow social service logins (like FaceBook), but we will also be storing credit card information

For the pages where the user can review his credit card information, or make financial transactions, better shift into a more secure authentication mode. Facebook is a big target, and attracts hackers. If someone's Facebook account gets hacked, and they can then spend money or gather credit card info from your site, that would not be good. Accepting social service logins for non-critical stuff is fine, but for the more serious parts of your site, better require additional passwords.

It is highly recommended these days to run the entire side on TLS

It's highly recommended by some people.

1. The total number of users your system can support is gated by either the CPU demands or IO load; if you are up against the CPU, TLS makes it that much worse.
2. Encrypting the traffic makes it impossible to use certain kinds of diagnostic techniques.
3. Most browsers will give your user a warning if you load any non-encrypted files. Which can be a huge problem if you are trying access third-party resources.

In some circumstances (e.g. a lot of money at stake), it makes sense to just bite the bullet and encrypt everything; in others, the odds of an attacker intercepting a packet in flight and deciding to hijack the session are so low and the amount of damage that could be done is so small, you can just go bare-back, as it work. (For example, this session, the one I'm using to post this answer, is unencrypted and I really, really don't care.)

For still other cases, you may want to offer your user a choice. Someone using a hard-wired connection in his own basement can make a different situation than someone using WiFi at the Starbucks across from a Black Hat convention.

I'm working on a protocol and a library to let you sign XHR requests. The idea is that the entire site would be set up as static files of HTML, CSS, and JavaScript, which would be loaded from a CDN. The actual application would be conducted entirely by JavaScript making AJAX and COMET requests. Any request that has to be authenticated is, but as a practical matter, most requests do not. I've done several sites this way -- they're very, very scalable.

We run a fully forced, secured website and shop. I've done this on the advice of a friend that knows a thing or two about website security.

The positive is that our website doesn't seem noticeably slower. Also Google Analytics runs although I can't get ecommerce to work. If it protected us against attacks I can't say offcourse but until today no trouble.

The bad thing however is that you will have a very hard time running Youtube and Social ("Like") boxes on a secured website.

Tips for good security:

1. Good webhost (they will cost you but it's worth it!)
2. No login for visitors. It kills usability but with a fast and easy checkout it goes and the obvious pro is that you simply don't store sensitive info.
3. Use a good Payment Service Provider and let them handle payment.

*2 I know this won't go for a lot of websites but "what you don't have, can't be stolen". We have been selling on our webshop without login for 2 years now and it works fine as long as the Checkout is Mega simple and lightning fast.