Should you use SSL on all websites

Should you use SSL on all websites

Recently a number of search engines (led by Google) have indicated that SSL should be used as standard on all websites, even those not necessarily collecting financial data. This means that all users will establish an encrypted connection with the web server, and all traffic will be encrypted.

There are some problems that can arise from using SSL,  since it can disable network-level caching. There are workarounds to this but it can mean that multiple computers in the same network have to re-download page resources. This can increase network load at both ends. Browser-level caching is not an issue in modern browsers.

On pure performance, the symmetric encryption and integrity check on tunneled data is not very expensive; if your server cannot encrypt and decrypt at network speed, then either you have God's own optic fiber, or you should think about replacing those i486. However, the initiation of a SSL connection, known as "handshake", is a bit more expensive, and may imply a performance bottleneck on heavy loads (when there are hundreds of connections per second, or more). Fortunately, a given browser instance will reuse tunnels and SSL sessions, hence this is not a problem if you have only a few dozen users.

Overall, putting SSL everywhere looks like a way to get a "warm fuzzy feeling" on security. This is not good. This usually means that by concentrating on the irrelevant, administrators will be more likely to disregard actual security issues. They will also make the system more complex to maintain, making it more difficult to diagnose and correct problems. Note that from the administrators point of view, this makes their job more secure, since it increases the cost of firing them and replacing them.


Latest Tweets
Contact Us
  • Address: 377-399 London Road,
    London, GU15 3HL
  • Phone: +44 (0)201 844 2990
  • Email: hello@trustbase.com
Say Hello

© 2017. TrustBase® is a registered trademark of the International Charter.