5

I'm planning on building an application wherein my users can create accounts on it, email other users, etc. The site will also have forums, chat, etc. It will also need to process credit cards. I'm trying to decide which parts of the site should be in https. Now I'm wondering if there are any problems with just having the entire site under SSL.

Any suggestions?

ServerFaultNewbie

3 Answers

7

There will be some processing overhead to establish the SSL connection, but on modern boxes and lightly loaded web sites that probably won't be very noticeable.

If you have forums where users are posting images sourced from outside your website, people will see an SSL mixed content warning (your site is SSL, but there are assets that are not SSL). Depending on your user population, that may freak out some people.

cjc
  • 1
    +1 for the comment about mixed content warnings. – snap Sep 12 '11 at 11:51
  • @cjc - if I were to just have some parts of the site as secured (instead of trying to secure the entire site and have issues with mixed content warnings), any tips on best practices? Maybe I put all my resources (css, js, images, etc.) in secured folder? Then secured and unsecured pages can reference those resources. For the secured pages, I won't (hopefully) run into mixed content warnings? – ServerFaultNewbie Sep 12 '11 at 23:01
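
The mixed content issue raised in the answer above, as an added example that is not part of the original thread: a server-side check a forum could run on user-posted HTML to list subresources that a browser would fetch over plain HTTP from an HTTPS page. The function names, the tag table and the sample post are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that trigger a subresource fetch. Passive content is
# only displayed; active content can script or restyle the embedding page.
SUBRESOURCES = {
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("embed", "src"): "active", ("object", "data"): "active",
    ("link", "href"): "active",  # counted only for rel=stylesheet
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return
        for (t, attr), kind in SUBRESOURCES.items():
            value = attrs.get(attr)
            if t != tag or not value:
                continue
            # Resolve relative and //host/x URLs against the embedding page.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((kind, tag, absolute))

def find_mixed_content(html, page_url):
    if urlsplit(page_url).scheme != "https":
        return []  # nothing is "mixed" on a plain-HTTP page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample forum post; all hosts are placeholders.
SAMPLE_POST = """
<p>Look: <img src="http://images.example.net/cat.png"></p>
<img src="/avatars/42.png"> <img src="//cdn.example.org/logo.png">
<a href="http://example.net/">plain link</a>
<script src="http://widgets.example.net/w.js"></script>
"""

if __name__ == "__main__":
    print(*find_mixed_content(SAMPLE_POST, "https://forum.example.com/t/1"), sep="\n")
```

Relative and protocol-relative URLs inherit the page's scheme, so only the two explicit `http://` subresources are reported; the plain `<a href>` link is navigation, not a subresource.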
0

If you're handling credit card data, it's worth a read of the appropriate standards as well. You need to be PCI-DSS compliant. Wikipedia's got pointers to the appropriate documentation.

Chris J
-2

Be reminded there is some tradeoff when using SSL.

It will increase the communication overhead, which will somehow make your site's response slower. Also, your client needs to have an SSL certificate in order to access your server.

Something which is important: sensitive data should be encrypted, like login and credential information.

TheOneTeam
  • 2
    Why would clients need certificates to validate? The original question doesn't suggest that this feature will be turned on. – cjc Sep 12 '11 at 10:34
  • 2
    -1. For 99.99% of your users, the tiny bit of overhead that SSL introduces will never be noticed. Additionally, if you run into server CPU load issues after turning on SSL, it's likely you have other issues to deal with as well. – EEAA Sep 12 '11 at 17:31