Towards Blanket SSL

By Deane Barker on March 10, 2012

Should All Web Traffic Be Encrypted?: I find it tough to fault this.  I’m beginning to think, as Jeff is, that blanket SSL wouldn’t be so bad.

[…] maybe encrypted connections should be the default for all web sites. As tinfoil hat as this seemed to me a year ago, now I’m wondering if that might actually be the right thing to do for the long-term health of the overall web, too.

The problem comes when you switch back and forth for particular pages.  We’ve built this functionality several times in at least two content management systems, but it introduces overhead on every request to determine if this page should be encrypted or not.  If the user needs to switch modes (between SSL and non-SSL), then that eval and redirect probably introduces more overhead than just going full SSL for everything.