There has always been quite a lot of heated discussion around the question of when to use SSL and when to avoid it while building websites.
I have been asked this question a few times myself and finally thought that it would be good for everybody if I just wrote an article on it explaining what the big huff was all about.
Obviously if anyone has anything to add or if you disagree with me for whatever reason, then feel free to do so below at the end of this article.
What is SSL anyway?
SSL stands for Secure Sockets Layer and was created to solve the problem of transferring personal information from the user’s web browser to the server and back. It is most commonly used when capturing buyers’ credit card details for processing by a payment gateway, and for handling login and registration information for secure areas on websites.
When to use it?
It is best practice to use it only for the select few pages that handle sensitive information on a website. On an e-commerce site, for example, it will appear on the pages where the user/buyer has to log in or register, or enter their payment information at checkout of their shopping cart.
Lots of developers have started to just build entire sites under the SSL (HTTPS) certificate, and this is alright on a non-verbose level.
There are a few reasons why you should refrain from doing this and reserve it for pages that strictly need the extra level of security.
Reasons to not run whole sites under SSL:
- Search engines used to not cache sites if they were under HTTPS/SSL. They do these days, but just because Google does, doesn’t mean they all do! BEWARE!
- The webserver has to work harder because data is encrypted via SSL. This is a bad thing when the server load is very high or the server is experiencing a burst of traffic.
- The requested file is usually a bit bigger in size when served via SSL, due to that encryption once again.
- Third-party scripts and iframes also need to run off SSL/HTTPS domains, otherwise the browser will throw an alert warning of an insecure element on the page, which will definitely scare away all the users that were just about to enter their credit card details!
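To catch the insecure-element warning from the last point before your users do, you can scan a secure page's HTML for anything it would load over plain HTTP. The following is an added example, not code from the original article; the tag list is an illustrative assumption rather than a complete one, and the sample page and its hosts are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute whose URL the browser fetches as part of the page.
FETCHING_ATTRS = {"script": "src", "iframe": "src", "img": "src", "embed": "src",
                  "audio": "src", "video": "src", "source": "src", "object": "data"}
# <link> fetches only for some rel values; rel="canonical" is just metadata.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload"}


class MixedContentFinder(HTMLParser):
    """Collects subresources an HTTPS page would load over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, resolved URL) pairs

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            name = "href" if rels & FETCHING_LINK_RELS else None
        else:
            name = FETCHING_ATTRS.get(tag)  # None for <a>, which is navigation only
        value = attrs.get(name) if name else None
        if not value:
            return
        # Resolve relative and protocol-relative ("//host/x") URLs against the page.
        resolved = urljoin(self.page_url, value.strip())
        if urlparse(resolved).scheme == "http":
            self.findings.append((tag, resolved))


def find_mixed_content(page_url, html):
    if urlparse(page_url).scheme != "https":
        return []  # the warning only applies to pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample checkout page (all hosts are placeholders).
SAMPLE_CHECKOUT = """<head>
<link rel="canonical" href="http://shop.example/checkout">
<script src="http://stats.example/track.js"></script>
<script src="//cdn.example/lib.js"></script></head>
<body><a href="http://partner.example/">Partner</a><img src="img/cards.png">
<iframe src="http://widgets.example/reviews"></iframe></body>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://shop.example/checkout", SAMPLE_CHECKOUT):
        print(f"insecure <{tag}> -> {url}")
```

Only the tracking script and the reviews iframe are reported: the protocol-relative script and the relative image inherit HTTPS from the page, and plain links are not loaded as part of it.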
How to tell if a page is secured:
It’s really easy to tell if the page you are on is protected: look at the address bar, which will start with “https://” rather than just “http://”. Notice the extra “s”; it is very important.
The other way to tell is by looking for the little padlock icon somewhere around in your browser’s interface.
As I have already said, if you have anything to add then feel free!