What are the pros and cons of a 100% HTTPS site?

Question

First, let me admit that what I know about HTTPS is pretty rudimentary. I don\'t know much about session security, encryption, or how either of those things is supposed to b

Answer 1

You've been misinformed. The css, js, and image files need not be duplicated assuming you've set up the http and https mapping to point to the same physical website on the server. The only important thing is that these files are referenced with https when the page you're looking at is also under https. This will prevent the dreaded security message that says that some objects on the page are not secured.

For every other page where you're running the site under http (unsecured) you can reference those same files in the same locations, but with an http address.

To answer your other question, there would indeed be a performance penalty to put the entire site under https. The server has to work hard to encrypt everything it sends over the wire. And then some not-so-old browsers won't cache https content to disk by default, which of course will result in an even heavier load on the server.

Because I like my sites to be as responsive as possible, I'm always selective about which sections of a site I choose to be SSL-encrypted. In most typical e-commerce sites, the only pages that need SSL encryption are the login, registration, and checkout pages.