Should all sites use SSL by default?

生来不讨喜 2021-01-31 08:17

We are in the process of moving our web architecture to a new environment. Included are dozens of different sites ranging from almost completely static to dynamic sites requirin

7 answers
  •  無奈伤痛
    2021-01-31 08:50

    In another response to Thomas' answer, especially since it is on top.

    Also, further down I linked a white paper with best practices for SSL.

    > SSL prevents caching, not only from browsers but also from proxy servers. Every web page element will have to be sent by your main server, again and again. This increases network load.

    Only partially true. SSL will prevent proxy caching, but not browser caching - also see the answers to this question. Not a big issue in my opinion.

    > SSL prevents usage of so-called "virtual domains". [...]

    This is partially true. However, virtual domains will work fine as long as you have only one certificate. Even if you do not, Server Name Indication (SNI) should be a viable alternative (or should be, once Windows XP is off the face of the planet).

    > [performance] However, the initiation of a SSL connection, known as "handshake", is a bit more expensive, and may imply a performance bottleneck on heavy loads (when there are hundreds of connections per second, or more). Fortunately, a given browser instance will reuse tunnels and SSL sessions, hence this is not a problem if you have only a few dozen users.

    Even the handshake should not cause any performance issues on the server side if you have modern hardware. The main reason the handshake is "slow" is that network packets need to be sent back and forth a few times between the server and the browser - computational power has little to do with it.

    To put it another way: Setting up the SSL connection will be an order of magnitude cheaper than rendering a PHP page which fetches data from a database.

    > Overall, putting SSL everywhere looks like a way to get a "warm fuzzy feeling" on security. This is not good. This usually means that by concentrating on the irrelevant,

    NOT TRUE AT ALL. Either you don't need SSL at all on your site, because it's completely public content. Or you do need SSL for some reason (user logins, protected areas). In that case, the best practice is to put it everywhere.

    Having SSL only on parts of your page can open you up to all kinds of obscure risks. And while you can find and mitigate those in other ways, it will be more complex, error-prone and time-consuming than just having SSL enabled on all pages.

    I have found this white paper on SSL. I'm not affiliated with the company that authored it, but I found it a very concise summary of all the things that you need to keep in mind when deploying an SSL setup.

    That security has more than one component goes without saying. But already getting the first wrong is not a good start.
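The "obscure risks" of a partially-TLS site that the answer above alludes to are concrete and easy to audit for. The following is an added example, not code from the thread or from any of its authors: it takes the HTML of a page served over HTTPS plus its response headers and flags the three classic symptoms of a mixed deployment, sub-resources fetched over plain HTTP, same-site links that drop back to http://, and cookies set without the Secure flag (which a browser will happily send on the plain-HTTP part of the site). It also notes a missing Strict-Transport-Security header. The host name, HTML and headers are constructed for the demonstration.

```python
"""Audit an HTTPS page for the pitfalls of a site that is only partly on TLS.

Added example, not part of the original thread. All inputs below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# (tag, attribute) pairs whose value the browser will fetch or submit to;
# an http:// value here is mixed content on an https:// page.
RESOURCE_ATTRS = {("script", "src"), ("img", "src"), ("link", "href"),
                  ("iframe", "src"), ("form", "action")}


class _Collector(HTMLParser):
    """Collect embedded-resource URLs and <a> links from a document."""

    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, url) for embedded resources
        self.links = []      # href values of <a> elements

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for res_tag, attr in RESOURCE_ATTRS:
            if tag == res_tag and a.get(attr):
                self.resources.append((tag, a[attr]))
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])


def audit_https_page(page_host, html, headers):
    """Return a list of findings for a page served at https://page_host/.

    headers is a list of (name, value) pairs; Set-Cookie may repeat.
    """
    findings = []
    parser = _Collector()
    parser.feed(html)

    # 1. Mixed content: a resource on an https:// page loaded over http://.
    for tag, url in parser.resources:
        if urlparse(url).scheme == "http":
            findings.append(f"mixed content: <{tag}> references {url} over plain HTTP")

    # 2. Partial TLS: navigation back to the same site over plain HTTP.
    for href in parser.links:
        u = urlparse(href)
        if u.scheme == "http" and u.hostname == page_host:
            findings.append(f"partial TLS: same-site link over plain HTTP: {href}")

    # 3. Cookies without Secure leak onto the plain-HTTP half of the site.
    names = {name.lower() for name, _ in headers}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie = value.split(";")[0].split("=")[0].strip()
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                findings.append(
                    f"cookie {cookie!r} lacks Secure; it is sent on any plain-HTTP "
                    f"request to {page_host}")

    # 4. Without HSTS the browser still tries http:// first on a typed URL.
    if "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security header")
    return findings


# Constructed sample: a shop whose catalog is still served over plain HTTP.
SAMPLE_HOST = "shop.example"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://shop.example/s.css">
<script src="http://cdn.example/lib.js"></script>
</head><body>
<a href="http://shop.example/catalog">Catalog</a>
<a href="https://shop.example/account">Account</a>
<img src="https://shop.example/logo.png">
</body></html>"""
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),
]

if __name__ == "__main__":
    for finding in audit_https_page(SAMPLE_HOST, SAMPLE_HTML, SAMPLE_HEADERS):
        print("-", finding)
```

On the constructed sample the audit reports four findings: the script from cdn.example over plain HTTP, the catalog link that leaves TLS, the session cookie without Secure, and the missing HSTS header; the prefs cookie, which carries Secure, is not reported. Every one of these disappears once the whole site is on TLS, which is the answer's point that "everywhere" is simpler than "partly".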
