security - SSL on entire site or just part of it?

Question

I have a site... let's call it mysite.com. On this site, there's the sign up section which I think should be the secure part of this site.

a) Should I enable ssl on the entire site, or just the sign up part (e.g. signup.mysite.com) b) What are the pros and cons of enabling it for the whole site?

Answer 1

It depends on what your site serves. If the data it serves is sensitive, then providing a full SSL encrypted connection is a bonus.

But, as others have mentioned you will eat your bandwidth. SSL encrypted data, be it images, HTML pages or other information is not (supposed to be) cached on the client, so every time the user restarts the browser the files are downloaded again.

I would agree with Vinay, provide signon/signup over SSL and then fall back to normal HTTP, then see.

The other approach may be to provide all your static content over HTTP while all the sensitive content over HTTPS (e.g. if you use systems like ExtJS then the pages are static files and the data is all retrieved via AJAX).

Of course, if you're serving sensitive information (e.g. banking information) where the data itself is always sensitive then go full SSL and eat the costs.