Migrate to HTTPS?

I think that anything which encourages site owners to take security more seriously has to be a good thing, and implementing SSL certainly falls into that category.

Thinking about it. I'm still doubtful that HTTPS is suitable for everywhere and everything, as Google would like us to believe. For example we have some fairly hefty downloadables on our site - one of our products being roughly 50 MB in size. As caching proxy servers are generally unable to handle HTTPS traffic, clients would need to request this resource directly from our servers, and I'm not sure what impact this might have on site performance. We might try working around it by splitting the downloadables off to a separate domain, that we'd continue to serve using HTTP. One of Google's arguments for using HTTPS is that we should be ensuing what our clients receive is exactly the same as we are serving, but is it really an issue if our software is already signed?

We don't have the problem of any big files like that, but my biggest hesitation was I just didn't see the point of having additional overhead for every random Joe who comes in to read a forum thread from a Google search (and doesn't log in, etc.) We had already been using https for our registration, login, edit profile pages, etc.

What changed my mind were things like SPDY, which Google Chrome and other browsers are already implementing to make HTTPS faster than HTTP. Also, a better understanding of just how often proxy servers manipulate pages that pass through them.

Oh, also, another major hassle with switching to HTTPS on an ad-supported publication such as DaniWeb is that third-party ads aren't always HTTPS, and that gives the end-user warnings saying that insecure items are being loaded.

Well, I think this is another marketing strategy ! Good for security of the site but I don't think there are attackers seeing the forums daily to perform man in the middle attacks. I would say its good from user point of view but I really don't think that forums are vlnerable with.... come on ! Even attackers do need some place to take a chill out.

Going to SSL is a good thing in principle. As stated before as much as I appreciate where the web is heading this does spell the demise for alot of smaller hobby websites (ones which don't necessarily generate the revenue to afford the extra $100 a year for an SSL cert) and it also adds another cost factor for startups. Now granted some web hosting companies now offer SSL certs for shared hosting plans but a concern I have is that down the road this may become a "whoever can pay the most gets a better search engine rank" game. With varying levels of security with SSL, how long will it be until Google says that the guys with the $500+ certs should have a higher rank then the ones with the self signed certificates?

The other issue I have had is one you brought forth in a previous post Dani; how long will it take for analytics/webmaster tools to catch up in reporting to provide the same depth of analytics that we are used to recieving now? I dunno about other website owners but I like knowing where my traffic came from so I know which platforms to target the most.

Those are my views, but in the end when the bugs are worked out the web will be a better place. This is just a growing pain between point A and point B. We now also make an effort to educate our clients and prospective clients on internet security. By this time next year we hope all of our Clients will be setup on HTTPS.

I think any site that collects login information should be using SSL. Most people will repeat the same login information (username/email, password, and that specific pairing), between multiple sites. If you request this information from a user, you should be protecting it.

That said, my company's considering to switch over to all SSL presently. I'm curious what methods people are using.

EvolutionFallen, we have been using SSL for our registration, login, etc. pages for quite awhile now. We've been encrypting data anytime someone passes login information over the network and that type of thing. I simply switched all pages over to SSL just recently.

Sorry Dani, I didn't mean to imply you weren't doing so. I was speaking in a general sense, meaning it goes for anyone that isn't doing it.
So how are you doing it? Is it all mod_rewrite and/or 301 redirects?

Hehe no worries. Yes, just using mod_rewrite 301 redirects to redirect the non-SSL pages to SSL versions. Previously I was doing that just for a selection of pages. Now I'm doing it for all pages.

Awesome, thanks. That's probably what we'll end up doing. The site's on Magento though and there are some other inherent problems in moving that to all HTTPS, so we'll see what happens.

I think SSL is good only for e-commerce, social media and forum site because it is secured. On the other hand, I'm still thinking more Pros than cons of SSL in business websites.