1

I know that SSL should be used on web servers that need to gather credit card information etc. However, is it industry best practice to also turn on SSL even for non-critical web servers? E.g. those only used for static browsing, or those that just require a simple login and password, that's all.

Would like to hear your comments. Thanks

dorothy
    Depends on what data is going to be passed between the client and the server. For example, you will definitely need SSL for user login. I generally use SSL for everything that is online. My rule of thumb is, if it's online then use encryption. – Oxon Nov 17 '14 at 15:13

4 Answers

4

The cautious strategy would be to do SSL everywhere, then think about switching to non-SSL for some pages if (and only if) performance issues arise that would likely be fixed by the absence of SSL. Not using SSL means that a passive attacker can see all the traffic, and active attackers can modify at will all the non-SSL parts, which can have deep ramifications. Thus, this is not something that should be done lightly. Mixing SSL and non-SSL content within the same page also tends to produce browser warnings or breakage, so doing partial SSL can be challenging.

"Performance issues" that may plausibly arise in the presence of an all-SSL world are about caching; with SSL, transparent proxies that cache data requests as they go, without clients being aware of it, can no longer work. Big ISPs are quite fond of transparent proxies. On the other hand, the "performance issues" that come to the mind of most sysadmins (namely, the "obviously" huge overhead of encryption) are, in fact, mostly mythic.

The industry practice is of course completely different. The industry, at large, goes without SSL, then adds it only reluctantly, long afterwards, for only some pages, and only after having spent all the excuses about how attacks on non-SSL pages are not their problem since they are client-side. For some reason, many sysadmins think about switching to SSL with the same mindset as a hardcore environmentalist who considers replacing a coal power plant with a nuclear one.

Tom Leek
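The three things the answer above says go wrong with partial SSL (plain-HTTP pages an attacker can rewrite, mixed SSL/non-SSL content in one page, and traffic a passive listener can read) can each be checked offline against a site's responses. The script below is an added example, not code from the answer or the site in question; the host names (www.example.test, cdn.example.test, static.example.test), the HTML and the headers are constructed samples, and headers are passed as (name, value) pairs so repeated Set-Cookie lines survive.

```python
"""Offline checks for an "SSL everywhere" deployment (added example; all
responses, HTML and host names below are constructed placeholders)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def check_plain_http_redirect(status, headers):
    """A request to http:// must be answered by a redirect to https://,
    not by content. Returns a list of findings (empty means OK)."""
    if status not in (301, 308):
        return [f"http:// request got status {status} instead of a 301/308 redirect"]
    target = dict(headers).get("Location", "")
    if urlparse(target).scheme != "https":
        return [f"redirect points at a non-https URL: {target!r}"]
    return []


class _MixedContentScanner(HTMLParser):
    """Collects sub-resources an https page would fetch over plain http.
    Active content (scripts, frames, stylesheets) lets an on-path attacker
    run code in the page; passive content (images) can be read or swapped."""
    ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
    PASSIVE = {("img", "src")}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # rel=canonical etc. is metadata, not a fetched sub-resource
        for attr in ("src", "href"):
            value = attrs.get(attr)
            if not value:
                continue
            if (tag, attr) in self.ACTIVE:
                kind = "active"
            elif (tag, attr) in self.PASSIVE:
                kind = "passive"
            else:
                continue
            # urljoin resolves relative and protocol-relative (//host/x) URLs
            # against the https page, so only explicit http:// stays flagged.
            if urlparse(urljoin(self.page_url, value)).scheme == "http":
                self.findings.append((kind, tag, value))


def find_mixed_content(page_url, html):
    scanner = _MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


def check_cookies(headers):
    """A cookie set over https must carry Secure; otherwise the browser also
    sends it on any http:// request to the site, where a passive listener
    reads it. That is how a session from a 'simple login' leaks."""
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        if "secure" not in {p.lower() for p in parts[1:]}:
            findings.append(f"cookie {name!r} lacks the Secure flag")
    return findings


# Constructed samples: the port-80 answer of a correctly configured site,
# a login page served over https, and the login response's headers.
PLAIN_HTTP_RESPONSE = (301, [("Location", "https://www.example.test/")])
PAGE_URL = "https://www.example.test/login"
PAGE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="http://www.example.test/login">
<script src="http://cdn.example.test/jquery.js"></script>
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="http://static.example.test/logo.png">
<form method="post" action="/login"><input name="user"><input name="pass" type="password"></form>
</body></html>"""
LOGIN_HEADERS = [
    ("Set-Cookie", "session=7f3a9c; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/; Secure"),
]


def audit_sample_site():
    """Run all three checks on the constructed samples."""
    return {
        "redirect": check_plain_http_redirect(*PLAIN_HTTP_RESPONSE),
        "mixed_content": find_mixed_content(PAGE_URL, PAGE_HTML),
        "cookies": check_cookies(LOGIN_HEADERS),
    }
```

On the samples the redirect check passes, the page is flagged for one active (the http:// jquery.js script) and one passive (the logo) mixed-content load while the protocol-relative app.js and the canonical link are correctly ignored, and the session cookie is reported for missing Secure. Note that a script loaded over plain http is the case the answer calls "deep ramifications": the attacker who rewrites it owns the https page around it.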
4

In August, Google announced that it was giving a small boost in search rank to sites that used SSL.

...Over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We've seen positive results, so we're starting to use HTTPS as a ranking signal. For now it's only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

So Google is suggesting and encouraging web site operators to make it an industry best practice.

Gene Gotimer
2

When deciding on SSL or not, remember it's more than just confidentiality:

  • verify that the server is indeed the site you think you are talking to
  • prevent others from seeing confidential data
  • prevent others from modifying the data being transferred

In some cases, having the data changed outside your knowledge may be as damaging as leaking a secret.

The SSL handshake does take a few round trips between browser and server. If you need to go for SSL, you may need to put some extra effort into other parts of the web site to make up for that performance penalty.

rvdheij
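The answer's point that integrity is a property separate from secrecy is easy to see with a small simulation. The code below is an added illustration, not code from the answer: a toy record layer built from HMAC-SHA256 (a keystream for encryption plus an encrypt-then-MAC tag) stands in for TLS's real record protection and must not be used as a cipher, and the HTTP response, the balance figure and the fixed session key are constructed. It shows an on-path attacker rewriting a plain-HTTP page, the same attacker still changing the figure when the page is encrypted but not authenticated, and the edit and a replay both being refused once the tag is checked.

```python
"""Integrity versus secrecy: a toy authenticated record layer (added
illustration; HMAC-SHA256 stands in for a real TLS cipher suite, and the
page, balance and key below are constructed)."""
import hashlib
import hmac

PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><body><p>Balance: 100</p></body></html>")
HDR_LEN = 8    # sequence number
TAG_LEN = 32   # HMAC-SHA256 output


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key, seq, length):
    """Toy stream cipher: concatenated HMAC(key, seq || counter) blocks."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, seq.to_bytes(8, "big") + ctr.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _subkeys(key):
    """Separate encryption and MAC keys derived from the session key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, seq, plaintext):
    """Record = seq || ciphertext || tag. The tag covers seq and ciphertext,
    so neither the content nor the record's position in the stream can be changed."""
    enc_key, mac_key = _subkeys(key)
    header = seq.to_bytes(HDR_LEN, "big")
    ct = _xor(plaintext, _keystream(enc_key, seq, len(plaintext)))
    return header + ct + hmac.new(mac_key, header + ct, hashlib.sha256).digest()


def open_record(key, expected_seq, record, verify_tag=True):
    """Check the tag before decrypting anything. verify_tag=False models
    'encryption only' and exists purely to show why that is not enough."""
    enc_key, mac_key = _subkeys(key)
    header, ct, tag = record[:HDR_LEN], record[HDR_LEN:-TAG_LEN], record[-TAG_LEN:]
    if verify_tag:
        expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("record modified in transit")
    seq = int.from_bytes(header, "big")
    if seq != expected_seq:
        raise ValueError("record replayed or reordered")
    return _xor(ct, _keystream(enc_key, seq, len(ct)))


def attacker_edits_plaintext(wire):
    """On-path attacker against plain HTTP: rewrite the body at will."""
    return wire.replace(b"Balance: 100", b"Balance: 999")


def attacker_edits_ciphertext(record, offset):
    """Against a stream cipher with no tag the attacker needs no key: XORing
    the ciphertext with (old ^ new) at a known offset edits the plaintext."""
    delta = _xor(b"100", b"999")
    i = HDR_LEN + offset
    return record[:i] + _xor(record[i:i + 3], delta) + record[i + 3:]


def run_demo(key=b"\x42" * 32):
    """key is a fixed stand-in for a handshake-derived session key."""
    offset = PAGE.index(b"100")  # attacker knows the page layout
    genuine = seal(key, 0, PAGE)
    tampered = attacker_edits_ciphertext(genuine, offset)
    out = {"http": attacker_edits_plaintext(PAGE)}
    out["enc_only"] = open_record(key, 0, tampered, verify_tag=False)
    for label, seq, rec in (("tls", 0, tampered), ("replay", 1, genuine)):
        try:
            open_record(key, seq, rec)
            out[label] = "accepted"
        except ValueError as err:
            out[label] = f"rejected: {err}"
    return out
```

`run_demo()` returns the attacker's plain-HTTP page with the balance changed and no way for the client to notice, the same changed balance coming out of "encryption only" decryption, and "rejected: record modified in transit" and "rejected: record replayed or reordered" for the authenticated cases. The sequence number in the tag is what the handshake's round trips buy in practice: an attacker cannot replay yesterday's "Balance: 100" record either.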
1

Depends on what data is going to be passed between the client and the server. For example, you will definitely need SSL for user login. I generally use SSL for everything that is online. My rule of thumb is, if data is passing through an open medium then use encryption.

Oxon