Note: This post was written a few years ago and imported to this blog. While it's still true, some new things are left out. For example HTTPS helps with Google SEO now.
I recently saw a post on the NearlyFreeSpeech.net forums where the person had SSL certs installed for their site, but they didn’t think they needed to have it for all of their visitors.
[F]or the vast majority of my visitors, all I would be doing is encrypting content that’s on all the search engines already. There are no useful cookies to steal and the content is boring.
He also expressed concerns about SSL being a performance hit and that the increased impact on performance would cause NearlyFreeSpeech (NFSN) to have to increase prices to account for this.
I know that SSL is a performance hit and NFSN have said specifically that general overuse of SSL would make the infrastructure more expensive (which of course impacts all of us at some point).
I assume this is still true?
Here is my response, because it turned out pretty big and in-depth:
Google, Twitter, and Facebook have all shown that the performance hit of SSL is basically negligible even on a large scale. There is no such thing as overuse of SSL on normal sites.
If you have any content on your site that needs to be encrypted, you are doing your users a disservice by having any part of your site decrypted. This is because of SSLStrip, as explained by Troy Hunt.
The problem is, almost any scenario where someone is vulnerable to a MITM attack, they’re not only vulnerable to sniffing, they’re also vulnerable to manipulation. The ubiquitous example is cafe WiFI, someone sitting around on their laptop with a hacked wireless card. That hacked wireless card can not only sniff, it can almost definitely inject too (you can get one for $20 on ebay).
SSLStrip makes everyone’s computer talk to the hacker’s computer using his hacked wifi card instead of the router, and then his computer forwards the requests on to your site and returns the content they expect, modifying it in the middle. This happens almost entirely automatically, you don’t have to filter for example.com, you can MITM everything if you want. You can buy a ~$100 device called a Pineapple that will do it for you from a helpful web interface, you can plant one in every Starbucks in the city with a small budget and know the passwords and CC info of everyone.
So one of your users who does need to access a secure form (eventually), pulls up http://example.com. He sees a link for what should be https://example.com/login. However, SSLStrip modifies the link to be http://example.com/login. If their browser is vulnerable to an IDN homograph attack, the hacker can use tricks to make the address bar look like https://example.com/login?!f.ijjk.cn This is a real exploit and it gets sent with a legitimate SSL certificate.
No one notices because lolsecurity, amirite? There’s no feedback that the page is being hijacked other than the address bar, and if the attacker does it well the page gets the SSL padlock and a little gibberish in the URL. So they put their credentials in and they get owned. Or they’re already authenticated, you do have your cookies set to only be sent over secure connections, right? If you don’t, the attacker now has their cookies, game over. If you do, they just get sent to the login page, where they put in their credentials and get owned.
So to protect your users who need security, you really have to protect everyone, or train those users really well in security and hope they don’t lapse and tell them to never access your site via HTTP.
So for the rest of your users, do you need to protect them with SSL? Probably not. However, this is similar to the “I’ve got nothing to hide” argument. We know that governments, ISPs, and script kiddies in cafes can and do see what you browse. So why should you worry about people knowing what you and your users browse? I defer to people who’ve written excellent arguments about why you should care about privacy even for innocuous things.
This is why you should always browse through a secure VPN on insecure networks (protecting yourself from HTTP sites). Then use a plugin like HTTPS Everywhere so that if a site offers HTTPS but doesn’t default to it you use it always.
Your sites should have HTTPS and send an HSTS header so users don’t access the site over an HTTP connection on subsequent connections. Then you should get your site in the HSTS Preload list for the major browsers, so if they type http://mysite.com but they’ve never been to the site before they get redirected. (That list linked is shared with Safari and Firefox)
I know this seems paranoid, but if you’ve already gone through the steps to have SSL available on your site, there’s really no sense in not enabling it for everyone. The cost really is negligible, and the benefits outweigh them easily.
The only exception is if you want to support really old browsers, like IE on XP old, you’ll have problems with the some implementations like NFSN’s that use SNI (multiple SSL sites on one IP address). You can find a list of supported browsers here. There are htaccess snippets available that will workaround these browsers if you need to support older browsers.
For an in-depth explanation of SSLStrip and the IDN homograph attack, see this Black Hat presentation.
Moral of the story: Use SSL. It’s easy and inexpensive.