Why Websites should use SSL Certificates

At one time, in the distant past as far as Internet years go, it was computationally expensive to use SSL (HTTPS) for websites. That's no longer the case, and SSL certificates can be obtained cheaply or for free. Before I go on, I need to eat a little crow.

Encryption involving JavaScript isn't Secure

I've done a lot of testing, using various testing environments. I've used packet-sniffers, web browser add-ons and even home-brewed software to examine everything leaving or entering a web server. The results haven't been pretty.

Until recently, I advocated using JavaScript and PHP together as a form of security. All it really does is create a false sense of security. In order for any form of encryption to work, the JavaScript tokens (public or private keys) have to be exchanged with the server, and that's where the problem lies. It actually can be done by using a combination of two-way and one-way encryption schemes, but it's a lot of work, and that amount of work is probably better directed toward using SSL in the first place.

Free SSL Certificates and Cheap SSL Certificates

If you can't afford to buy SSL certificates, there are a few (very few) vendors who give away domain validation SSL certificates. StartSSL is one of them. They also sell cheap SSL certificates and I'm talking about cost, not quality.

If push comes to shove, you can create your own SSL certificates, known as self-signed certificates. The problem with self-signed certificates is that they're not very well suited for public use: visitors' browsers don't trust them by default and display a warning instead of the page.

All Websites should use SSL Certificates

It's a strong statement even if it's not always feasible. Of course, there are exceptions and the exceptions are merely those websites where there aren't any login procedures or sensitive data to be passed. In other words, static websites where the pages are uploaded manually. How many websites do you actually visit that fall into that category?

Even WordPress, the software I'm currently using, can be forced to use SSL (although I think the option should be built-in). Of course, it can get pretty expensive to get a trusted SSL certificate for every WordPress-driven website you might manage unless you're using wildcard certificates for subdomains. And that's why there's another alternative.

The other alternative is to maintain current backups of your software and database data, just in case you get hacked (and I've been hacked before). How often you need to refresh the backups depends on how often your data changes. I like to do it daily, using my own custom database backup script, but something like that won't work for everyone.

SSL Speed and CPU Usage

It pays (so to speak) to keep up with progress when it comes to SSL. Why, way back in 2010, the case was made for overclocking SSL and SSL is just getting faster. Google started using HTTPS for Gmail by default and didn't have to dedicate any new resources to make it happen.

I've done my own tests and the difference in speed between an SSL and a non-SSL driven website isn't worth mentioning. It really isn't. In reality, an SSL-driven website can seem faster when the bloat of any home-baked encryption schemes is removed. The only encryption still necessary is the one-way kind: salted and hashed items – things like passwords and the like – when stored in a database.
