
Why SSL?

by Gatana Kariuki

Using SSL to secure all websites may seem like an odd choice: most websites contain no "nuggets" worth taking, SSL apparently slows the page load time (especially on over-provisioned hosting platforms), and it's not clear whether doing so will mess up any search engine optimizations.

Back when I worked at the Bank, I tried to advance the idea that every page should be SSL protected but some of these same arguments were thrown back to me – “why does it matter if we don’t encrypt the communications when someone looks for ATM locations?” or “this will totally throw off our Gomez rating”. I swear that Gomez is law-of-unintended-consequences responsible for why the majority of banks proffer the less-secure practice of placing the unencrypted login page on their main home page — they can do so without compromising the load-time of their website when measuring the speediness of their own website against those of their peers. It’s nice to see that some companies are coming around and enforcing the use of SSL for their entire website.

The reason why I like that this blog uses SSL is simple and is one of my core philosophies — what you do on the internet should be your own business, and web sites should help you maintain this level of confidentiality. Even if every website used (and protected) its own self-signed certificate, users could still benefit from the knowledge that whatever they were doing on the website was not visible to others. Of course, everyone would have to click "OK" on the certificate error pages, but that behavior already seems well established.

As much as I am for doing this on my own blog, I also administer content-filtering for a medium-sized financial services company -- protecting every website with SSL would reduce the bulk of most content-filtering applications to simple IP-based rules, or cause management to implement transparent proxy technologies which would result in really important SSL-protected traffic being visible to a handful of employees (a liability to which I would not subject myself or my staff). Additionally, content-filtering systems would likely fail to address large hosted environments with shared IP addresses.

So - toolsets would have to evolve to address a new "always confidential" internet. This includes Google AdWords, which has yet to support SSL websites. Google Analytics still works - but that's a privacy issue, and not a confidentiality one. :)


All rights reserved CCIE Agent, Ltd. | A Dan-n-Eman Publication