Why Would I Ever Consider Putting SSL on Non-Transactional Pages?

Scott Rogers How-To

One question we often hear from our customers is why they might consider placing non-transactional pages under SSL.  It turns out there are very good reasons for doing so.

Advanced attacks can skirt the login

Starting all the way back in the 2000s, criminals began to realize they could harvest usable data from user account sessions beyond the login page.  At the time the common practice was to secure the login page with SSL (preventing a man-in-the-middle attack from stealing a user name and password) and then grant the user account access in the clear.

Clever criminals began using publicly available hotspots to harvest information from users logged into their accounts.  This method enables collection of personally identifiable information (PII) and the background information required for spear phishing and other social engineering scams.

The solution to this type of attack is Always-On SSL (AOSSL) or "SSL everywhere."  By placing all pages that require account login under SSL, this modified breed of man-in-the-middle attack becomes ineffective.
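A check for the gap described above, added here as an example and not taken from the original article: it scans recorded responses for pages served in the clear and, going beyond what the article states, for session cookies without the Secure attribute and HTTPS responses without an HSTS header.  The hostnames, cookie names and response records are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample: (requested URL, status, headers) as a crawler might record them.
SAMPLE = [
    ("https://shop.example/login", 200,
     [("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
      ("Strict-Transport-Security", "max-age=31536000")]),
    ("http://shop.example/account", 200, []),
    ("http://shop.example/orders", 301,
     [("Location", "https://shop.example/orders")]),
    ("https://shop.example/cart", 200,
     [("Set-Cookie", "cart=42; Path=/; Secure; HttpOnly")]),
]

def cookie_lacks_secure(set_cookie_value):
    """Return the cookie name if the Secure attribute is absent, else None."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return None if "secure" in attrs else name

def audit(responses):
    """Return (url, finding) pairs for responses that break Always-On SSL."""
    findings = []
    for url, status, headers in responses:
        hdrs = {}
        for name, value in headers:
            hdrs.setdefault(name.lower(), []).append(value)
        if urlsplit(url).scheme == "http":
            # Plain HTTP is acceptable only as a redirect to the HTTPS URL.
            target = hdrs.get("location", [""])[0]
            if not (300 <= status < 400 and target.startswith("https://")):
                findings.append((url, "served in the clear, no redirect to HTTPS"))
            continue
        if "strict-transport-security" not in hdrs:
            findings.append((url, "no HSTS header"))
        for raw in hdrs.get("set-cookie", []):
            name = cookie_lacks_secure(raw)
            if name is not None:
                # Without Secure, the browser also sends this cookie over HTTP.
                findings.append((url, f"cookie '{name}' lacks Secure"))
    return findings

if __name__ == "__main__":
    for url, finding in audit(SAMPLE):
        print(f"{url}: {finding}")
```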

SSL improves SEO results

For years now search engines have been granting improved SEO value to pages secured with SSL.  Their reasons for doing so are that the search consumer has a safer experience on the whole and that, by virtue of the authentication aspect of SSL, the site is more likely to offer authentic content from a real business.

As SEO techniques go, adding SSL is just about the easiest and cheapest option there is.  100% of the content you care about from an SEO perspective should be SSL protected.

Note that this same argument applies to landing pages for paid search.  Your AdWords bid price is affected in part by Google's assessment of the site's appropriateness to the search term.  More appropriate pages win the same position for lower prices.  A modified form of Google's search algorithm is driving this adjustment, and that includes the presence of SSL.  So to maximize paid search spending efficiency, make sure you include certificates for all landing pages.

Chrome marks all non-SSL pages as not secure

As we recently wrote about, in June 2018 Chrome began to mark all HTTP pages as not secure.  If left on your site, this negative trust indicator will decrease transaction completion rates, hurt site traffic, and damage your brand reputation.

SSL's compute/bandwidth overhead is irrelevant today

Once upon a time there was a very good argument against widespread use of SSL.  Encryption adds time to computing processes and requires greater bandwidth to transmit a given amount of information.  In the 1990s, the common internet user's computer and available bandwidth were both limited enough that this difference was meaningful.  Since slower web sites experience greater abandonment and decreased transaction rates, businesses were motivated to employ SSL only where absolutely necessary.

Those days are past, however.  Today's internet user expects a data-heavy experience including streaming video, image-rich content, and near-instant response.  Our servers, our client machines, and the pipes in between are all built to serve these needs.  Compared to that, the encryption overhead is simply background noise.  On top of that, TLS 1.3 will decrease SSL's handshaking overhead even further.

In short, there is no noticeable difference between SSL and non-SSL sessions for your target user today.  So go ahead and put SSL on your pages.