When to use SSL (HTTPS) and when not to?

[random1]

Hey All,

 

I'm currently considering using SSL (HTTPS) on my server for every page visit.

 

The reason I'm considering it is that I want to protect data regarding to the user's shopping cart, order and personal info.

 

Is this a bad idea?

 

Should SSL only be used "when checking out and paying" or is it best security practice to use it all the time?

 

Also do some devices not support SSL? Such as the iphone or other mobile devices?

[andrewgauger]

The reason sites seperate http (browsing) and https (secure) is to conserve processing resources.  There is no need to secure the information showing the users the content that everyone is allowed to view.  There is no reason NOT to secure the cart (get a certificate trusted by everyone such as verisign so people don't think your site is malicious). 

 

Don't make the server and the client negotiate SSL until the user is ready to check out.

 

There is always limits to what mobile devices can handle, and the only way to find out is to test it out yourself. 

 

Self signed certs (where the web server is also the certificate server) will break the function of an iPhone.  If you get the cert from Verisign then the iPhone will work.  Blackberry, android, et al need to be tested as there is no guarantee for what will work, just know that there are some serious limitations in the mobile web.  Which is another reason to separate http and https (limited functioning browsers can at least view the inventory and therefore allow the user to make a decision if it is worth logging in with a desktop.)

[random1]

Awesome detailed response. Thanks