Where does the Winhost community stand on the side-jacking threat posed by FireSheep? There is a discussion that, with the current multi-core processors running the servers, it is not an issue to have SSL on for every page.
Yes, but let me explain. If you have FireSheep installed on your laptop and you're in an unprotected WiFi network area, you can watch all of the traffic both ways between the server and the client. Originally, FireSheep was just a hack on the Mozilla browser. But technology is continuing forward. FireSheep can do every browser now. I watched a webinar today and they were saying that you have to run SSL for every page and on every cookie. The webinar's point was -- given the tools in our modern world, even a casual user can be a sophisticated hacker. OK, he/she may not have a sophisticated plan to launch a cross-site script attack on your website, but they can still mess things up. Understand also, SSL is not the only issue for security. The good news (published by Google) is that with today's dual-core processors, they don't really have enough to do just being a "file server", so the changes for the web host are "negligible". Also, who else has switched to 100% SSL? Facebook, Twitter, Google mail and MSMail, not to mention the banks and the top F500. Can we do every page SSL?
It's really a question of the userbase. The Facebooks of the world have millions of un-savvy end users. One "coffee shop incident" - and the story on CNN that night is how unsafe your bank account is if you use Facebook. It's a PR issue for them. So the question is what is your site doing and what does your user base look like. If your site deals with medical records to doctors that use the site on an open wifi connection, SSL on every page is a good idea. If not, and in my personal opinion, it's better to spend time thinking about other things. Packet sniffing (although always a 'sexy' topic) of any sort is much more rare than SQL injection attempts or brute force attacks to sites and FTP. By far the most common issue we see is viruses on developers' computers that steal their passwords to site/control panel/SQL/FTP/etc. Why? Because they do more than just develop on their computers. I have yet to hear of a single incident where a customer's end user had traffic picked off. My 2 cents. YMMV
Absolutely right. I'm all for security measures - I always operate in paranoid mode - but I'm also of the opinion that if you have someone sitting outside your house in a van analyzing your Internet traffic, you have a bigger problem than a possibly compromised web site. And Gmail, Facebook, et al do not force SSL-only connections. They offer them as an option. Server-side as a global thing that we "switch on," no. But you can use a redirect to force all requests to https. It's the same as forcing www (or forcing no-www).
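The two measures named in the thread, a redirect that forces every request to https and SSL "on every cookie", can both be checked from response headers. The following is an added example and not part of any post above; `audit_response`, the host `example.test` and the sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 307, 308)

def audit_response(request_url, status, headers):
    """Audit one HTTP response; headers is a list of (name, value) pairs.

    Returns a list of findings about https redirection and cookie flags.
    """
    findings = []
    plain_http = urlsplit(request_url).scheme == "http"
    hdrs = [(name.lower(), value) for name, value in headers]

    if plain_http:
        location = next((v for n, v in hdrs if n == "location"), "")
        if status not in REDIRECTS or urlsplit(location).scheme != "https":
            findings.append("http request not redirected to https")

    for name, value in hdrs:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            # Without Secure the browser also sends this cookie on the first
            # plain-http request, before any redirect to https can happen.
            findings.append(f"cookie {cookie} lacks Secure flag")
        if plain_http:
            findings.append(f"cookie {cookie} set over plain http")
    return findings

# Constructed sample responses (not captured traffic).
SAMPLES = {
    "redirect only": ("http://example.test/account", 301,
                      [("Location", "https://example.test/account")]),
    "weak cookie": ("https://example.test/login", 200,
                    [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]),
    "hardened cookie": ("https://example.test/login", 200,
                        [("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")]),
    "no redirect": ("http://example.test/", 200,
                    [("Set-Cookie", "session=abc123; Path=/")]),
}

if __name__ == "__main__":
    for label, (url, status, headers) in SAMPLES.items():
        print(label, "->", audit_response(url, status, headers) or "ok")
```

The "weak cookie" case shows why a redirect alone does not cover the session cookie: the site answers only over https, yet the cookie is still eligible to travel on a plain-http request.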