

Ask HN: Put my entire website behind ssl? - rubyskills
http://www.healpay.com

======
rdin
We had some issues integrating 3rd party systems, such as the Twitter button,
which has had an invalid certificate for months now. If your site can live
without these bells & whistles, then you should investigate and see if your
site can take the performance hit.

~~~
rubyskills
Wow, I didn't think about twitter's button. :-/ We use the twitter widget.. Do
you know if the twitter js is behind a valid cert?

~~~
rdin
Unfortunately, it's been invalid for awhile. You can check it out for yourself
here:

<http://platform.twitter.com/widgets.js> vs
<https://platform.twitter.com/widgets.js>

~~~
rubyskills
Drat! Someone over at twitter should fix this. :(

Luckily, we don't use that js, we use:

<http://twitter.com/javascripts/blogger.js>

and I just checked the certificate behind this and it's valid (I should hope
twitter's main cert is valid!):

<https://twitter.com/javascripts/blogger.js>

and we use the json API:

[http://api.twitter.com/statuses/user_timeline/healpay.json?c...](http://api.twitter.com/statuses/user_timeline/healpay.json?callback=twitterCallback2&count=5)

which also happens to have a valid cert:

[https://api.twitter.com/statuses/user_timeline/healpay.json?...](https://api.twitter.com/statuses/user_timeline/healpay.json?callback=twitterCallback2&count=5)

So it looks like we're in the clear for this at least :)

------
trotsky
Are there any SEO or other indexing issues that crop up if you're only running
TLS?

~~~
mattgaidica
Encrypting site content increases server load, so response time may lag a
little.. and we all know Google does take that into account. Also, it might be
important that robots files and sitemaps are under the https protocol. I am
guessing Google is pretty darn smart about it; I can only imagine, though, that
a broken certificate throws a red flag.

~~~
rubyskills
Ha! Interesting.. I wonder if Google does count that against you, since part of
their latest algorithm factors in page load times.. though I would think that
having your site behind https might give you some extra kudos somewhere..
considering you verified the integrity of your site at least.. (ALTHOUGH,
there was that recent security breach where someone can spoof being a
CA...)

~~~
mattgaidica
Yeah, I am sure there is some top secret Google magic if they are forced
through SSL!

------
rubyskills
Just noticed that www.mint.com does it too...

------
BallinBige
well, paypal does :]

~~~
rubyskills
Did it make you feel safe knowing that it went straight to https? I know
PayPal has a login screen on their homepage so maybe that is the reason they
make you go straight to https?

~~~
BallinBige
yes, warm + fuzzy

------
mattgaidica
No. I think the HTTPS in the browser prompts a user to think there is
confidential information being passed when you're just browsing, so now you
break the user experience. The app portion could be, and should be for any
semi-secret information, but keep the front-end clear of it. Plus, any and all
external resources in-page must be https; it might hang you or a designer up
down the road and break your cert.
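
A small audit for the point above about in-page resources, added here as an example and not code from anyone in the thread: it parses a page and lists every sub-resource hard-coded to http://, the references that become mixed content once the page itself is served over https. SAMPLE_HTML and the cdn/static example.com hosts are constructed; the Twitter URLs are the ones compared earlier in the thread.

```python
"""Mixed-content audit: list sub-resources a page hard-codes to http://, the
references a browser blocks or warns on once the page itself moves to https.
Constructed example; SAMPLE_HTML below is made up for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

RESOURCE_ATTRS = {  # tag -> attributes the browser fetches as a sub-resource
    "script": ("src",), "img": ("src",), "iframe": ("src",), "source": ("src",),
    "video": ("src", "poster"), "audio": ("src",), "link": ("href",),
}
# <link> only fetches for these rel values; canonical/alternate links do not.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch"}

class MixedContentParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url) per http:// resource

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_LINK_RELS:
                return
        for name in wanted:
            url = attrs.get(name)
            # Relative and protocol-relative (//host/...) URLs inherit the page
            # scheme, so only an explicit http:// scheme is a finding.
            if url and urlparse(url).scheme.lower() == "http":
                self.findings.append((tag, name, url))

def audit_mixed_content(html):
    """Return [(tag, attribute, url), ...] for every sub-resource pinned to http://."""
    parser = MixedContentParser()
    parser.feed(html)
    parser.close()
    return parser.findings

def to_https(url):
    """Candidate fix: the same URL over https. Whether that host presents a valid
    certificate is a separate check, done in the thread by loading both URLs."""
    return "https://" + url[len("http://"):] if url.lower().startswith("http://") else url

SAMPLE_HTML = """<html><head><link rel="canonical" href="http://www.example.com/">
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="http://twitter.com/javascripts/blogger.js"></script>
<script src="https://platform.twitter.com/widgets.js"></script></head>
<body><img src="/images/logo.png"><img src="//static.example.com/b.png"></body></html>"""
```

Running `audit_mixed_content(SAMPLE_HTML)` reports only the stylesheet and the blogger.js script; the canonical link is not fetched, and the relative and protocol-relative images inherit the page's scheme.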

~~~
HerraBRE
I disagree. I might not spring for an EV cert in most cases, but using basic
encryption to protect against casual eavesdropping should be the rule, not the
exception.

~~~
mattgaidica
I am 100% with that mentality; I guess I just see the overhead and
understanding of HTTPS causing more problems in practice than solutions for
developers who are not security-centric. Think we'll ever see google.com go to
SSL?

