I think his point is clear enough. If someone doesn't trust the security
of a site enough to make a purchase using their card details, etc., then
they're not going to trust the site more just because all pages are served as
HTTPS.

I recommend that you carefully read the content
of
That website is in several languages, English too.
To read just an article might be the same as to read just a thread in
alt.html....
So, to read just an article would not tell you very much, I am afraid....

I've looked through a fair few articles on that site, and I can't find
anything that concerns the sorts of security problems that you're
worried about. It certainly doesn't mention securing every single byte
of information that leaves a server.

Of course, it is possible that consumers in the USA would react in a totally
different way.
But, I suppose that at least some people appreciate that a site is served
over https.

I don't think anyone would be more likely to feel secure knowing
that your whole site was served as HTTPS. I think most users would fall
into one of three categories:
1) Those who don't know anything about HTTPS won't notice any difference
(except that pages load more slowly), and so won't perceive any benefit.
2) Those who do know that HTTPS helps secure confidential information,
but still feel wary about giving their credit-card details online aren't
going to suddenly feel safer and decide to make a purchase just because
all the non-confidential pages are HTTPS as well.
3) Those who know quite a bit about HTTPS will know that there is no
rational benefit to all pages being served as HTTPS, and that their
confidential details are no more secure, and may also be suspicious (as
someone else suggested, I think).

Let's put things this way:
1) If the user prefers to navigate on the pages of the website which are served over the
http protocol he can do that,
except for some pages which are served only over the https protocol.
2) If the user wants to navigate on the pages which are served over the
https protocol, he can also do it!
So, I do not see any disadvantage in serving a page over both protocols, except
for some pages which should be served only over https.

I'll try and summarise (as objectively as possible):
* HTTPS is designed to prevent hackers intercepting and retrieving
confidential information as it's being transmitted by TCP/IP. Therefore
it (or an equivalent scheme) is essential when it comes to a user's
personal information and payment details.
* HTTPS is not designed specifically (AFAIK) to protect against
malicious TCP/IP injection. Anyway, the likelihood of this occurring on
a non-confidential page is minuscule. The amount of effort it would take
to intercept, block, and replace the TCP connection stream from your
server to the browser in real-time is huge.
* A malicious hacker or user is far more likely to target your server
itself, either by hacking directly, or by exploiting security holes in
badly-designed scripts. HTTPS has nothing to do with this. The security
of your scripts deserves far more attention than securing transmission
of non-confidential information.
* HTTPS-served pages take longer to load, slowing down the user's
browsing experience.
* HTTPS prevents page caching, reducing the navigation usability of your
site.
* HTTPS may bring up "this is a secure page" pop-up in some users'
browsers, slowing them down, confusing them, and possibly scaring them
or arousing suspicion.
* Most users won't understand the implications of the whole site being
served as HTTPS, and therefore will perceive no benefit.
* Offering a user a choice of HTTP or HTTPS on arriving at your site
will probably confuse them, and is irrelevant for what they're trying to
find.
Please understand that no-one is criticising you on your aim to improve
security, it's just that most people here think the approach you want to
take is missing the point somewhat.
Oli