Comment by Vasan Subramanian on "How important is SSL for a web app? Should we always use it whenever user sign-in is involved?"

My suggestion is to enable SSL for all pages. Reasons:

Pros:

It is a pain to manage a mix of SSL and non-SSL (plain text) pages on your site.
Google has starting giving better ranking to fully SSL websites.

Cons:

Your pages may be served/load slightly slower since there is extra processing required at both the server and client for encryption and decryption.

But, IMO, the performance impact is going to be very minimal. On the server side, if you have a load balancer (e.g., AWS ELB) it will deal with your encryption/decryption so your own server needs to do nothing extra.

On the browser side too, but for very old browsers / old mobile phones, it is unlikely a user will notice the difference.

So, unless your tests conclusively prove that non-SSL pages load significantly faster, and you don't mind sacrificing SEO or extra hassles for that speed, you should not be considering a mixed website.

Search Hashnode