SSL, or Secure Sockets Layer technology, is one of the most widely used security protocols on the Internet today, but like all technologies, it isn’t without its own set of flaws. SSL in itself is considered an effective security measure and is difficult to circumvent directly, but its limitations prevent it from being used universally. If SSL were able to provide security at a relatively low cost, it would replace the standard unsecured HTTP protocol nearly everywhere; unfortunately, this is not the case.
Performance and speed
The first and most plainly notable cost of encrypting a webpage with SSL is the connection overhead; the added security and the extra steps taken for verification take time that, even with modern connection speeds, adds noticeable latency to the user’s connection. The exact values depend on the speed of the specific web server in question and the quality of its connection to the user, which vary significantly on a case-by-case basis. However, it is generally agreed that the difference in performance is great enough that a non-technical user can distinguish between a secured and an unsecured form of the same site if the connection quality remains the same.
From an economic standpoint, another major drawback to utilizing SSL, especially for self-hosted or self-maintained websites, is the cost associated with acquiring a reputable certificate. A user’s trust in an SSL connection is based on their trust in the organization issuing the certificate; thus, it can be very costly to acquire a certificate from a well-known source. Wondering how to get the best SSL certificate? Getting the best certificates (i.e. the most well-known and reputable) requires nothing more than paying extra, but the cost of buying one for a small site can outweigh the advantages of security.
Securing multiple domains
The cost of certificates can be mitigated by using one for more than one domain name (website), but this requires a special type of certificate that can secure multiple domains with a single SSL certificate, which is expensive to begin with. Spreading SSL over this wide a system can reduce how secure it is as well; we’ll come back to that.
Of course, there are alternatives to buying an expensive but reputable certificate, but these come with their own limitations. You can sign your connection yourself (i.e. with a certificate you have created), but doing so will give all users a warning that although the connection is secured, it has only been signed by you, an authority that isn’t widely recognized. This can keep your site secured, without the cost, for users who are aware of your organization, but it can also scare away users who are unfamiliar with technology or who have never visited your site before.
On the plus side, once set up properly, SSL itself is as close to completely secure as the practical world comes. Circumvention of a website that has SSL is usually related to a part of the website not being secured, or data being left in an unsecured location due to careless design that allowed the secured portions of the site to be breached. Since SSL is not completely secure and can be defeated by these types of errors, it is safer to secure only the parts of a website that require a secure connection (while making sure not to leave any out); attempting to secure too wide an area, or multiple domains, makes it easier for an intruder to poke a hole through the security.
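The failure described above, a part of the site being left unsecured, can be checked for mechanically. The following is an added example, not part of the original article: it scans the HTML of a page served over HTTPS for resources and form targets that fall back to plain HTTP. The function name, tag list and sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch or submit data.
# Plain <a> links are navigation and are deliberately not listed.
URL_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "link": "href",
    "form": "action", "audio": "src", "video": "src", "source": "src",
}

class InsecureRefFinder(HTMLParser):
    """Collects references that leave HTTPS on a page served over HTTPS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, resolved_url) pairs

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # Resolve relative and scheme-relative URLs against the page URL,
        # so "/app.js" and "//cdn.example.test/x.css" inherit https.
        resolved = urljoin(self.page_url, value.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, resolved))

def find_insecure_refs(page_url, html):
    """Return (tag, url) for every plain-HTTP resource or form target."""
    finder = InsecureRefFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not taken from any real site).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="http://cdn.example.test/tracker.js"></script>
<link rel="stylesheet" href="//cdn.example.test/site.css">
</head><body>
<img src="HTTP://img.example.test/logo.png">
<form action="http://shop.example.test/login" method="post"></form>
<a href="http://example.test/about">About</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_insecure_refs("https://shop.example.test/", SAMPLE_HTML):
        print(f"insecure <{tag}>: {url}")
```

Each finding is a place where the secured page depends on an unsecured connection; the form target is the most serious, because submitted data would travel unencrypted.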