Joe wrote
I want it to be a successful project, but I'm very conservative when it comes to security on my servers.... (Well, everything on my servers, really).
That's the spirit. I'm conservative about anything that touches my code/my work, let alone production servers.
But yeah setting up SSL is painful. I've done it once for Apache, using a website that offered free 1-year certificates, spent about half a day doing things that I barely understood. When the time came to renew it, I thought I'd buy a certificate from GoDaddy instead, maybe that would come with clear instructions and would be easy to set up. Naw, it was worse, and I think that it's not properly set up at the moment, but I'm just pretending that I forgot about it, as long as nobody is complaining.
Terrible, I know, but hey it's hard to be a developer, a sysadmin, accountant, and all that at the same time, on your own, that's why I'm kinda avoiding freelancing.
Jadcham wrote
Everything on the web should become https.
Like who needs caching, application-level firewalls. Let's just have a big fat SSL tunnel and pump everything through that and everyone else can get lost!
Seriously though, without lacking respect or anything (no offense meant), moving everything over to SSL would pose a performance problem.
Also SSL can offer a false sense of security. If I remember well, there was an instance where ISPs (in Egypt) used a root certificate to secretly snoop on users. It was unveiled and things have been put in place to try to avoid that in the future, but that is one case where HTTPS would have provided a false sense of security to users.