SSL all the time?

I am planning on starting a web application that runs on Node.js. The app will uses an authentication scheme similar to most existing apps. Every interaction will be done over SSL while the user is logged in. I was thinking of having two subdomains for this purpose - the regular www.example.com domain for information about the product and a secure.example.com domain for the “members-only area”. Many sites take this approach. However, I was wondering if it wouldn’t make sense to encrypt all traffic on the site even when it isn’t necessary (the user isn’t logged in).

For one, Node.js makes it surprisingly difficult to do the split domain thing. Not that that is a huge issue—I will figure it out eventually.

More importantly, the product is of such a nature that a large deal of trust is required from the user. Seeing the green address bar will likely be comforting to new potential users. I realize that SSL does not equal security but in many user’s minds it does (which is obviously a bad thing).

What are the downsides to requiring SSL across an entire site? From what I’ve read performance is no longer a major issue. Any advice?

Ah, I see. Thanks for your help. I think I am going to go with an all SSL solution then.

I wouldn’t see any problems with this. Like you said, the days of SSL being a performance overhead are gone.

While SSL != security it is of course helping to secure traffic between server and client.

There is also nothing holding you back from serving both http:// and https:// on the same domain, since the only requirement for a certificate is a unique IP. You could serve everything over http until you require authentication / data from the client, at which point you could swap over to https.