Recommendation: Company website forced to https?

Solution 1:

We run a few of our websites on HTTPS only, at the request of company administrators who wanted to give out a "We take your privacy really really seriously" message, and apart from the need for a dedicated IP address for each site, we've never noticed any drain on our servers.

These are all low-traffic sites, maybe 1000-5000 hits a day, mostly from return visitors.

With HTTPS, you may also lose:

  • Client-side caching (caching HTTPS is usually considered a no-no, but if you explicitly specify an Expires header some browsers will still cache it)
  • Fast load times for dialup/high-latency users (the HTTPS handshake is negligible for broadband, but quite noticeable for dialup or people in Thailand)

If these things don't worry you (they didn't to our users or companies) then I say go for it - no point in arguing!

Solution 2:

If the website is accessible to anyone anyway, there is no real point in HTTPS besides enabling it for the forms, since anyone can read the page anyway. On the other hand, the impact HTTPS has on the server is really low, especially if you are running some dynamic page anyway, which makes the impact of HTTPS really unnoticeable. My recommendation would be just turning it on in the web server, because there is nothing to rewrite really. If you ever get to a situation where your server needs the little performance that is taken away by HTTPS, you could turn it off, but you probably won't solve your performance issues by doing so, if there are any.

So in short, just save yourself the hassle of fighting about something like this and just turn it on ;)
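The "just turn it on in the web server" advice above, as an added nginx configuration that is not code from either answer; the hostname, certificate paths and document root are placeholder assumptions, and the static-asset block shows the explicit expiry that Solution 1 mentions for caching over HTTPS:

```nginx
# Added example: force a site to HTTPS in nginx (not from the answers above).
# Assumptions: the site is example.com; cert/key/document-root paths are placeholders.

# Plain-HTTP listener: serve nothing, only a permanent redirect to the HTTPS site.
# A fixed canonical hostname is used instead of $host so the redirect target
# cannot be steered by an arbitrary Host header.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/ssl/certs/example.com.fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;          # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Ask browsers to use HTTPS for this host for one year (HSTS), so that
    # later visits skip the plain-HTTP request and redirect entirely.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/example.com;   # placeholder document root

    # Static assets over HTTPS get cached client-side only because we say so:
    # "expires" emits both an Expires header and Cache-Control: max-age.
    location ~* \.(css|js|png|jpg|gif|ico)$ {
        expires 7d;
    }

    location / {
        index index.html;
    }
}
```

Reload nginx after editing (`nginx -t` to validate, then `nginx -s reload`) and confirm with a browser that an http:// URL for the site lands on the https:// page.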