When is it appropriate to use https?
I would argue it's always appropriate to use (or at least offer) SSL/https, and it's mandatory to use it when passwords, payment information, Social Security Numbers/other personally identifying information is being transmitted. It has an overhead, but in my eyes, the cost is always worth the benefit.
This is just my opinion, of course :-)
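The point above that passwords must never be sent over plain HTTP can be turned into an audit check. This is an added example, not code from any of the answers: it scans a page's HTML for forms containing a password field and reports any that would submit over HTTP (or that sit on an HTTP page, where the form itself could have been altered in transit). The page URL and HTML below are constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect (action, has_password_field) for every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None  # [action, has_password] of the open form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases names, not values
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def find_insecure_password_forms(page_url, html):
    """Return absolute action URLs of password forms that are not
    protected end to end: the page must be served over https AND the
    form must post to an https URL."""
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue  # e.g. a search box; nothing secret is sent
        target = urljoin(page_url, action)  # resolve relative actions
        if page_scheme != "https" or urlsplit(target).scheme != "https":
            findings.append(target)
    return findings


# Constructed sample: a login page served over plain http.
SAMPLE_PAGE_URL = "http://example.test/login"
SAMPLE_HTML = """
<form action="/session" method="post">
  <input name="user"><input type="password" name="pw">
</form>
<form action="https://example.test/search"><input name="q"></form>
<form action="https://example.test/session"><input type="PASSWORD"></form>
"""
```

Run against the sample, both password forms are reported: the first posts to http://, and the second is flagged only because the page carrying it is itself served over http.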
HTTPS usage is pretty much mandatory if you want to transfer anything sensitive, such as login information or other personally identifiable information (unless such data is your whole point to exist, like Facebook or LinkedIn).
More broadly, there are a variety of competing drivers for whether or not HTTPS is a good idea.
- By encrypting everything, no one can watch the whole session on the wire. This is the most secure method! Great!
- HTTPS transactions are a lot harder on a server resource-wise than HTTP transactions, so you will need to start scaling horizontally a lot faster if you have a lot of HTTPS transactions. This gets expensive fast.
- Really old clients still have trouble with SSL transactions due to CPU loading, which can reduce who can use your site.
- Really old browsers have trouble with modern SSL transactions due to protocol support issues, which can reduce who can use your site.
- Certain corporate networks disallow all but a white-list of domains for HTTPS support. They do this because they can't monitor the transactions to ensure company IP isn't leaking, among other reasons. This can reduce who can use your site when at work.
Depending on what you're planning on doing with your site, the above may or may not apply to you. It all depends on how far you plan to scale the site, and what your intended audience is.
This BizTech Magazine article looks like it covers all of the basics. Fundamentally:
HTTPS works in conjunction with another protocol, Secure Sockets Layer (SSL)
It sounds like a tautology but you want to use https when you need to send data securely. This will be anything like payment details, bank statements etc. Anything you don't want 3rd parties reading.
But when security is a must, HTTPS differentiates one sender and receiver from another. SSL takes the data, going or coming, and encrypts it. This means that SSL uses a mathematical algorithm to hide the true meaning of the data. The hope is that this algorithm is so complex it is either impossible or prohibitively difficult to crack.
Any time you are sending private information back and forth. If you don't use HTTPS, information is transmitted in plain text over the internet and is open to sniffing.
This is likely a good place to start: http://en.wikipedia.org/wiki/Transport_Layer_Security
But in short, when you want a secure connection.