Why not use SSL all the time?
Given how easy it is for an extension such as Firesheep to access people’s data when they’re on a website that doesn’t use SSL, it’s reasonable to ask why sites don’t use SSL for all their pages.
The answer is that, historically, it’s been a matter of computing resources. Encrypting all traffic to and from your server requires far more processing power, and for many sites this extra processing load would require extra hardware resources and hence cost more.
Also, the visitor’s browser has to do more work when receiving SSL pages, which again is something of an issue for low-powered clients such as mobile phones.
However, over the last few years, both server- and client-side computing power has increased so that these days, more and more sites are using SSL for all their pages.
This includes just about all the significant webmail providers. Hotmail, one of the last holdouts, added SSL support in November.
Surprisingly, many popular sites still don’t. Facebook is one, and Amazon is another (although Amazon makes you re-enter your password before you can actually buy any products or change a shipping address, so an attacker won’t be able to do anything horrible even if they do hijack your Amazon session).
Most sites won’t allow you to do things like change your password until you re-authenticate with them by entering your old password – so once again, a session hijack is somewhat limited in what it can achieve.
Still, someone who impersonates you on Facebook could, for example, download all your contacts and send them messages purporting to come from you; change your details; view all your pictures; and even change your privacy settings without you realising it.
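The re-authentication rule described above (a stolen session cookie is enough to read pictures or send messages, but not to change a password or shipping address) can be implemented as a step-up check on the server. The following is an added illustration, not code from the article or from any of the sites it names; the action names, the five-minute re-authentication window and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Actions a hijacked session can still perform with nothing but the cookie.
LOW_RISK = {"view_pictures", "download_contacts", "send_message"}
# Actions that require the password to have been re-entered recently.
HIGH_RISK = {"change_password", "change_shipping_address", "purchase"}
REAUTH_WINDOW = 300  # seconds a fresh password entry stays valid (assumed)


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so the stored verifier is not a plain digest.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes

    @classmethod
    def create(cls, password: str) -> "Account":
        salt = os.urandom(16)
        return cls(salt, hash_password(password, salt))

    def verify(self, password: str) -> bool:
        # Constant-time comparison avoids leaking where the hashes differ.
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))


@dataclass
class Session:
    """Server-side record that a session cookie points at. A sniffed cookie
    gives the attacker this same record, but not the account password."""
    account: Account
    last_reauth: Optional[float] = None  # None until the password is re-entered


def reauthenticate(session: Session, password: str, now: float) -> bool:
    if session.account.verify(password):
        session.last_reauth = now
        return True
    return False


def authorize(session: Session, action: str, now: float) -> bool:
    if action in LOW_RISK:
        return True  # cookie alone suffices; this is the damage a hijacker can do
    if action in HIGH_RISK:
        return session.last_reauth is not None and now - session.last_reauth <= REAUTH_WINDOW
    raise ValueError(f"unknown action: {action}")
```

Note that the window protects only against an attacker who does not know the password; if the legitimate user has just re-authenticated, a cookie captured in that window would be accepted too, which is why serving every page over HTTPS remains the real fix.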
The bottom line is that if the site you’re visiting shows http:// rather than https:// in the address bar, you’re potentially vulnerable.