Yes SSL is important for security. Professional sites should at the very least require SSL for login, registration, user profile , and any other pages that contain sensitive data. Its an absolute must have for e-commerce sites.

However, those running blogs or other sites where the data is not so sensitive have to weigh the cost of the SSL certificate against the possible consequences of a breach and may find that they can live with the risk. For example, if you don't have SSL, it is possible that someone with access to an upstream router can sniff packets while you are logging in and steal your password. Obviously, if the site contains sensitive data this is very very bad, but if the site is just a blog, the only real possibility for damage is that the person who steals your password can deface your site. The odds of this actually happening to your blog seem kind of slim to me and the consequences are not catastrophic or expensive, just very annoying. Its a big internet out there with lots of sites and it seems unlikely that someone (who has access to an upstream router) is waiting around for you to login to your blog while sniffing packets until you do. I would say that whether or not you do use SSL, you should be careful and not ever use the same password for your blog as for your online banking.

I recently upgraded the SSL certificate on this site from a self signed one to a certificate from RapidSSL.Com, the prices were very reasonable, much more economical than I expected. If you use the free 30 day trial certificate, you get an even better price because of their upgrade special. (Thanks to Aaron King for pointing me to RapidSSL recently when I was inquiring about a signed certificate)

In mojoPortal, there is a web.config setting SSLIsAvailable, if set to true, mojoPortal will always use SSL for login, registration, password recovery, user profile, etc. In addition, when this is set to true a setting will show up in the Pages Settings fro each page to allow requiring SSL on a page by page basis. There is also a setting in Site Settings to require SSL for all pages in the site without having to specify it on each page.

Joe

Hi,

Before you set SSLIsAvailable to true you should test against a static file using https to make sure it works like https://yoursite/Error.htm is an example of a static file you could test on.

Once an SSL certificate is installed on the server, it still has to be installed in the IIS web site using a specific ip address and it may also need a host header for port 443 to resolve the domain name if the ip address is shared with other sites. Do some googling for more info about configuring an ssl certificate in IIS.

Once it works with the static file using https then you can enable it in config.

Hope it helps,

Joe