
Definitely an interesting service. A bit of a shame that after repeatedly encouraging the use of encryption, their site doesn't support HTTPS.


Their content pages don't (they are entirely static) but their order form stuff does, obviously.

HTTPS end to end isn't really worth it for some things.


> HTTPS end to end isn't really worth it for some things.

Don't agree. Serving HTTPS is cheap now, and it's easier just to put _everything_ on SSL and avoid the mental effort of deciding what goes where.


Ah, but part of their argument is that it is always worth it so that when it is worth it, that content doesn't stand out. So, by their own argument, they should enable https even for the static content pages.


Not that it's particularly expensive either. A single domain cert can be found for a few bucks, a wildcard for under 100.


Most of the cost for a high-traffic website is processing requests over SSL, not the price of the cert.


Really? SSL is dirt cheap to compute these days. Google saw a 1% increase in CPU usage when they made SSL mandatory for Gmail.

http://highscalability.com/blog/2011/2/10/dispelling-the-new...

https://www.imperialviolet.org/2010/06/25/overclocking-ssl.h...


It depends on the cipher and your software; I had tremendous trouble with some free PHP forum stuff recently when it curled things with PFS.


AES is implemented in hardware now. RSA is cheap to compute; SHA1 is not even a factor. If you want forward secrecy, DON'T use DHE, use ECDHE; plain DHE is expensive.

To be fair, nearly all PHP forum software is crap.



