Just read this article on Google Analytics and the risk of forged certificates, where it said:
> Sooner or later it's going to happen; obtaining forged SSL certificates is just too easy to hope otherwise. What can we do about it? Don't load the Google Analytics javascript when your site is accessed via HTTPS. This is easy to do: Just throw a `if("http:" == document.location.protocol)` around the `document.write` or `s.parentNode.insertBefore` code which loads the Google Analytics javascript. On the website for my Tarsnap online backup service I've been doing this for years — not just out of concern for the possibility of forged SSL certificates, but also because I don't want Google to be able to steal my users' passwords either!
The thing is, one of the best things about Google Analytics is the ability to track goals -- getting users to interact with the site in specific ways.
If I turn off this functionality for SSL, it means that many of the goals -- getting them to sign up and getting them to buy things -- are going to necessarily be blocked.
So, I'm torn. Is there any way to continue using Google Analytics for this purpose while maintaining some semblance of security for my website? Is it just an impossible tradeoff of functionality vs. security?