I have a site at mydomain.com. Users can sign up there to create a simple little site of their own that gets automatically created and can then be found at mydomain.com/name-user-chose

There is an admin section of the site that users can log in to, to create and manage their pages.

I want to enable SSL on the site for the log in functionality and because the back end admin section uses Stripe to handle payments. I'm wondering what the best way to handle SSL is in this type of set up. All of the user created pages won't need SSL, nor will the homepage, just the admin section.

That leads me to think that perhaps the best way to handle it is to set up a subdomain, perhaps admin.mydomain.com, and only use SSL on that subdomain. Handle all of the user login through that subdomain as well. And leave mydomain.com and all of the user pages (for instance: mydomain.com/this-is-an-example) as regular http pages and not SSL.

Would that represent best practices? I know just enough that I know how to implement everything above, but I don't know enough to know whether or not it would be the best way to do things.

  • 2
    Enabling TLS would be [much better than](http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability) enabling SSL. –  Jun 19 '15 at 20:15
  • 4
    What is your concern with using TLS/SSL across the entire website? – amccormack Jun 19 '15 at 21:29
  • 1
    get a wild card cert and do `name-user-chose.example.com` and `name-user-chose.example.com/admin` or `example.com/admin/name-user-chose` ... *all under TLS*. no reason to not use TLS for everything unless your country has some funny laws. – Skaperen Jun 20 '15 at 09:04

2 Answers

1

This old question popped on the front page and the answer today is clear because...

The current best practice is to use TLS for every page & enforce it with HSTS.

...and disable SSL2, SSL3, TLS 1.0 & TLS 1.1 as they are deprecated, too.

Esa Jokinen
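An added example (not from this answer or from the asker's site) of what that recommendation looks like in an nginx server block: plain HTTP is redirected to HTTPS for every path, HSTS is sent, and only TLS 1.2/1.3 are enabled. Hostnames, certificate paths and the web root are assumptions.

```nginx
# Constructed example; hostnames, paths and web root are placeholders.

# Redirect every plain-HTTP request (home page, user pages, admin) to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name mydomain.com www.mydomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name mydomain.com www.mydomain.com;

    # One certificate covering every name served by this block (assumed paths).
    ssl_certificate     /etc/ssl/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/mydomain.com/privkey.pem;

    # Weak setting this replaces would be:  ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # Only TLS 1.2 and 1.3 are enabled; SSLv2/SSLv3 and TLS 1.0/1.1 are off.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS: the browser refuses plain HTTP for this host for the max-age period.
    # Start with a short max-age (e.g. 300) until every subdomain is confirmed to
    # work over TLS, since includeSubDomains applies the policy to all of them.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    # Admin section (login, Stripe) and user pages such as /name-user-chose
    # are all served from the same TLS-only host.
    root /var/www/mydomain;
    location /admin/ {
        try_files $uri $uri/ /admin/index.html;
    }
    location / {
        try_files $uri $uri/ =404;
    }
}
```

After reloading, verify the redirect and headers with `curl -I http://mydomain.com/` and `curl -I https://mydomain.com/` before raising the HSTS max-age.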
0

It is better to support TLS on the whole site, but it is probably more expensive to get certificate. While securing just admin.domain.com, some cheap certificates for 1 name will be enough. While securing the whole site, you will need domain.com and admin.domain.com in the certificate.

Edit: I have found what is best for this - StartSSL, as listed in Where to get an SSL certificate for personal website?. It is free.

Vilican
  • 1
    the whole site and many users could be put under one simple cert ... but just not look as hip. – Skaperen Jun 20 '15 at 09:06
  • You do not need to use admin.domain.com. You can easily use domain.com/admin. 1 single cert will work in this case. – limbenjamin Jun 23 '15 at 13:24