I have written a couple post on SSL:
- No SSL on Azure WebSites (maybe in May 2013?), and shy SSL deployments are so hard
- Interesting SSL challenge between Dev/QA and production
- Trustworthy Internet Movement and SSL Pulse
- Blogger in HTTP only? What happened to HTTPS?
- HSTS in TeamMentor
- Etsy.com - A case study on how to do security right?
Namely the fact that:
- SSL requires Development and Infrastructure to work together,
- It adds more complexity to the deployment (note how the Azure team is taking a long time to add support for it)
- It is still a pain to add SSL support to existing web servers
- Management of keys is hard
- It is another source of bugs (for an application).
- There are a lot of people (and organizations) that really don’t want SSL-everywhere to happen