HTTPSのみになぜ切り替えないのか、当然のことだがまとまってるのでメモ。

With the session-sidejacking issue highlighted once more by Firesheep, a many people have asked me why more websites, or at least the major players (Google, Facebook, Amazon, etc.) have not enabled SSL by default for all communication. Indeed, encryption is the only way to ensure that user sessions cannot be easily sniffed on a open wireless network.
This sounds easy - just add an s after http in the URL! It's not actually that easy. Here are some of the challenges.

Why The Web Has Not Switched To SSL-only Yet? | Zscaler Blog