Should you ever NOT select Secure Mode?

A lot of websites I visit, from Yahoo Mail to various bank and shopping sites, have a choice: “Do you want Secure Mode or standard mode?”

I can see picking secure mode. Why would you ever NOT select it? What’s in it for you if you don’t go secure?

And what’s in it for them either way? Do they pay extra for the secure connection? Enough to bother with?


Poster at Fathom

Perhaps some browsers aren’t capable of it?

For banking and truly sensitive surfing, like you, I always select ‘secure’. Some logins just aren’t worth the time to load the secure login page. http://login.yahoo.com comes to mind. It’s just not a significant security risk to me as I use this login exclusively to view some of my email lists. Apparently, others disagree since the option is there.

Some indeed aren’t. And IIRC correctly, this sort of secure connection will use more bandwidth, which could be an issue for some in the world with really slow connections. There are many places where dial-up access incurs a per-minute charge. Not all the planet has even local unlimited, flat-rate phone service. If what you are downloading has nothing secure or sensitive, little need for it to be encrypted. Probably most people send and receive their e-mail over unsecure connections. The default for many ISPs is not secure, and some don’t even have a secure option.

You should always choose secure if you can. Like jnglmassiv says, some browsers don’t handle SSL, so they’re leaving a door open. In particular, you might see this on sites that conform to ADA standards because there may be a lot of browsers for the disabled (e.g. screen readers for the blind) that don’t handle SSL.

Offering the option is not a cost-saving method for the server. The secure connection does cost them money because the key certificates cost money if you use a commercial certification authority. But that’s a minor yearly cost and it’s not a per-connection cost, so the site doesn’t save any money if you choose the non-SSL mode. I’m sure they’d rather you choose secure mode because in the unlikely event that some sniffer did steal your data from an unsecured connection, it’s only going to cause headaches/liability/bad PR for them.