Rich Fife <rfife@amug.org> writes:

[...]

> Do you send an unencrypted HTTP header and then pop over to SSL
> immediately afterwards? When do you do the SSL handshaking? Before
> or after you send the header?

Start straight off with SSL/TLS. (I believe there's a proposal for an
HTTP startTLS, but I don't think it's caught on.)