However, that is not a very satisfactory solution not least because running your site over https is noticeably slower than http.  Typically, you will want the Joomla administrator to run over https, and the front-end website to run over http - perhaps switching to https when a user logs in.  Joomla 1.0.x versions do not support this behaviour natively - to get it working, it is necessary to make some small hacks to certain Joomla files... (ed: Joomla 1.0.12 now ostensibly supports https, although it will not switch automatically between http and https on login, and in our experience, it tends to revert the 'live site' setting back to http before it gets to the template, thus not serving everything over https).

Always make sure you are running the latest stable version of Joomla.  Back everything up before you start!

Disclaimer: The following hacks work for me, but are not guaranteed to work on every server configuration or Joomla installation. Use of these hacks is entirely at your own risk! 

To make sure the Joomla administrator always runs over https...

In administrator/index.php, immediately after the line that says

define( '_VALID_MOS', 1);

Add the following:

//Redirect to https if accessed over http (except when running locally) if ($_SERVER['SERVER_NAME'] != "localhost")
{
  $port = $_SERVER["SERVER_PORT"];
  $ssl_port = "443";  //Change 443 to whatever port you use for https (443 is the default and will work in most cases) 
  if ($port != $ssl_port)  
  {
    $host = $_SERVER["HTTP_HOST"];
    $uri = $_SERVER["REQUEST_URI"];
    header("Location: https://$host$uri");
  }
}

Also add the above code to /administrator/index2.php - immediately after the require_once directives near the start. 

This forces the administrator to always use https. However, if you are using IE and find that it keeps warning you about insecure items on the page, you will have to add the code from part 1 to the end of your configuration.php file instead.  Note however, that the code you add there will be lost whenever you save the 'Global Configuration' page in Joomla (so you will either have to re-add it after saving, or preferably make changes directly in configuration.php instead of using the Joomla 'Global Configuration' screen).

To enable the front-end to support https...

Since 1.0.12, we have found it necessary to add the following to the start of the template's index.php file (not the main Joomla index.php):

<?php
global $mosConfig_live_site;
if ($_SERVER['SERVER_PORT'] == 443)
{
  $mosConfig_live_site = str_replace("http://", "https://", $mosConfig_live_site);
}
?> 

Note: The following hack is not necessary as of 1.0.13: 

In order to avoid problems with session cookies while switching from http to https, you will need to edit a line in the includes/joomla.php file.  Find the line (round about line 904) that says:

return md5( 'site' . $mainframe->getCfg( 'live_site' ) ); 

...and replace it with the following:

if (strpos($mainframe->getCfg('live_site'), 'http://localhost') !== false) {return md5( 'site' . $mainframe->getCfg( 'live_site' ) );} else {return md5( 'site' . str_replace("http://", "", str_replace("https://", "", $mainframe->getCfg( 'live_site' ))) );}

These hacks enable Joomla to be able to handle both http and https.  They do not however cause your site to automatically switch to https.  There are 2 ways to acheive this:

1) Instead of using the login module, use the login component, and link to it from a menu item of type URL - specifying https in the URL.  For example, you could create a menu item that points to https://www.yourdomain.com/index.php?option=com_login - that way the entire login process is handled using https.

2) If you want to keep the login module, the login form itself will not be shown over https, however by making the following alterations, the login submission is still protected as the form will be submitted over https when the user clicks on login. In other words, it is just as secure as using option 1, but the user will not see a padlock icon until after they have logged in.

In either case, you need to make a small amendment to the login form.  If you are using option 1, the form to be altered is in the components/com_login/login.html.php file.  If using option 2, it is in modules/mod_login.php.  There is nothing stopping you using both methods, in which case you will need to alter both files.

In modules/mod_login.php, look for the line that says:

<form action="<?php echo sefRelToAbs( 'index.php' ); ?>" method="post" name="login" >

Make sure you get the login one, not the logout one (ie. make sure it 'index.php', not 'index.php?option=logout' in the middle bit).  Replace that line with the following:

<form action="<?php echo strpos($mosConfig_live_site, 'http://localhost') !== false ? sefRelToAbs( 'index.php' ) : sefRelToAbs( str_replace('http://', 'https://', $mosConfig_live_site) . '/index.php' ); ?>" method="post" name="login" >

NOTE: If using the login module, you will also need to go into the module parameters (login to Joomla administrator, go to Modules->Site Modules, and click on the login form), and set the login url to the https:// version of the page you want users to be directed to when they log in. If you don't do this, IE will might you a nasty warning message when you try to log in, and you could be redirected back to http. 

You can also optionally redirect to http when the user logs out by setting the logout url in the module parameters. However, IE will display a warning when redirecting to http like that. To get the site back to http when logging out without the pesky warning in IE, you need to change the logout form as well.  Look for the line (nearer the start of modules/mod_login.php) that says:

<form action="<?php echo sefRelToAbs( 'index.php?option=logout' ); ?>" method="post" name="logout">

Make sure you get the one that says 'index.php?option=logout' in the middle.  Replace it with:

<form action="<?php echo sefRelToAbs( str_replace('https://', 'http://', $mosConfig_live_site) . '/index.php?option=logout' ); ?>" method="post" name="logout">

Unfortunately, having made that change, Firefox will now give a warning when you logout.  As IE is still the most popular browser though (which is also unfortunate!), the above change is probably best.

To update the login component, go to components/com_login/login.html.php, find the line (quite near the start) that says:

<form action="<?php echo sefRelToAbs( 'index.php?option=login' ); ?>" method="post" name="login" id="login">

Replace it with:

<form action="<?php global $mosConfig_live_site; echo strpos($mosConfig_live_site, 'http://localhost') !== false ? sefRelToAbs( 'index.php?option=login' ) : sefRelToAbs( str_replace('http://', 'https://', $mosConfig_live_site) . '/index.php?option=login' ); ?>" method="post" name="login" id="login">

If you want to revert back to http when they log out, scroll down to the logoutpage function (near the end of the file), and find the line that says:

<form action="<?php echo sefRelToAbs( 'index.php?option=logout' ); ?>" method="post" name="login" id="login">

Replace it with:

<form action="<?php global $mosConfig_live_site; echo sefRelToAbs( str_replace('https://', 'http://', $mosConfig_live_site) . '/index.php?option=logout' ); ?>" method="post" name="login" id="login">

The next major release of Joomla (version 1.5) will apparently have full https support without any hacks being necessary!