SSL Certificate. Do you need it if you aren't taking info or CC's?



Harold Mansfield
11-30-2010, 04:34 PM
Can anyone give me a clear reason to have an SSL Certificate on your website?
Is it necessary if you aren't taking CC's or storing information?

mattbeck
11-30-2010, 07:52 PM
Nope! Payments and personally identifiable info are the main reasons.

There may be other edge cases, but that covers 99.9% of why you need one.

vangogh
12-01-2010, 12:03 PM
Technically you would only need to use SSL when transferring sensitive data across the web. Generally that means credit card and related contact information, but it could also mean login information or any other information you think should be encrypted. If you're not using SSL then you're sending the information in plain text so anyone who intercepts the data could read the information.

There is some thinking recently that all web pages should use SSL regardless of what's being sent as it could help a lot with a variety of security flaws. It makes sense as there's really no reason not to use SSL over using it, other than having to get a certificate.

You don't actually need to purchase an SSL certificate to have SSL. A certificate can be generated internally on your server, rather easily. What the certificate does is establish trust. Since anyone can set up SSL it means the unscrupulous can also set it up. A certificate will come from one of several places who have been accepted as trusted sources and in giving it to you are transferring that trust to you. You may not always need that trust. For example I have a program I use internally that does need to use SSL encryption since it sends sensitive data across the web. However I'm the only person who will ever use the program so I don't need that added level of trust. I generated my own SSL certificate on my server. The first time I went to use SSL with my own certificate my browser offered a popup telling me it couldn't verify the certificate and asking if I trusted it. I do trust myself so I replied yes. The encryption is exactly the same as it would be had I purchased a certificate.
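Added example, not part of the original thread: the trust difference described in the post above, checked with the openssl command line. A self-signed certificate fails the default CA check (the source of the browser popup), verifies once it is explicitly supplied as a trust anchor, and a different self-signed certificate for the same name is rejected, so the fingerprint is the value to compare with the server's copy before answering "yes". The hostname internal.example and the file names are placeholders.

```shell
#!/bin/sh
# Added illustration; internal.example is a placeholder hostname.

# Generate a self-signed certificate ($1.crt) and key ($1.key) for hostname $2.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Exit status 0 if certificate $1 chains to a trust anchor.
# Without $2 the default CA store is used (the browser-style check);
# with $2 that certificate is supplied as an explicit trust anchor.
chains_to_anchor() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify "$1" >/dev/null 2>&1
  fi
}

# SHA-256 fingerprint: compare this with the server's copy out-of-band
# before accepting an "untrusted certificate" warning.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

demo() {
  dir=$(mktemp -d)
  make_self_signed "$dir/mine" internal.example    # the certificate on my server
  make_self_signed "$dir/other" internal.example   # same name, different key

  if chains_to_anchor "$dir/mine.crt"; then
    echo "default CA store: verified"
  else
    echo "default CA store: not verified (browser would warn)"
  fi
  if chains_to_anchor "$dir/mine.crt" "$dir/mine.crt"; then
    echo "explicitly trusted: verified"
  fi
  if ! chains_to_anchor "$dir/other.crt" "$dir/mine.crt"; then
    echo "same name, different key: rejected"
  fi
  echo "expected fingerprint: $(fingerprint "$dir/mine.crt")"
  rm -rf "$dir"
}
demo
```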

J from Michigan
12-27-2010, 04:11 PM
I have one on mine, and I don't take credit cards (yet.)

Being a novice, I liked the idea of having that little added sense of security... and none of my competitors have one, so I figured "why not?"

Evan
12-27-2010, 09:18 PM
The first time I went to use SSL with my own certificate my browser offered a popup telling me it couldn't verify the certificate and asking if I trusted it. I do trust myself so I replied yes. The encryption is exactly the same as it would be had I purchased a certificate.

This is the problem with generating your own SSL certificate for the "general public", as they will also see the page and not know whether to trust it. They are likely to NOT accept it, which could adversely affect your business. For non-critical things, it's probably fine. But purchasing one is probably good for credit card data, just so it's a name people recognize.

vangogh
12-28-2010, 11:39 AM
Exactly. If the security is for the general public then you want to get a security certificate from one of the trusted providers. Getting the certificate from the trusted provider doesn't make things any more secure, but it does verify you're who you say you are, lending trust to the whole process. In the case I described above it's only me who'll ever visit the pages in question and I don't need a certificate from a trusted source to decide whether or not to trust myself.

I still suggest that everyone buys a certificate for their ecommerce sites. However if you only need the security for pages that only you or those working for you are going to access you could save the money and set up a self generated certificate. It depends on what pages of your site need to be secure and who's going to be accessing those pages.

Paper Shredder Clay
01-03-2011, 12:52 PM
While originally it was used only for Financial institutions now more and more web services are going to SSL. GMAIL and Yahoo email all use SSL now. Although, I think that is because of a lot of people checking their email on cell phones.

jimr451
01-04-2011, 06:46 AM
If you aren't taking personal info, or credit cards, there's not much of a benefit to SSL. It will encrypt the data between you and the browser, and actually that encryption adds some overhead to the server (probably not noticeable, but may slow your site down slightly).

I'm wondering how many users actually *notice* the security indicators anymore. I really think most people would even submit their credit cards without checking to see if it's a secure connection.

-Jim

vangogh
01-04-2011, 11:04 AM
Jim, I would say you're right about people not noticing if the connection went over regular http. If you use a self signed certificate your browser will likely pop up the message about not trusting the site in question, which I think would keep people from sending the information. Ironically the 2nd site with the self signed certificate is probably the more secure one since at least it used SSL.

You're probably right that most people don't notice it, but I bet there are those who do and you'd most likely lose sales to this latter group. You might also regret later not securing the information since it would mean putting your customers at greater risk of having their information stolen. Sooner or later that would become public and then it's bye bye business.

RyanSmith
09-25-2012, 06:50 PM
This is the problem with generating your own SSL certificate for the "general public", as they will also see the page and not know whether to trust it. They are likely to NOT accept it, which could adversely affect your business. For non-critical things, it's probably fine. But purchasing one is probably good for credit card data, just so it's a name people recognize.

Exactly.

Even if you're not taking CCs ... it is completely a trust issue. People trust the green bar!

The security bonus (even if no public info moves back and forth on your site) is if you're running a CMS, there's a small benefit to having your logins be secure.

Pack-Secure
09-25-2012, 08:14 PM
I don't look for the SSL. I look for the https on the site when I enter my information.