Do you need SSL?
SSL (Secure Sockets Layer) is a technology to encrypt communications between the user and the web server. It helps to prevent hacker attacks that are based on eavesdropping. When you use a web page that is protected by SSL, you see a padlock icon that assures you that the page is secure.
Is the web site really secure with SSL?
No. SSL secures the network communication link only. Although this is an important security layer for sensitive applications, most attacks on websites are not actually done this way. Most attacks on websites are actually done in one of the following ways:
- The server is attacked directly. SSL does not protect you from this. Rather, you need to have a good IT security policy to protect your server.
- The user is attacked directly, either by infecting their PC with malware, or by using "phishing" to steal their passwords. SSL does not protect you from this, either. To protect your own PC from this, you need to use a good anti-virus program, and use lots of common sense and a small amount of paranoia when on the Internet. However, it is unrealistic to expect that all the PCs of all of your website visitors will be adequately protected.
In other words, SSL does very little to prevent the website from being hacked. It only prevents 3rd parties from listening to communications between the user and the website.
In that case, when is SSL important to have?
If you are transmitting sensitive private data over the internet, SSL is an important additional security layer. Although eavesdropping may be a less common form of attack on the website, there is no reason not to protect against it if the consequences are serious.
Although the risk to the website may not be that great, the risk to individual users may be significant in some cases. For instance, any user accessing your website from a public wifi connection (such as at a coffee shop) can be eavesdropped on fairly easily by other users at the same location. Eavesdroppers can see what is typed into forms on non-SSL sites, so the risks will depend on what sorts of forms you have.
The most obvious high-risk form is your login form, which asks for username and password. An eavesdropper can potentially obtain these login credentials and then log in as that user. How risky or dangerous that is depends on what personal information the eavesdropper can obtain, or what harm they can cause with this information. Even if the risk is low with regard to your website, you should also consider that some users will re-use passwords on many websites, so the risk may extend to sites and situations that are beyond your control.
What kind of "sensitive private data" needs protection?
Private data is information that should only be known to you (the website owner) and the user. The most obvious example is credit card numbers. If you outsource your credit card processing to an external e-commerce gateway, the transactions are protected by your e-commerce provider's SSL. Adding SSL on your website is not necessary in this case.
Passwords are the next most obvious thing to protect, as noted above. If you do not have a membership or public user base, then your own personal admin passwords may be the only ones you need to think about. If you do not do website administration from public wifi networks, then this is not a major concern.
Note that personal information such as names, email addresses, phone numbers, and mailing addresses is not private. This is information that is meant to be shared with others. SSL does not really protect information that is already publicly available in more accessible formats such as the phone book.
There is a grey zone between private data (which should be known only to you and the user), and personal data (which is known and used by many others). Individual pieces of personal data may not be a big deal, but if you collect enough personal data, identity theft may become a plausible threat. Special account or identity numbers (SSN, SIN, driver's license, health care, or passport numbers, for example), along with birth dates, common security questions (e.g. mother's maiden name, names of family members), and information of that nature may collectively comprise an identity that could be stolen for nefarious purposes. The more of this sort of information you collect, the more SSL might be a worthwhile addition to your security policy.
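To see which of your own forms fall into the categories discussed above (login credentials, card numbers, identity numbers, birth dates) and whether they are submitted in the clear, the following added example inventories a page's forms. It is not part of the original article; the field-name hints, the sample page and the example.com URLs are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field-name hints per data category named in the article (assumed heuristics).
HINTS = {
    "password": ("passw", "pwd"),
    "credit card": ("card", "cvv"),
    "identity number": ("ssn", "passport", "licen"),
    "birth date": ("birth", "dob"),
}

class FormAuditor(HTMLParser):
    """Records each form's resolved submit URL and the sensitive fields in it."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._form = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            target = urljoin(self.page_url, a.get("action") or "")
            self._form = {"target": target, "fields": set()}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            name = (a.get("name") or "").lower()
            kind = (a.get("type") or "").lower()
            found = {k for k, hints in HINTS.items() if any(h in name for h in hints)}
            self._form["fields"] |= found | ({"password"} if kind == "password" else set())

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit_forms(page_url, html):
    """List (target, sensitive fields, transport) for forms carrying sensitive data."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    return [(f["target"], sorted(f["fields"]),
             "encrypted" if urlparse(f["target"]).scheme == "https" else "cleartext")
            for f in auditor.forms if f["fields"]]

# Constructed sample page served over plain HTTP (not from the article).
SAMPLE_URL = "http://www.example.com/members/"
SAMPLE_HTML = """
<form action="login.php"><input name="user"><input type="password" name="pw"></form>
<form action="https://secure.example.com/apply"><input name="ssn"><input name="date_of_birth"></form>
<form action="/search"><input name="q"></form>
"""
```

Calling audit_forms(SAMPLE_URL, SAMPLE_HTML) reports the login form as "cleartext" and the application form as "encrypted"; the search form collects nothing sensitive and is not listed.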
I don't store lots of personal data, my private members' area is not especially sensitive, and I outsource credit card processing to a secure e-commerce provider. Is there any other reason why I might want SSL?
Not everybody knows what SSL protects or how it works. All they know is that the little padlock icon is "good". If your users are pestering you because you don't have the padlock icon, then it may be easier just to get SSL than to try to explain all the security nuances of why it won't help them in this case.
Web browsers often throw up security dialogs when you move between SSL web pages and regular web pages. These dialogs are meant to be a more obvious variant of the padlock icon--to advise the user when their communications are encrypted and when they are not. They may pop up, for instance, when you finish paying at an e-commerce page, and are then redirected back to your website to get your receipt. However, dialog boxes sometimes seem like error messages to inexperienced users, who may attempt to cancel or reverse the operation they started. If this causes problems for you on your website, you may want to consider adding SSL just to prevent these dialog boxes from appearing.
In both of these cases, it is important to understand that SSL is not really doing much to protect your website. Rather, it is only being used to smooth over user interface and security issues that your users may not adequately understand, and to reassure your users that you do consider their security and privacy to be important.
One extra useful thing that SSL allows for is verifying that the website owner is really who they claim to be. If you are at risk of being spoofed by phishers, or otherwise need to be able to prove to your visitors that you really are who you claim to be, then SSL can help users confirm your identity by clicking on the padlock icon to get more information about you.
I probably don't need SSL, but it might be best to get it just to be safe. Is there any downside to using SSL when you don't need it?
Yes. SSL is slower because every single byte of information needs to be encrypted and decrypted by both the user and the webserver, and this takes significantly more effort than simply transmitting in the clear. SSL not only encrypts information typed into forms by users, but also the text of web pages, style sheets, scripts, images, and videos. Most of this does not need to be encrypted, but it gets encrypted anyway (otherwise the browser will complain that the secure page contains insecure elements). If you use SSL on a website that doesn't need it, every user will pay a price in speed, and your website will "max out" on its performance sooner because much of that performance is being diverted to encryption.
SSL also creates an administrative burden, because the certificates cost money, require paperwork and verification by a third party, and need to be renewed, just like domain names. They also require private IP addresses, which may incur an extra cost if you do not already have a private server.
If you need a secure function on your website, but do not want to put up with the above issues, note that some ISPs will provide a multipurpose security certificate for their hosted clients to make use of. However, these multipurpose security certificates will not be on your domain name. For example, your website might be called "http://www.MySuperWebsite.com", but the secure area that your ISP gives to you will be called something else like "http://secure.AcmeISP.com/MySuperWebsite".