: Does SSL really matter for most websites? I've been pretty paranoid about learning to "do security right" for this site I'm building (first non-trivial site I've made), and I've noticed something
I've been pretty paranoid about learning to "do security right" for this site I'm building (first non-trivial site I've made), and I've noticed something that bothers me: SSL.
I've read plenty of security threads here, on StackOverflow, and elsewhere that goes on at length about regenerating session ids after n uses, and how your passwords need to be salted, hashed, and never stored in plain text. I've read plenty about how to detect when a session has been hijacked, by tracking IP addresses, user agents, and by using tracking cookies.
What I don't understand is what any of this matters when the website logs you in via a normal HTTP POST and sends your password over the wire in plain text?
I understand that all the other methods I listed are needed to reduce your overall exposure, and maybe there are some sites that just don't need that much security anyway, but I guess what I'm asking is:
When is it ok to not bother with SSL?
Sites like Gmail, your bank, and LinkedIn, I can see having a reason to use SSL, but what makes it ok that sites like Facebook and reddit don't bother (hell, PlentyOfFish even stores your password in plain text and even emails it to you weekly as a reminder!?!)?
How concerned should I be with making sure SSL is setup (especially since I'd be starting with a shared host, and I'm being pretty cheap to start)? My site won't hold any particularly personal information, if that helps. If the site becomes a success, I'd seriously look at paying the extra for the added security.
More posts by @Candy875
4 Comments
Sorted by latest first Latest Oldest Best
As of August 2014 Google has officially indicated that HTTPS will be used as a ranking signal.
This means that even if your website is a completely static website, if you care about SEO you should at least consider setting up an SSL certificate.
Of course HTTPS is just one ranking signal out of hundreds, so there are probably more important things you can do for SEO.
Here's an angle you may not have considered: not using SSL/TLS can expose your users to passive monitoring even if your site has no logins.
A threat actor may simply sit between your user and the rest of the Internet, watching all the URLs your user requests and building patterns of things your user is viewing. Individual bits of information may indeed be insignificant in isolation, but combining lots of little bits of information can create a much bigger picture.
It is for this reason I offer HTTPS on my own site, which only provides static content.
Taking the opposite approach to John's answer, I think you should seriously consider SSL if you handle any personally-identifiable information - to include: names with physical addresses, e-mail addresses, financial information, and communications which users would reasonably expect to be private.
Unless your site provides a means for users to publish information about themselves, you should consider any personally-identifiable information provided by your users to be held by you and you only under strict confidence unless your site's privacy policy informs your users otherwise.
Prevent unauthorized third parties from seeing your visitors' information and keep your users informed of how you use their information to maintain your visitors' trust.
Even Facebook does this, as far as I
can tell.
<form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form" onsubmit=";var d=document.documentElement;if (d.onsubmit) { return d.onsubmit(event); }else { return Event.fire(d, "submit", event); }">
(Facebook.com login HTML source)
It matters as much as you and your users thinks it matters. Sending passwords over http as plain text does leave them vulnerable to packet sniffing. Now whether someone is going to actually bother sniffing those packets is a whole other story. If you want to ensure your users the most secure experience possible, use SSL for their login submissions. If you think your users will be happier and more likely to interact with your website in a positive way (i.e. buy stuff, do stuff, etc) then use SSL for their login submissions. If you have anything worth stealing (i.e. user information) then use SSL.
If you don't have anything worth stealing, don't think SSL will enhance security much or at all, or your users won't see it as a useful feature then you may want to consider not using SSL.
For what it costs to install an SSL cert, unless you are on a shoestring budget, it's never a bad thing to secure a site's login. And don't let what other sites are doing influence you as many larger sites don't necessary follow best practices which is why there's is seemingly a steady stream of news stories about one being compromised in some way.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.