Do you need SSL?

Is the web site really secure with SSL?

1. The server is attacked directly.  SSL does not protect you from this.  Rather, you need to have a good IT security policy to protect your server.
2. The user is attacked directly, either by infecting their PC with malware, or by using “phishing” to steal their passwords.  SSL does not protect you from this, either.  To protect your own PC from this, you need to use a good anti-virus program, and use lots of common sense and a small amount of paranoia when on the Internet.  However, it is unrealistic to expect that all the PCs of all of your website visitors will be adequately protected.

In that case, when is SSL important to have?

If you are transmitting sensitive private data over the internet, SSL is an important additional security layer.  Although eavesdropping may be a less common form of attack, there is no reason not to protect against it if the consequences are serious.

What kind of “sensitive private data” needs protection?

Private data is information that should only be known to you (the website owner) and the user.  The most obvious example is credit card numbers.  If you outsource your credit card processing to an external e-commerce gateway, the transactions are protected by your e-commerce provider’s SSL.  Adding SSL on your website is not necessary.

Passwords may also be sensitive if they access private data or functions, such as bank account statements, email inboxes, and so on.  Passwords that merely access a members-only area are less sensitive, because these resources are shared and not truly private.

Note that personal information such as names, email addresses, phone numbers, and mailing addresses are not private.  This is information that is meant to be shared with others.  SSL does not really protect information that is already publicly available in more accessible formats such as the phone book.

(However, you do need a good privacy policy when storing and using people’s personal information, to assure your users why you need their personal information, and what you intend to use it for.  This is mostly because some organizations have a history of selling their databases of personal information against the wishes of their clients.  SSL does not help with this, however.)

There is a grey zone between private data (which should be known only to you and the user), and personal data (which is known and used by many others).  Individual pieces of personal data may not be a big deal, but if you collect enough personal data, identity theft may become a plausible threat.  Special account or identity numbers (SSN, SIN, drivers license, health care, or passport numbers for example), along with birth dates, common security questions (eg. mother’s maiden name, names of family members), and information of that nature may collectively comprise an identity that could be stolen for nefarious purposes.  The more of this sort of information you collect, the more SSL might be a worthwhile addition to your security policy.

I don’t store lots of personal data, my private members’ area is not especially sensitive, and I outsource credit card processing to a secure e-commerce provider.  Is there any other reason why I might want SSL?

Not everybody knows what SSL protects or how it works.  All they know is that the little padlock icon is “good”.  If your users are pestering you because you don’t have the padlock icon, then it may be easier just to get SSL than to try to explain all the security nuances of why it won’t help them in this case.

Web browsers often throw up security dialogs when you move between SSL web pages and regular web pages.  These dialogs are meant to be a more obvious variant of the padlock icon–to advise the user when their communications are encrypted and when they are not.  They may pop up, for instance, when you finish paying at an e-commerce page, and are then redirected back to your website to get your receipt.  However, dialog boxes sometimes seem like error messages to inexperienced users, who may attempt to cancel or reverse the operation they started.  If this causes problems for you on your website, you may want to consider adding SSL just to prevent these dialog boxes from appearing.

In both of these cases, it is important to understand that SSL is not really protecting your website communications.  Rather, it only being used to smooth over user interface and security issues that your users may not adequately understand.

One extra useful thing that SSL allows for is verifying that the website owner is really who they claim to be.  If you are at risk of being spoofed by phishers, or otherwise need to be able to prove to your visitors that you really are who you claim to be, then SSL can help users confirm your identity by clicking on the padlock icon to get more information about you.

I probably don’t need SSL, but it might be best to get it just to be safe.  Is there any downside to using SSL when you don’t need it?

Yes.  SSL is slower because every single byte of information needs to be encrypted and decrypted by both the user and the webserver, and this takes significantly more effort than simply transmitting in the clear.  SSL not only encrypts information typed into forms by users, but also the text of web pages, style sheets, scripts, images, and videos.  Most of this does not need to be encrypted, but it gets encrypted anyway (otherwise the browser will complain that the secure page contains insecure elements).  If you use SSL on a website that doesn’t need it, every user will pay a price in speed, and your website will “max out” on its performance sooner because much of that performance is being diverted to encryption.

SSL also creates an administrative burden, because the certificates cost money, require paperwork and verification by a third party, and need to be renewed, just like domain names.  They also require private IP addresses, which may incur an extra cost if you do not already have a private server.