15

I'm bootstrapping my own project, it has a registration/login area (via devise with RoR, properly hashed and salted of course). As I'm using subdomains and I need to access them with iframes (it's justified, really!) I'd need one of those expensive certificates that cover subdomains.

As I'm doing this out of my own time and money, I'm hesitant to drop a couple of hundred on a certificate, plus a couple of hours delving into something I haven't tried before. I'm not storing any sensitive information besides the email address and the password. As far as I understand, the only vulnerability happens when a user logs in or signs up from an unencrypted network (such as a coffee shop) and someone is listening on the network.

Am I being cheap? Is this something I should tackle before releasing into the wild? I probably should mention I have 25,000 users signed up to be notified when I launch, so I'm nervous about it.

methodofaction
  • 2,163
  • 2
  • 16
  • 12
  • Why do you need to spend hundreds of $$ on certificates? Why not buy the cheaper certificates? I bought a cheap one for £15/year for one of my sites. – Darknight Jul 18 '12 at 09:12
  • 1
    Because he needs a wildcard certificate to cover his sub-domains. – pritaeas Jul 18 '12 at 09:22
  • 1
    But are the subdomains really necessary? Is it possible to put some kind of (secure) proxy in front of them all to make it look like a single site? – Donal Fellows Jul 18 '12 at 11:36
  • 3
    If you have 25,000 users waiting for your launch, then spending some hundreds of dollars should not be a problem. – marco-fiset Jul 18 '12 at 12:23
  • Plus it's all a matter of cost vs user experience. When you get "This site isn't certified" you already lost 70% or more of traffic. If it's a profitable venture, pay whatever it costs to assure the users. – Rig Jul 18 '12 at 12:55
  • Get a $20 certificate and stuff all the account stuff on secure.yourdomain.com. – Brian Jul 18 '12 at 13:12
  • 2
    Despite a lot of the answers and comments, a Signed SSL certificate is an essential part of securing the data on your website. Anything the user sees or submits can be spied on if you don't have one, regardless of where they connect from. – CLo Jul 18 '12 at 14:56
  • You aren't being cheap. Because [you can get SSL for free](http://www.startssl.com/?app=1) – Ryan Kinal Jul 18 '12 at 17:20
  • 2
    @RyanKinal Uhh... those actually work and validate correctly on standard browsers? I would have thought any CA that offered certs for free would have its signing key blacklisted – TheLQ Jul 18 '12 at 18:24
  • @TheLQ - The user is likely just spamming the ad. – Ramhound Jul 19 '12 at 11:58
  • 1
    Second problem; if a logged in user is browsing on an open network with no SSL others can grab the cookies then take over their session. Proof: http://codebutler.com/firesheep/ – James Apr 02 '13 at 13:11

11 Answers

25

I'd buy one. The cost of the certificate is not that big considering the level of trust it provides to the users. Think of it as an investment. If your applications don't seem to be secure (and properly signed SSL certificates give the assumption that a website is secure) people may lose interest in using your future products.

Andrzej Bobak
  • 1,276
  • 1
  • 13
  • 21
  • 1
    overall SSL is a 'feel good' for non-tech folks – Jakub Jul 18 '12 at 14:08
  • and on the other side: no SSL is a 'feel very bad and suspicious' for the typical user – Andrzej Bobak Jul 18 '12 at 14:11
  • Only signed certificates can provide trust. It's possible to still have data stolen without a signed certificate. Man in the middle attacks still work by providing a false certificate to the client. – CLo Jul 18 '12 at 14:54
  • Thanks for the pointers, the general consensus seems to point that an SSL is not something I should skimp on. I've installed a free certificate from StartSSL and will buy the wildcard one when I actually launch https://method.ac – methodofaction Jul 18 '12 at 17:53
7

In the time since this question was asked, a lot has changed. Does your site need HTTPS? YES!

  1. Certificates with domain validation are free from many providers, e.g. Let's Encrypt. These certificates are just as good as those for which you pay money. Thanks to server name identification, it is not necessary to own an IP address.

  2. Browsers are increasingly marking non-HTTPS pages as insecure, rather than neutral. Having your site marked as insecure doesn't look good.

  3. Modern web technologies require encryption. Whether it's Chrome's policy of only enabling new features for HTTPS sites, Google's preferred ranking for HTTPS sites, or encrypted HTTP/2 being faster than plaintext HTTP/1.1, you are leaving opportunities on the table. Yes, encryption does add load to your servers, but this is unnoticeable for most sites – and particularly unnoticeable to users.

  4. Privacy is more important than ever. Whether it's ISPs selling your clickstream or secret services sifting through all your connections, there's no good reason to leave any communication publicly visible. Use HTTPS by default, and only use HTTP if you're sure any transmitted information can safely be public, and may be tampered with.

    Note that passwords must not be transmitted over plaintext connections.

    Under some regulations such as the EU-GDPR, you are required to implement state of the art security measures, which would generally include HTTPS for websites.

There are a couple of non-solutions:

  • “Use OAuth instead of passwords” misses the point that there still are password-like tokens involved. At the very least, your users will have a session cookie that must be protected, as it serves as a temporary password.

  • Self-signed certificates are rejected by browsers. It is possible to add an exception, but most users will not be able to do that. Note that presenting a self-signed cert is indistinguishable to the user from a MITM attack using an invalid cert.

So: Certificates are free and HTTPS can make your site faster. There is no longer any valid excuse. Next steps: read this guide on migrating to HTTPS.

amon
  • 132,749
  • 27
  • 279
  • 375
  • I agree that the trend nowadays is to https your site, even if you're not handling user registration and such, because of the benefits you mention. I'm selecting this as the correct answer. – methodofaction Apr 17 '18 at 07:48
  • 2
    As an addition: HTTPS doesn't only bring privacy, but also integrity. Due to the encryption you can also be sure that the data the user received actually is the one which was sent and wasn't modified by somebody on the way – johannes Apr 17 '18 at 10:39
5

If you are "only" gathering e-mails and passwords you may want to try creating your own certificate with OpenSSL (http://www.openssl.org/) before committing any funds.

But...

This is just something you can do to "try things out" because website users will get a warning as this will not be a recognized/accepted certificate.

My advice is to invest in SSL, simply because email and passwords are very sensitive private data that can lead to other kinds of exposure (say I use the same pass for my email account - if this info leaks out, then all e-mail data is exposed, including CC data, any and all access info I have for other online services and god knows what else...)

We need a secure and trustworthy WEB and a few dozen bucks is a small price to pay for user security. (even as basic as SSL)

Igal Zeifman
  • 221
  • 1
  • 4
5

Security Concerns

> As far as I understand, the only vulnerability happens when a user logs in or signs up from an unencrypted network (such as a coffee shop) and someone is listening on the network.

This is not true; data transmitted between the user and your website is never safe. Just as an example, http://www.pcmag.com/article2/0,2817,2406837,00.asp details the story of a virus that changed people's DNS settings. No matter how well your current network is protected, any submission on the internet goes through many different servers before it gets to yours. Any one of them can be malicious.

SSL certificates allow you to encrypt your data in a one way encryption that can only be decrypted at your server. So no matter where the data hops on its way to your server, no one else can read the data.

In most cases, and this depends on your hosting, installation of a certificate is rather painless. Most providers will install it for you.

SSL Cert Types

As noted in some answers, you can create your own SSL certificates. An SSL certificate is just a public and private key pairing. Your server gives out the public key, the client uses it to encrypt the data it's sending, and only the private key on your server can decrypt it. OpenSSL is a good tool for creating your own.

Signed SSL Certificates

Purchasing a certificate from a certificate authority adds another level of security and trust. Again, it's possible that someone can sit in between the client browser and your web server. They would simply need to give the client their own public key, decrypt the info with their private key, re-encrypt it with your public key and pass it on to you and neither the user nor you would know.

When a Signed Certificate is received by the user, their browser will connect to the authentication provider (Verisign, etc.) to validate that the public key they received is in fact the one for your website and that there has been no tampering.

So, yes you should have a Signed SSL certificate for your site. It makes you look more professional, gives your users more peace of mind in using your site, and most importantly protects you against data theft.

More info on the Man In The Middle attack that is the core of the issue here. http://en.wikipedia.org/wiki/Man-in-the-middle_attack

CLo
  • 368
  • 1
  • 11
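
The difference this answer draws between a CA-signed certificate and one the client has no reason to trust (and the self-signed bullet in the answer above it) can be reproduced offline with Ruby's bundled `openssl` library. This is an added example, not code from any of the posters; the test CA, the `example.test` hostnames and the helpers `issue`, `verdict` and `demo` are constructed for illustration. It goes slightly beyond the text by also showing which hostnames a wildcard certificate covers.

```ruby
require "openssl"

# Issue a certificate for `names` (first one becomes the CN). Signed by
# `issuer` ({cert:, key:}) when given, otherwise self-signed.
def issue(names, key, issuer: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.new([["CN", names.first]])
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  unless ca
    san = names.map { |n| "DNS:#{n}" }.join(",")
    cert.add_extension(ef.create_extension("subjectAltName", san))
  end
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new("SHA256"))
end

# The two checks a TLS client makes: does the chain end at a trusted root,
# and does the certificate name the host we asked for?
def verdict(cert, hostname, store)
  return :untrusted_issuer unless store.verify(cert)
  return :hostname_mismatch unless OpenSSL::SSL.verify_certificate_identity(cert, hostname)
  :accepted
end

def demo
  ca_key, site_key, other_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  # Constructed test CA standing in for a root the browser already trusts.
  ca = { key: ca_key, cert: issue(["Constructed Test CA"], ca_key, ca: true) }
  store = OpenSSL::X509::Store.new
  store.add_cert(ca[:cert])

  wildcard = issue(["*.example.test"], site_key, issuer: ca)
  self_signed = issue(["app.example.test"], other_key)
  unknown_ca = { key: other_key, cert: issue(["Unknown CA"], other_key, ca: true) }
  unknown_leaf = issue(["app.example.test"], site_key, issuer: unknown_ca)

  {
    "wildcard, app.example.test"    => verdict(wildcard, "app.example.test", store),
    "wildcard, a.b.example.test"    => verdict(wildcard, "a.b.example.test", store),
    "wildcard, example.test"        => verdict(wildcard, "example.test", store),
    "self-signed, app.example.test" => verdict(self_signed, "app.example.test", store),
    "unknown CA, app.example.test"  => verdict(unknown_leaf, "app.example.test", store),
  }
end

demo.each { |scenario, result| puts "#{scenario}: #{result}" }
```

The self-signed certificate and the one from an unknown CA fail the same trust check, which is why a client cannot tell a site owner's self-signed certificate from one substituted in transit.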
2

Passwords should be treated as personal information -- frankly given password reuse, it is probably more sensitive than a SSN.

Given that and your description, I wonder why you are storing a password at all...

I would use OpenID and if you feel the need to have your own login, create a single subdomain for that, and use OpenID everywhere else.

If you won't do OpenID, you can still use the same login.yourdomain pattern to keep from needing a wildcard certificate, but like I said, in today's world passwords are at least as sensitive as SSN/birthday, don't collect it if you don't have to.

jmoreno
  • 10,640
  • 1
  • 31
  • 48
1

It would be wise to buy one. As mentioned, it is ALL about end user trust in your website.

> so I'm hesitant to drop a couple of hundreds on a certificate

Well, it is not expensive and you may get one under $50.

SSL is really important to secure your site and add a level of confidence to the visitors in your site. In regards to the login process, why NOT use OAuth? This feature will skip the user hassle to spend time in registration for your website. Website user traffic will really benefit from that. Seriously, find some time to research it.

A good reference on common SSL questions - All about SSL Certificates

Yusubov
  • 21,328
  • 6
  • 45
  • 71
1

RapidSSL through Trustico is only $30 or you can get a RapidSSL wildcard for less than $160 - they also have a price guarantee, so if you find it cheaper they'll match it.

Clint
  • 19
  • 1
1

If you have a unique IP, you might as well get a certificate, particularly if you deal with any data that is even remotely sensitive. Since you can get free trusted certificates from StartSSL, there's really no reason for not having one.

tylerl
  • 4,850
  • 21
  • 32
-1

An SSL has drawbacks. It slows down your website. Really.

The only reason why people are using SSL certificates is when there is the customers' money involved.

If you are not involving your customers' money, the decision to take an SSL certificate is purely business oriented.

If you're having a backend for your customers, with no money involved on the website, but they need to be sure that they're secure, then sure take a certificate. It's an investment for your customers' trust.

Florian Margaine
  • 6,791
  • 3
  • 33
  • 46
  • 4
    -1 : You must ALWAYS use an SSL certificate when your users submit sensitive data like passwords for registration and login. Not just when money is involved. – marco-fiset Jul 18 '12 at 13:27
  • 2
    I disagree. From a business point of view, it is clearly not needed. Only buy an SSL certificate if, as said in the answer, you're involving the customers' money. – Florian Margaine Jul 18 '12 at 13:32
  • @marco-fiset: `s/ALWAYS/usually/`; for a rinky-dink blog or something it might not be worth it (and you might not even be able to get SSL support), but for a professional corporate site it's a must. Even when there's no money changing hands. @Florian: If someone manages to get a hold of that password the user used to log in, or a bunch of their personal info, then you are the one responsible. If they get their identity stolen because of it, and it's shown that you didn't treat that data with the care it deserves...oooboy. – cHao Jul 18 '12 at 13:44
  • @FlorianMargaine Then I am happy I don't do any business with you. It is well known that every login and registration form must be secured for any non-trivial website of course. – marco-fiset Jul 18 '12 at 13:55
  • @marco-fiset Then, stackexchange is a trivial website, I guess. Because when you register, there is no HTTPS: http://stackoverflow.com/users/login#create-account – Florian Margaine Jul 18 '12 at 14:00
  • @cHao If your website isn't using SSL, but your users are having their sessions stolen because of the local network they're in, you're not the one responsible for it. – Florian Margaine Jul 18 '12 at 14:01
  • @cHao Finally, if you think having an SSL certificate is good for your business, worth the investment, then sure, take it, even without customers' money. – Florian Margaine Jul 18 '12 at 14:11
  • @Florian: Yes, you are the one responsible. You have a simple way to protect against that, and couldn't be bothered to spend the, oh wait, [$0](http://www.startssl.com/?app=1). Sounds like negligence to me. – cHao Jul 18 '12 at 14:20
  • It's not the local network that's the issue. Internet traffic hops across many servers, and data is sent unencrypted. Your usernames and passwords can be pulled and used. Imagine in any business if your administrator password for your website was stolen. Only way you can prevent that is to get an SSL or only use the website from inside the network local to it. – CLo Jul 18 '12 at 14:45
  • 3
    @Florian: SE is a *broken* website, if it asks you for personal info but doesn't encrypt it. A site network this huge, particularly one directed at programmers, should know better. For me, though, they redirect to my OpenID provider, which BTW *does* use SSL. The question is whether that brokenness is worth fixing. And for a site like SO that doesn't really have any personal info (aside from password and email address), maybe they've decided it isn't. But that's a decision that has to be made and lived with, rather than just saying "no CC numbers? then screw SSL". – cHao Jul 18 '12 at 14:58
  • 1
    I was fooled by the lack of SSL too, but it turns out the sign up form is actually embedded in an iframe that calls an https address. – methodofaction Jul 18 '12 at 17:50
  • 1
    @FlorianMargaine - Google has proven that your claims of SSL slowing down your website as fault. – Ramhound Jul 19 '12 at 12:03
  • 2
    Florian, I hope your viewpoint has changed in these past six years. TLS is all but mandatory nowadays. And even back in 2012, nobody should have been sending passwords in cleartext over the Internet. – Dessa Simpson Apr 11 '18 at 19:01
-1

Dropping some money on a wildcard SSL certificate may be the best option, or it may not. Take a look at the Caddy web server: https://caddyserver.com/. It has many nice features, notably built in support for grabbing free certificates from Let's Encrypt. You can just specify all your domains in its config file and it will grab certs for them. The other really cool feature is On-Demand TLS. If you enable it, whenever it receives a request for a new domain it doesn't have a cert for, it grabs one during the initial TLS handshake. That means you can have literally thousands of domains and not have to configure each individual one in the Caddy config.

Note: As much as my enthusiasm may seem like it, I am not affiliated with Caddy in any way, shape, or form, other than being an avid user of their product.

-4

It's all about the users, they do not provide any kind of security, the certificates are just products to sell.

You may want to take a look at this

http://en.wikipedia.org/wiki/Comparison_of_SSL_certificates_for_web_servers

user827992
  • 1,175
  • 2
  • 9
  • 19
  • I don't think what you are saying is right. A certificate does not provide security, but it an identity, and being able to identify objects is the first level of security? – Ozair Kafray Jul 18 '12 at 11:23
  • identify who? how? if you have a company named "Stuff" you buy a certificate and you are recognized as "Stuff", period. if you say that you are "Random" you are recognized as "Random"; do you think that these guys have a minimal interest in being policemen over the internet? – user827992 Jul 18 '12 at 11:26
  • No, but we recently bought a certificate for our product vcred.com and, geotrust took 3 months to verify us as a company which is riksof.com. That is for Pakistan, for other countries they take less time, and that is because they verify us. I think verisign would also have a stringent verification process. So, they are not selling it just as a product in my view. One can generate a certificate himself also and then the absence of CA is easily identified – Ozair Kafray Jul 18 '12 at 12:04
  • this company are an exception, also it depends on what kind of certificate you are buying, but in the end you can just be another person and it's not that hard to achieve that. – user827992 Jul 18 '12 at 12:07
  • 3
    -1 Certificates provide security. That's their primary function. – CLo Jul 18 '12 at 14:48