Wambo

When should you use SSL?

61 posts in this topic

On 11/29/2015, 3:33:53, drmike said:

If you can deal with the cost and complexity of running SSL, by all means, do it for everything.

I 100% agree with this. You can get an SSL as cheap as $7. You should always use an SSL if you can.

3 hours ago, Nerdie said:

I 100% agree with this. You can get an SSL as cheap as $7. You should always use an SSL if you can.

Under $5 tyvm ;)

1 person likes this

On 12/3/2015, 2:09:54, zionvps said:

@joepie91

If you look in the right place you can get one for less than $5 a year.

If you are running a web server manually, I assume you have a grasp of the configuration. Adding SSL support only requires 2-3 lines of code. If you want a better cipher strength you don't have to do a lot of research, just add the recommendations by SSL Labs or Mozilla. If you are using a panel like cPanel it's point and click.

In the website section you just have to make sure all the internal and external resources are loaded over https.

$5/year for a rubber stamp is a significant cost if you run many non-commercial projects. It gets far more expensive if you need eg. a wildcard certificate for dealing with subdomains.

As for complexity, you are overlooking many aspects of SSL/TLS configuration (think HSTS and HPKP, for example, as well as the decisions what SSL/TLS versions to support).

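Added example, not part of the thread: a check for two of the configuration points raised in the post above, that an HTTPS page loads no sub-resources over plain HTTP and that its HSTS header is present with a usable lifetime. The sample header, sample HTML, function names and the six-month `MIN_MAX_AGE` threshold are constructed assumptions.

```python
from html.parser import HTMLParser

# Tag -> attribute that makes the browser fetch a sub-resource.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
MIN_MAX_AGE = 15768000  # assumed policy threshold (about six months), not from the thread

class MixedContentFinder(HTMLParser):
    """Collect URLs an HTTPS page would still load over plain HTTP."""
    def __init__(self):
        super().__init__()
        self.insecure = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # canonical/alternate links are not loaded as sub-resources
        url = (a.get(FETCH_ATTRS.get(tag, "")) or "").strip()
        if url.lower().startswith("http://"):
            self.insecure.append((tag, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.insecure

def parse_hsts(value):
    """Return {'max_age', 'include_subdomains'}, or None if max-age is absent or invalid."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    if not directives.get("max-age", "").isdecimal():
        return None
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives}

def audit(headers, html):
    findings = []
    policy = parse_hsts(headers.get("Strict-Transport-Security", ""))
    if policy is None:
        findings.append("HSTS header missing or malformed")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("HSTS max-age too short: %d" % policy["max_age"])
    return findings + ["mixed content: <%s> %s" % m for m in find_mixed_content(html)]

# Constructed sample response for illustration (not taken from any real site).
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=300; includeSubDomains"}
SAMPLE_HTML = ('<link rel="stylesheet" href="http://cdn.example.com/site.css">'
               '<link rel="canonical" href="http://example.com/"><a href="http://example.org/">x</a>'
               '<script src="https://example.com/app.js"></script><img src="http://example.com/logo.png">')
```

Calling `audit(SAMPLE_HEADERS, SAMPLE_HTML)` reports the short `max-age` plus the stylesheet and image that are still fetched over HTTP; ordinary `<a>` links and the canonical link are ignored because the browser does not load them as part of the page.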

It's more than adding two lines of code - you have to generate a CSR, jump through some verification hoops (usually just email - but some small site domains may not have email set up at all), and so on, upload and download files etc.

I think that is what Let’s Encrypt is changing. StartSSL has offered free SSL certs for a while now, but Let’s Encrypt makes the process a lot easier.


These may be helpful:

https://www.eff.org/deeplinks/2011/10/how-secure-https-today
http://www.sott.net/article/275524-Why-HTTPS-and-SSL-are-not-as-secure-as-you-think

Quote

In this day and age of well-known NSA spying, everyone keeps saying that the only way to be safe is to use SSL/TLS, commonly known as "browsing with https://".

The sad reality is that HTTPS does virtually nothing to protect you from the prying eyes of alphabet soup agencies - or anybody else with enough knowledge about how these supposedly "secure" connections actually work.

It's true that connecting to web sites with SSL will certainly prevent "script kiddies" and other more winky opponents from eavesdropping on your surfing or otherwise interfering in your affairs. But as for the Real Bad Guys, forget it...

We shall begin by taking a brief dive down the rabbit hole of SSL, hopefully in a way that will make sense to even the least technically inclined among us.

tl;dr abolish Certificate Authorities or bust. The Entire Concept is as rotten to the core as the x86 apple of the Internet's 13 Root Name Servers' eyes... but you already knew that so just install an SSL cert or whatever.


P.S. Obligatory 'controversial alternative': https://github.com/okTurtles/dnschain
P.P.S. Before joining the 'Let's Encrypt' progression toward utopia, you may want to know that its installation process requires connecting to pypi.python.org.

1 person likes this

On 11/29/2015 at 2:39 AM, Wambo said:

When do you need to use it? What if your site isn't public facing is there any benefit in having an SSL?

Whenever you do any type of ecommerce on the internet and need to encrypt sensitive information such as customer data. You wouldn't even be able to get a merchant account with SSL on your site. If your site isn't open to the public then I really don't see any point in having SSL.


When should you use SSL?

  • To secure from data (logins, emails) - plain text is a bad idea.
  • To give the user the possibility to identify the server

I don't use crypt a lot but signing is a must. Why?
Because crypt is to secure that only the recipient can read the message but signing is used to ensure from whom the message was sent. All about identity management.

 


At least the default *.pem and *.key values in services like nginx and postfix are set to 'snakeoil'.

Dunno, SS* comes off as a tired old confidence trick to me. Guess it's probably more of a structural problem than anything.


If you are going to buy something online I think it's a given you have to do it from a provider that has SSL on their site. Depending on what you are looking to buy then I look to see if they have the Green address bar.

A company that is selling online that doesn't have an SSL or an EV SSL tells me they don't really care about security or that they are not planning on being around long enough for it to really matter. IMO


You will look more "trustworthy" by the green SSL sign to your customers. Also it helps your Google rank now as they now count SSL in their algorithms.

And obviously if you store customers' data or do online transactions, then SSL is compulsory.

3 hours ago, Stevensst said:

You will look more "trustworthy" by the green SSL sign to your customers. Also it helps your Google rank now as they now count SSL in their algorithms.

And obviously if you store customers' data or do online transactions, then SSL is compulsory.

The Green SSL or EV SSLs are costly and can go up to $150/year or even above. These SSLs act and convert a lot better and build better trust as compared to those normal SSLs.

19 hours ago, CenTex Hosting said:

If you are going to buy something online I think it's a given you have to do it from a provider that has SSL on their site. Depending on what you are looking to buy then I look to see if they have the Green address bar.

A company that is selling online that doesn't have an SSL or an EV SSL tells me they don't really care about security or that they are not planning on being around long enough for it to really matter. IMO

I remember last year when some of the leading Binary Options brokers weren't even bothering with SSL certs, and these are websites asking for credit card details with a minimum deposit of $250. Seemed kind of hilarious, but apparently had no detrimental effect on their businesses.


Just a hint: if you plan to use a CDN at all, SSL might not be the best answer (it can get expensive to add SSL to CDN content).


High traffic sites, sites with huge client data or allowing any type of online payment must use an SSL certificate.


If you have e-commerce industry and if you’re serious about doing business online, you need SSL.


Not sure if it is true for VPS businesses, which have relatively sophisticated customers, but in most businesses you will scare off more customers by having SSL issues (self-signed SSL, certificate authorities that are not recognised by all browsers, and an awful lot of things that can go wrong with SSL).

As @HN-Matt says, most people do not notice when you do not have SSL when you should have.


If your project involves monetary transactions, or storing user's information, you should go for SSL. It increases the trust of your customers/visitors. If not, there is no need for it.

In case you want that green lock on your site, just because it looks good, try getting free SSL from Cloudflare, StartSSL etc.


Try to use it for most things, but for online shops / storing customer data then do your best to use SSL :)

On 1/11/2016 at 10:11 PM, PowerUpHosting-Udit said:

The Green SSL or EV SSLs are costly and can go up to $150/year or even above. These SSLs act and convert a lot better and build better trust as compared to those normal SSLs.

I got my Comodo EV for $99 per year direct. Not sure how long the offer will last, but still.
Mind you, I looked at all EV providers and chose Comodo over Geotrust not because of the price.

On 1/28/2016 at 0:29 PM, DMMediaLtd said:

Just a hint: if you plan to use a CDN at all, SSL might not be the best answer (it can get expensive to add SSL to CDN content).

There are a few CDNs that allow you to have your own custom SSL for no cost. KeyCDN and CDN77 are two that I know of.
