# When should you use SSL?



## Wambo (Nov 29, 2015)

When do you need to use it? What if your site isn't public facing is there any benefit in having an SSL?


----------



## drmike (Nov 29, 2015)

If you can deal with the cost and complexity of running SSL, by all means, do it for everything.


----------



## kunnu (Nov 29, 2015)

If your website is storing customer data then use SSL, You can also use SSL on forum/blog so user can search on your site without fear of data leak.


----------



## Licensecart (Nov 29, 2015)

Some people disagree with me but if you can get a dedicated IP or a host with a SNI you should always use SSL, it stops most MITM attacks and allows that extra confidence with the website.


----------



## GalaxyHostPlus (Nov 29, 2015)

SSL shows website is trusted as webmaster care of taking secure of website also Google likes SSL for SEO so it will give better results than non SSL website.


----------



## mitgib (Nov 29, 2015)

Licensecart said:


> allows that extra confidence with the website.



Explain what you mean here, to me I see this and instantly think marketing mumbo jumbo, the rest of your statement is spot on, to prevent MITM, SSL does not provide any actual security server side than that.


----------



## Licensecart (Nov 29, 2015)

mitgib said:


> Explain what you mean here, to me I see this and instantly think marketing mumbo jumbo, the rest of your statement is spot on, to prevent MITM, SSL does not provide any actual security server side than that.



ok now would you buy from a provider who had SSL on their site or would you buy from a provider without SSL?


You would probably go for the provider who has the SSL like most people including me.


----------



## eva2000 (Nov 30, 2015)

I use SPDY SSL or HTTP/2 SSL purely for pagespeed


see comparison tests at http://centminmod.com/http2-versus-spdy-nginx.html#http2version2 and https://h2ohttp2.centminmod.com/webpagetests1.html


Centmin Mod LEMP stack will soon get Letsencrypt free SSL integration http://centminmod.com/letsencrypt-freessl.html so Centmin Mod users can easily auto deploy a Nginx HTTP/2 based SSL site


----------



## Layershift Dora (Nov 30, 2015)

It is generally recommended to use an SSL certificate on your site to increase users confidence ( SSL is an encryption technology used to protect sensitive information passed between a web server and a web browser). If your website doesn't have an SSL, browsers will display warning messages, some of the newer browser versions pro-actively encourage visitors to close the page 


There are many types of SSL certificates, depending on the validation type or the certificate type. The basic Domain Control Validated SSL certificates (which verify that the person who requests the certificate has “administrative” access to the domain ) are the cheapest ones and the easiest to validate and install on your domain. In the middle you have the Organisation Validates ones -  the certificate authority manually checks some business identity documentation to validate the organisation behind the domain. At the top you have the Extended Validation ones which turn the address bar green - this is of particular significance in e-commerce scenarios where this directly translates to a measurable increase in sales as a direct result of the increased customer confidence. 


There are also the single domain certificates - they cover a single domain, the multi-domain ones - which protect up to 210 domains hosted on a server and the wildcard ones - they protect all of the subdomains of your domain.


Long story short, SSL certificates increase users confidence and it's good to have them.


----------



## Layershift Dora (Nov 30, 2015)

And, if you website is not public, it's good to have it on the important areas of your website, to encrypt the data - as an extra security measure - you can never be to precocious nowadays I guess.


----------



## KuJoe (Nov 30, 2015)

Layershift Dora said:


> And, if you website is not public, it's good to have it on the important areas of your website, to encrypt the data - as an extra security measure - you can never be to precocious nowadays I guess.



Yeah, because of all of those hackers on your intranet right?


----------



## Layershift Dora (Nov 30, 2015)

>  Yeah, because of all of those hackers on your intranet right? 


 If you have sensitive areas on your website (even if it's not public) it's recommended to encrypt the data between the server and your website -  it ensures that all data passed between them remains private and integral, as the communication is performed over the HTTPS protocol. It's not mandatory,but it is a plus, that's all.


----------



## GIANT_CRAB (Nov 30, 2015)

Any place that has login/registration or personal info. Sadly, LowEndTalk doesn't give 2cents/shits about TLS.


Meh, they're not the only ones doing this...


----------



## joepie91 (Nov 30, 2015)

Always. No exceptions. Let's Encrypt (which should be launching next month) will make this more feasible for free.


----------



## zionvps (Dec 2, 2015)

SSL is so cheap these days you should implement it no matter what content you are hosting. Not only it encrypts the connection preventing MITM attacks but it increases the confidence even in a private website. Contrary to what others say, SSL is extremely easy to implement and it takes only minutes.


----------



## risharde (Dec 2, 2015)

Thinking about the op's question, it would be useful even if on the intranet. Underestimating users on your network is the first flaw you can make. I would use it if the intranet site has confidential content and gives you the added confidence that connections between the server and users are encrypted.


----------



## joepie91 (Dec 2, 2015)

zionvps said:


> SSL is so cheap these days you should implement it no matter what content you are hosting. Not only it encrypts the connection preventing MITM attacks but it increases the confidence even in a private website. Contrary to what others say, SSL is extremely easy to implement and it takes only minutes.



Well, no, it's not easy (yet) - at least not to do it _correctly_. And it isn't exactly cheap either. I'm hoping that Let's Encrypt will resolve both of those issues.


----------



## zionvps (Dec 3, 2015)

@joepie91


If you look in the right place you can get one for less than $5 a year.


If you are running a web server manually, i assume you have a grasp of the configuration. Adding SSL support only requires 2-3 lines of code. If you want a better cipher strength you don't have to do a lot of research, just add the recommendations by ssllabs or mozilla. If you are using a panel like cpanel its point and click.


In the website section you just have to make sure all the internal and external resources are loaded over https


----------



## eva2000 (Dec 3, 2015)

Letsencrypt public beta is open now https://letsencrypt.org/2015/11/12/public-beta-timing.html get your SSL certificates !


----------



## Localnode (Dec 4, 2015)

Considering Letsencrypt is free - there is really no excuse to _not _use an SSL.


Some people are hesitant with using an SSL but, the disadvantages of using SSL are few and the advantages far outweigh them.


----------



## Nerdie (Dec 4, 2015)

drmike said:


> If you can deal with the cost and complexity of running SSL, by all means, do it for everything.



I 100% agree with this. You can get an SSL as cheap as $7. You should always use an SSL if you can.


----------



## mitgib (Dec 4, 2015)

Nerdie said:


> I 100% agree with this. You can get an SSL as cheap as $7. You should always use an SSL if you can.



Under $5 tyvm


----------



## joepie91 (Dec 4, 2015)

zionvps said:


> @joepie91
> 
> 
> If you look in the right place you can get one for less than $5 a year.
> ...



$5/year for a rubber stamp is a _significant_ cost if you run many non-commercial projects. It gets far more expensive if you need eg. a wildcard certificate for dealing with subdomains.


As for complexity, you are overlooking many aspects of SSL/TLS configuration (think HSTS and HPKP, for example, as well as the decisions what SSL/TLS versions to support).


----------



## graeme (Jan 7, 2016)

Its more than adding two lines of code - you have to generate a CSR, jump through some verification hoops (usually just email - but some small site domains may not have email set up at all), and so on, upload and download files etc.

I think that is what Let’s Encrypt is changing. StartSSL has offered free SSL certs for a while now, but Let’s Encrypt makes the process a lot easier.


----------



## HN-Matt (Jan 7, 2016)

These may be helpful:

https://www.eff.org/deeplinks/2011/10/how-secure-https-today
http://www.sott.net/article/275524-Why-HTTPS-and-SSL-are-not-as-secure-as-you-think



> In this day and age of well-known NSA spying, everyone keeps saying that the only way to be safe is to use SSL/TLS, commonly known as "browsing with https://".
> 
> 
> The sad reality is that HTTPS does virtually nothing to protect you from the prying eyes of alphabet soup agencies - or anybody else with enough knowledge about how these supposedly "secure" connections actually work.
> ...



tl;dr abolish Certificate Authorities or bust. The Entire Concept is as rotten to the core as the x86 apple of the Internet's 13 Root Name Servers' eyes... but you already knew that so just install an SSL cert or whatever.



P.S. Obligatory 'controversial alternative': https://github.com/okTurtles/dnschain
P.P.S. Before joining the 'Lets Encrypt' progression toward utopia, you may want to know that its installation process requires connecting to pypi.python.org.


----------



## ioZoom (Jan 10, 2016)

Wambo said:


> When do you need to use it? What if your site isn't public facing is there any benefit in having an SSL?



Whenever you do any type of ecommerce on the internet and need to encrypt sensitive information such as customer data. You wouldn't even be able to get a merchant account with SSL on your site. If your site isn't open to the public than I really don't see any point in having SSL.


----------



## wlanboy (Jan 10, 2016)

When should you use SSL?


To secure from data (logins, emails) - plain text is a bad idea.

To give the user the possibility to identify the server


I don't use crypt a lot but signing is a must. Why?
Because crypt is to secure that only the receipiant can read the message but signing is used to ensure from whom the message was sent. All about identity management.


----------



## HN-Matt (Jan 10, 2016)

At least the default *.pem and *.key values in services like nginx and postfix are set to 'snakeoil'.

Dunno, SS* comes off as a tired old confidence trick to me. Guess it's probably more of a structural problem than anything.


----------



## CenTex Hosting (Jan 10, 2016)

if you are going to buy something online I think its a given you have to do it from a provider that has SSL on their site. Depending on what you are looking to buy then I look to see if they have the Green address bar.


A company that is selling online that doesn't have an SSL or an EV Ssl tells me they don't really care about security or that they are not planning on being around long enough for it to really matter. IMO


----------



## Stevensst (Jan 11, 2016)

You will look more "trustworthy" by the green ssl sign to your customers. Also it helps you google rank now as they now count ssl in their algorithms.


And obviously if you store customers's data or do online transactions, then SSL is compulsary.


----------



## PowerUpHosting-Udit (Jan 11, 2016)

Stevensst said:


> You will look more "trustworthy" by the green ssl sign to your customers. Also it helps you google rank now as they now count ssl in their algorithms.
> 
> 
> And obviously if you store customers's data or do online transactions, then SSL is compulsary.



The Green SSL or EV SSLs are costly and can go upto $150/year or even above. These SSLs acts and converts a lot better and builds a better trust as compared to those normal SSLs


----------



## HN-Matt (Jan 11, 2016)

CenTex Hosting said:


> if you are going to buy something online I think its a given you have to do it from a provider that has SSL on their site. Depending on what you are looking to buy then I look to see if they have the Green address bar.
> 
> 
> A company that is selling online that doesn't have an SSL or an EV Ssl tells me they don't really care about security or that they are not planning on being around long enough for it to really matter. IMO



I remember last year when some of the leading Binary Options brokers weren't even bothering with SSL certs, and these are websites asking for credit card details with a minimum deposit of $250. Seemed kind of hilarious, but apparently had no detrimental effect on their businesses.


----------



## DMMediaLtd (Jan 27, 2016)

Just a hint if you plan to use a CDN at all SSL mite not be the best answer (it can get expensive to add SSL to CDN content)


----------



## hmb-patrick (Feb 7, 2016)

High traffic sites, sites with huge client data or allowing any type of online payment must use SSL certificate.


----------



## Gustavo (Feb 12, 2016)

If you have e-commerce industry and If you’re serious about doing business online, you need SSL.


----------



## graeme (Feb 12, 2016)

Not sure if it is true for VPS businesses, which have a relatively sophisticated customers, but in most businesses you will scare off more customers by having SSL issues (self signed SSL, certificate authorities that are not recognised by all browsers, and an awful lot of things that can go wrong with SSL).

As @HN-Matt says, most people do not notice when you do not have SSL when you should have.


----------



## VPSclub (Feb 12, 2016)

If your project involves monetary transactions, or storing user's information, you should go for SSL. It increases the trust of your customers/visitors. If not, there is no need for it.


In case you want that green lock on your site, just because it looks good, try getting free SSL from cloudflare, startssl etc.


----------



## SkyNetHosting (Feb 19, 2016)

SEO point of view, you should use SSL by default and google expect you to use SSL when ever its possible. 


https://googleonlinesecurity.blogspot.com/2014/08/https-as-ranking-signal_6.html


----------



## GlideServers (Feb 24, 2016)

Try to use it for most things, but for online shops / storing customer data then do your best to use SSL


----------



## Localnode (Feb 28, 2016)

PowerUpHosting-Udit said:


> The Green SSL or EV SSLs are costly and can go upto $150/year or even above. These SSLs acts and converts a lot better and builds a better trust as compared to those normal SSLs



I got my Comodo EV for $99 per year direct. Not sure how long the offer will last, but still.
Mind you, I looked at all EV providers and chose Comodo over Geotrust not because of the price.



DMMediaLtd said:


> Just a hint if you plan to use a CDN at all SSL mite not be the best answer (it can get expensive to add SSL to CDN content)



There's a few CDN's that allow you to have your own custom SSL for no cost. KeyCDN and CDN77 are two that I know of.


----------



## NodeBlade (Feb 28, 2016)

Localnode said:


> There's a few CDN's that allow you to have your own custom SSL for no cost. KeyCDN and CDN77 are two that I know of.



Most provide a shared SSL too.


----------



## Bert (Feb 28, 2016)

The primary reason why SSL is used is to keep sensitive information sent across the Internet encrypted so that only the intended recipient can understand it. This is important because the information you send on the Internet is passed from computer to computer to get to the destination server. Any computer in between you and the server can see your credit card numbers, usernames and passwords, and other sensitive information if it is not encrypted with an SSL certificate. When an SSL certificate is used, the information becomes unreadable to everyone except for the server you are sending the information to. This protects it from hackers and identity thieves.


----------



## layeronline (Mar 15, 2016)

If for intranet site, you may not need SSL, but for public facing sites, SSL is almost a must, especially if your site has login or customer data.


----------



## DomainBop (Mar 15, 2016)

layeronline said:


> If for intranet site, you may not need SSL, but for public facing sites, SSL is almost a must, especially if your site has login or customer data.



If it's a company Intranet then you definitely need to offer your company's employees secure, encrypted, and authenticated services and internal sites...which means you use SSLs. Security on an Intranet is of extreme importance when you consider that on the typical Intranet critical company data (including financial data and personal data) is being transfered and shared amongst employees using applications like collaboration tools, project management sales/accounting/CRM tools, etc 


If it's an Intranet one option to save costs would be to issue self-signed certificates and then manually provision trust of those certs in your devices. Setting up a private certificate authority to issue SSLs for your company's Intranet-connected devices is probably the best option.  


Paid options would be using the same FQDN with all of your devices, if possible, and buy a wildcard cert. As of Nov 1, 2015 publicly trusted SSL certificates no longer support reserved IP addresses or internal server names (see https://cabforum.org/internal-names/ )so you must use a FQDN with all devices if you want to buy publicly trusted SSL's for your Intranet (a few vendors like GlobalSign are now offering special Intranet SSLs that are issued using non-public certificate authorities so they will work with reserved IPs and internal names).


----------



## michyprima (Apr 3, 2016)

I prefer using SSL whenever I could, because of HTTP2, but I avoid using SSL for wide-audiences websites if it's not strictly needed (i.e. storing user data, processing payments etc) because there are still lots of clients out there not using SNI (Die XP, die!) and it would require you having a different IP address for each website and that's simply a waste of resources most of the times.


My blog, as an example, is a personal site, runs on SSL+HSTS, and I couldn't care less if it weren't available to someone, as it's just a blog. My company's main website, on the other end, is running on the same VPS, has SSL, but I configured nginx to serve its cert first if the client is not using SNI.


Another option is to use a single SSL cert for all websites, using wildcard certificates and/or multiple domains certificates but that may turn up expensive.


----------



## VpsAG (Apr 3, 2016)

I recommend using it for everything. I am looking forward to a future where everything will use SSL.


----------



## Jive (Apr 3, 2016)

VpsAG said:


> I recommend using it for everything. I am looking forward to a future where everything will use SSL.



I stand by this as well. With the likes of Let's Encrypt and probably others providing SSL certificates for free we don't really have much reason _not_ to use SSL.


Unless of course you're working for Big Corporate using 25 year old COBOL scripts to keep a company alive and with Java 6's incompatibility with SNI wreaking havoc when you're trying to connect to 3rd party APIs #sometimesthigsjustsuck


https://letsencrypt.org


----------



## 3v-manager (Apr 9, 2016)

SSL certificate is necessary for anyone who wants to protect your online business.
Any information send your customers through the website, whether it is a name, address, phone number and even more information on credit cards or bank accounts, should proceed in an encrypted form.
Availability of SSL-certificate on the site indicates that your site is safe.


----------



## RombelIrk (Jul 5, 2016)

Besides, search engines prefer web-sites with SSL over the others.


----------



## SafehouseCloud (Jul 13, 2016)

Today with free SSL certificates available I wouldn't even host a blog without SSL.


----------



## qchost (Jul 13, 2016)

SafehouseCloud said:


> Today with free SSL certificates available I wouldn't even host a blog without SSL.



Same - there is no reason not to use SSL..


----------



## WiredBlade (Jul 26, 2016)

If you are storing customer data or any sort of personal information, you will have to use SSL since the risk of information leak is just too high. And it is good for SEO purposes as well. A single domain validation SSL certificate costs only $20/year so it is a small price to pay.


----------



## SLL - Conor (Jul 27, 2016)

I would say its recommended that you use it where you can and certainly essential to use SSL where there is a transmission of sensitive/personal data (EG: login details).


----------



## Walnuthost (Aug 7, 2016)

Wambo said:


> When do you need to use it? What if your site isn't public facing is there any benefit in having an SSL?



More than protecting sensitive information, using SSL can also help you gain the trust of your customer. Customers will most likely trust your website when they see a lock icon or a green bar or other visual cues that their connection is secured.


----------



## Nogics Technologies (Sep 21, 2016)

I recommend every site to go for SSL/TLS encryption as it make your members logins and data secured/encrypted. Now a days you will see plenty of sites who do not process payments online but still using SSL/TLS Certs. Yes with SSL the connection speed becomes slow but it's worth to be secured instead of offering higher page load time


----------



## jeff2600 (Sep 26, 2016)

Always. It's easy to implement, it's dirt-cheap (or even free) and it offers a (slight) boost in Google rankings. So why NOT to use SSL?


----------



## buildmyblock (Oct 19, 2016)

ssl should be used all the time even if a website isn't public facing there is always the possibility that someone could root your pc and monitor your connections / packets to sniff out certain things always be


----------



## copperhost (Nov 22, 2016)

when you want site to be more secure and highly recommended when you are selling a product or products


----------



## AdvanceSolution (Jan 5, 2017)

SSL seal is kind of trustworthy website in web world  also you  will get advantage in Seo.


----------



## AlphaNine_Vini (Jan 11, 2017)

I bring trust for user user. If you have credit card payment facility within your website . Then it become necessary to have a SSL . It cost a year. Its worthy to purchase one.


----------



## Servers4You (Jan 15, 2017)

SSL is a must in any web browser now, whether that be a CloudFlare Free SSL or your own EV Certificate. It shows trust that you are protecting your visitors/customers data, however they interact with your website. As of 2017, Chrome have also implemented higher CEO results in search engines as well as the browser showing a grey "i" icon showing it is not a secure connection. Even a basic Comodo PositiveSSL Certificate costs barely anything per year ($7/yr) or Geotrust RapidSSL Certificate ($13/yr) - it won't break the bank - yet brings out the trust in a website,


@MannDude, @HalfEatenPie &@MartinD you might want to consider getting SSL for VPS Board as your SSL Certificate expired on the 5th of this month... Contact me if you need one - can give you a free PositiveSSL or RapidSSL if you need one...


----------



## ctrlswitches (Jul 27, 2017)

SSL certificate is the best way to secure online transactions and your customers transaction as well.


----------



## maounique (Jul 27, 2017)

I am kinda biased against ssl for a while.
1. I think the CA system is broken fundamentally, however, there are attempts to patch it up lately, but I dont see that solving any serious issue, is like patching windows, it kinda works, even enough that banks and governments use it, however things get grimmer by the day and it will eventually implode;
2. When I see an online forum where people exchange ideas for free under an alias without being asked for personal details and it is not working due to some SSL problem in a browser or another because the admins insist on sanctimonious ssl-only approaches while having no actual clue on how that works and why it would be needed on such a platform, I keep thinking about the trade-offs between security and functionality. If you want privacy, SSL wont protect you, you use a VPN and it is better encrypted and more out of reach of bad actors than any SSL-based system will ever be.
If you are worried your password will leak due to MITM attacks and this will cause you serious injury, you are not using the right authentication system, consider 2-ways ones.


----------



## graeme (Jul 27, 2017)

I agree the CA system is messy. I do not think it will implode though - what is going to replace it? It would have been nice to have something that works more like ssh does (setup first time you connect, warn of changes), possibly supplemented by direct distribution of some sort of key for really important sites.


----------



## maounique (Jul 29, 2017)

graeme said:


> I do not think it will implode though - what is going to replace it?



1. I think it is used for too many things which may need different approaches. For example, a central authority to sign certificates for various software updates from various vendors is not necessary, they can issue own certificate, user can accept it and install by default with the app itself. There are many such scenarios where the scale is more pgp-like than ssl-like, I think the question "what do we try to achieve here, security-wise?" is not asked seriously enough when a system is designed. "This is how it is done" is the answer by default in too many places. It takes the burden of thinking out of the box from you, but it also means potentially great ideas do not pop up, let alone make it into the mainstream.
2. Nobody and nothing is irreplaceable. The cemeteries are full of irreplaceable people, how can we seriously think a flawed security model cannot be replaced? There are attempts with blockchain and other technologies derived, quantum keys embedded in light and other preposterous stuff for many, but if we do not try, it will never happen. Before Tesla (both the man and the company) many people said "it will never happen". Some still say that... Both Musk and Jobs used existing technologies in a different way, combined, beautified, made appealing... The result is a revolution in progress, even tho they did not actually invent much.
3. I say this for a long time, we have the technology, the will and the tools to build a "layer 8" internet, entirely encrypted, floating filesystems, even VMs, a virtual home for everyone, powered by the shared resources of many, bits and pieces of traffic, storage and cpu, completely anonymous, uncrackable without actual police work (infiltration, social engineering, undercover agents, etc). As that is done for one purpose, the same "Layer 8" can be used for the complete opposite, absolute identification and message signing over a completely encrypted p2p connection.
Absolutely everything needed is out there (sure, not specifically designed for this, but trivially simple to adapt), need the organizing to make it happen in spite of Big Corporations, Cults and their minions, the nation states.


----------



## Aldryic C'boas (Jul 31, 2017)

I can't figure out which public office you're running for...


----------



## maounique (Jul 31, 2017)

Me and Public dont match. Even the books I publish anonymously through other people which dont know me


----------



## Jackwebbby (Aug 4, 2017)

I have seen swissns.ch offered ssl certificates absolutely for FREE. No hidden fees or surprises.
Check out: https://www.swissns.ch/site/lps/ssl/index.html
And also youtube video:


----------



## maounique (Aug 4, 2017)

Ended 4 days ago.


----------



## UltratechHost (Aug 6, 2017)

Now a days SSL based website is a part of SEO technique.


----------



## ChrisM (Aug 7, 2017)

Jackwebbby said:


> I have seen swissns.ch offered ssl certificates absolutely for FREE.



You can also get free SSL certs via cPanel's AutoSSL.


----------



## Aldryic C'boas (Aug 7, 2017)

ChrisM said:


> You can also get free SSL certs via cPanel's AutoSSL.



So long as you don't mind not being able to bypass a potentially massive queue <_<


----------



## Jonathan (Aug 8, 2017)

UltratechHost said:


> Now a days SSL based website is a part of SEO technique.



Kinda like having different "C class IPs" for each site, riiiight?

_PSA: I know there's some minor value to SSL at least with Google these days_


----------



## Geek (Aug 9, 2017)

While Google does slightly favor the presence of TLS, it's a very small piece of the ranking pie.
Every now and then when I Google something specific, I'll look for encryption in the URL. Most times I see a pretty steady mix of both HTTP/HTTPS in the results.

Assuming you're following Google's butthurtedness over Symantec's vetting of OV certs, you know that Google will begin to distrust all Symantec's roots (incl., Rapidssl/GeoTrust/Thawte brands). Going forward next year all Symantec certs will be cross-signed by DigiCert. Below, a timeline for Chrome. FF will follow suit.


 
https://godfatha.jetfire.io/img/images/2017/08/08/image.png​


----------

