When should you use SSL?

[Nerdie]

If you can deal with the cost and complexity of running SSL, by all means, do it for everything.

I 100% agree with this. You can get an SSL as cheap as $7. You should always use an SSL if you can.

 

[mitgib]

I 100% agree with this. You can get an SSL as cheap as $7. You should always use an SSL if you can.

Under $5 tyvm

 

[joepie91]

@joepie91


If you look in the right place you can get one for less than $5 a year.


If you are running a web server manually, i assume you have a grasp of the configuration. Adding SSL support only requires 2-3 lines of code. If you want a better cipher strength you don't have to do a lot of research, just add the recommendations by ssllabs or mozilla. If you are using a panel like cpanel its point and click.


In the website section you just have to make sure all the internal and external resources are loaded over https 

$5/year for a rubber stamp is a significant cost if you run many non-commercial projects. It gets far more expensive if you need eg. a wildcard certificate for dealing with subdomains.


As for complexity, you are overlooking many aspects of SSL/TLS configuration (think HSTS and HPKP, for example, as well as the decisions what SSL/TLS versions to support).

 

[graeme]

Its more than adding two lines of code - you have to generate a CSR, jump through some verification hoops (usually just email - but some small site domains may not have email set up at all), and so on, upload and download files etc.

I think that is what Let’s Encrypt is changing. StartSSL has offered free SSL certs for a while now, but Let’s Encrypt makes the process a lot easier.

 

[HN-Matt]

These may be helpful:

https://www.eff.org/deeplinks/2011/10/how-secure-https-today
http://www.sott.net/article/275524-Why-HTTPS-and-SSL-are-not-as-secure-as-you-think

In this day and age of well-known NSA spying, everyone keeps saying that the only way to be safe is to use SSL/TLS, commonly known as "browsing with https://".


The sad reality is that HTTPS does virtually nothing to protect you from the prying eyes of alphabet soup agencies - or anybody else with enough knowledge about how these supposedly "secure" connections actually work.


It's true that connecting to web sites with SSL will certainly prevent "script kiddies" and other more winky opponents from eavesdropping on your surfing or otherwise interfering in your affairs. But as for the Real Bad Guys, forget it...

We shall begin by taking a brief dive down the rabbit hole of SSL, hopefully in a way that will make sense to even the least technically inclined among us.

tl;dr abolish Certificate Authorities or bust. The Entire Concept is as rotten to the core as the x86 apple of the Internet's 13 Root Name Servers' eyes... but you already knew that so just install an SSL cert or whatever.



P.S. Obligatory 'controversial alternative': https://github.com/okTurtles/dnschain
P.P.S. Before joining the 'Lets Encrypt' progression toward utopia, you may want to know that its installation process requires connecting to pypi.python.org.

 

[ioZoom]

When do you need to use it? What if your site isn't public facing is there any benefit in having an SSL?

Whenever you do any type of ecommerce on the internet and need to encrypt sensitive information such as customer data. You wouldn't even be able to get a merchant account with SSL on your site. If your site isn't open to the public than I really don't see any point in having SSL.

 

[wlanboy]

When should you use SSL?

• To secure from data (logins, emails) - plain text is a bad idea.
  
• To give the user the possibility to identify the server
  

I don't use crypt a lot but signing is a must. Why?
Because crypt is to secure that only the receipiant can read the message but signing is used to ensure from whom the message was sent. All about identity management.

 

[HN-Matt]

At least the default *.pem and *.key values in services like nginx and postfix are set to 'snakeoil'.

Dunno, SS* comes off as a tired old confidence trick to me. Guess it's probably more of a structural problem than anything.

 

[CenTex Hosting]

if you are going to buy something online I think its a given you have to do it from a provider that has SSL on their site. Depending on what you are looking to buy then I look to see if they have the Green address bar.


A company that is selling online that doesn't have an SSL or an EV Ssl tells me they don't really care about security or that they are not planning on being around long enough for it to really matter. IMO

 

[Stevensst]

You will look more "trustworthy" by the green ssl sign to your customers. Also it helps you google rank now as they now count ssl in their algorithms.


And obviously if you store customers's data or do online transactions, then SSL is compulsary.

 

[PowerUpHosting-Udit]

You will look more "trustworthy" by the green ssl sign to your customers. Also it helps you google rank now as they now count ssl in their algorithms.


And obviously if you store customers's data or do online transactions, then SSL is compulsary.

The Green SSL or EV SSLs are costly and can go upto $150/year or even above. These SSLs acts and converts a lot better and builds a better trust as compared to those normal SSLs

 

[HN-Matt]

if you are going to buy something online I think its a given you have to do it from a provider that has SSL on their site. Depending on what you are looking to buy then I look to see if they have the Green address bar.


A company that is selling online that doesn't have an SSL or an EV Ssl tells me they don't really care about security or that they are not planning on being around long enough for it to really matter. IMO

I remember last year when some of the leading Binary Options brokers weren't even bothering with SSL certs, and these are websites asking for credit card details with a minimum deposit of $250. Seemed kind of hilarious, but apparently had no detrimental effect on their businesses.

 

[DMMediaLtd]

Just a hint if you plan to use a CDN at all SSL mite not be the best answer (it can get expensive to add SSL to CDN content)

 

[hmb-patrick]

High traffic sites, sites with huge client data or allowing any type of online payment must use SSL certificate. 

 

[Gustavo]

If you have e-commerce industry and If you’re serious about doing business online, you need SSL. 

 

[graeme]

Not sure if it is true for VPS businesses, which have a relatively sophisticated customers, but in most businesses you will scare off more customers by having SSL issues (self signed SSL, certificate authorities that are not recognised by all browsers, and an awful lot of things that can go wrong with SSL).

As @HN-Matt says, most people do not notice when you do not have SSL when you should have.

 

[VPSclub]

If your project involves monetary transactions, or storing user's information, you should go for SSL. It increases the trust of your customers/visitors. If not, there is no need for it.


In case you want that green lock on your site, just because it looks good, try getting free SSL from cloudflare, startssl etc.

 

[SkyNetHosting]

SEO point of view, you should use SSL by default and google expect you to use SSL when ever its possible. 


https://googleonlinesecurity.blogspot.com/2014/08/https-as-ranking-signal_6.html

 

[GlideServers]

Try to use it for most things, but for online shops / storing customer data then do your best to use SSL

 

[Localnode]

The Green SSL or EV SSLs are costly and can go upto $150/year or even above. These SSLs acts and converts a lot better and builds a better trust as compared to those normal SSLs

I got my Comodo EV for $99 per year direct. Not sure how long the offer will last, but still.
Mind you, I looked at all EV providers and chose Comodo over Geotrust not because of the price.

Just a hint if you plan to use a CDN at all SSL mite not be the best answer (it can get expensive to add SSL to CDN content)

There's a few CDN's that allow you to have your own custom SSL for no cost. KeyCDN and CDN77 are two that I know of.