Why bother with SSL certificates?

Posted July 12, 2010 by Jim Ciallella

There's a common misconception that SSL certificates are not needed if a website has no "sensitive" data worth protecting.

At OC, we contend that every login or registration form should be SSL encrypted, no matter if there's 1 user account or 10,000. Sites with only internal users can get by at zero cost. A real SSL cert can cost as little as $20-30 a year.

Example of Extended Validation SSL Certificate

The What

The SSL protocol encrypts sensitive data moving between a web browser and a web server. It's also used between servers, like with API calls. Visit PayPal, eBay, or any bank site and you're likely to see a URL starting with https://. Modern browsers even use visual indicators like a yellow or green location bar and padlock icons.

The Why

At the very least SSL should protect admin login credentials. You know, the one which controls an entire CMS/website. If there are registered users then the stakes can be even higher.

Imagine I'm a hacker in a public place with a cheap wireless network. I use readily available tools to sniff out email addresses and passwords submitted to unencrypted forms. The odds are pretty good that at least one of these folks uses the same email address and password for other websites. I login to their webmail and do a quick search of old emails for words like "password" or "bank statement" or "paypal". A few minutes later I find emails divulging online banks and probably even a few clear-text passwords. The rest is history.

The How

Self-signed certificates can be created and installed with a bit of practice. If you need an official signed cert then quick and cheap ones can be had within hours. Scripts and instructions on both methods are all over the web. Though, expect to spend a few hours of tweaking and testing the first time.

While some shared hosting environments come with SSL certs, it's likely you'll need root-level access to install your own.

Force the Issue

After installing an SSL certificate it's important to force pages with sensitive forms to always use the https:// version of the URL. This can be enforced with 301 or header redirects. Since SSL comes with overhead it's equally important to redirect back to http:// when https:// is not necessary.

In Drupal, the Secure Pages module makes enforcing secure vs non-secure pages very easy. We've accomplished the same in Wordpress with a few lines of code, but there's probably a plug-in.

It's About Layers

This is functionality many visitors wouldn't realize is missing, and many web developers don't bother to force. Yes, the odds are slim, but it's another layer. It's solving a problem that never happens.


dave ~ July 13, 2010

Jimmy, I hope I'm not the only one who enjoys seeing your rare postings on the blog. I've always been more of a hacker than a desigenr (and when I say hacker, I mean hacker in the context that kids these days don't even understand)-these posts are always a good deviation.

awesome new captcha, btw.

Lovingly crafted by orangecoat with some rights reserved, and a promise not to spam you.

Back to top