
If you have a website with no customer data, do you really need an SSL certificate?


I have a few websites, these sites are one way in the sense that the outside world can view them, but I don't have any user input to purchase anything or a database of customer or client info etc.

There is a page with email address, that's it.

Do I really need an SSL certificate and the fees GoDaddy is charging for them?

Depends what you mean by "need" - it will work fine without.

You might find some systems and/or browsers start giving "insecure" warnings.

I'd be interested in any input from more web-savvy peeps on this.

I also run a small SMF forum on a non-HTTPS site - is this likely to be a problem?

As long as you have control over the domain then will give you a certificate for free.
The certificate is only valid for 3 months, but there are many software tools/methods to automate the request/renewal.
Your hosting provider may also have the capability built in to the management console, so it can be set up and forgotten.

I found another provider that gives free SSL service, GoDaddy is charging $99/year

The cPanel fee is also way less expensive.  I think GoDaddy prices have gone up a lot over the last 10 years.

Looks like I will be migrating and saving enough per year to buy a used Fluke DMM, money better spent.

Someone has already mentioned Let’s Encrypt. There is no reason to not have TLS nowadays, considering the only cost is setting up the certbot and including certificate deployment verification into normal website monitoring routines.

This is where this answer could end. But there is more to say. The way you asked the question indicates you have a wrong perspective on TLS. Many people get TLS very wrong in this manner: associating security with transmitting data they perceive as “secret”, where the choice of what is “secret” is often not even well-founded. You need to shift your perspective, because that way of understanding TLS turns it into security theater that doesn’t actually work.

First and foremost, before encryption is even considered: TLS offers authentication of your server to the client. A thing without which encryption couldn’t work. It protects your data from attacks. This way you are sure that whatever user sees, when using your website’s address, is what you sent them. They read your text. They see your images. They run your code. Whatever link they follow, it’s the link you offered to them and not something replaced by other actors (and later blamed on you). Attacks that replace contents of websites are becoming increasingly rare in recent years, but having a rogue access point in a venue or a hotel replacing content with advertisements or links to malware is not unheard of.

The reason it is becoming rare is: TLS is becoming the norm. This is the second point: normalization. The point of having TLS everywhere is not encrypting some “secret” information. The point is creating an environment in which endpoints may talk to each other as if there were no intermediate actors, and making that the norm. The default. It can not work otherwise. I will stress that: it. can. not. Encrypting a login form or a page displaying personal information doesn’t matter if the links leading to those are on a page sent without TLS.(1) That is a common mistake in deploying encryption by people who perceive encryption as requiring a special reason to be used. You may as well not bother at all: it doesn’t provide much protection against anything other than passive listening.(2) Even if a particular website doesn’t directly benefit from encryption, whether it uses it affects general security by both technical and sociological means.

Finally, it’s not only about security regarding some particular kind of data. There are things called freedom and privacy. While I do not require anyone to value those, consider respecting that others do and that they want to limit their exposure. By using TLS you ensure(3) that the communication is between your user and you, and potentially anyone you allowed to participate in that exchange. You may think that you do not process any customer’s data. But you do, and it’s usually much more valuable in financial terms than their name and address.

(1) All that is needed to strip protection is changing the on the unprotected site. “Please check if there is a padlock” doesn’t work. Not only does it ignore psychology — users will not do that, or at some point will forget to do it — but it relies on the weird assumption that attackers can’t use encryption for their own servers.
(2) Which ceased to be a considerably greater threat than data manipulation probably in the late 2000s, with routers and advanced switches replacing repeaters in LANs. Right now deploying an attack that modifies data on the fly is not much harder than a passive logger.
(3) Limited by the assumption that the CA does not give out fake certificates.
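The two practical points raised in this thread, automated short-lived certificates (which only help if renewal actually keeps working) and folding certificate deployment verification into routine website monitoring, plus the point that the whole site, not just a "secret" page, has to be served over TLS, can be checked with a small script. The following is an added example written for this thread, not code from any poster, forum software or certificate authority. It assumes only the Python standard library; the hostname, the 14-day alert threshold, the HSTS minimum and the sample certificate dictionary are constructed for illustration (the dictionary has the shape `ssl.SSLSocket.getpeercert()` returns).

```python
"""Post-deployment TLS checks for a site using short-lived (Let's Encrypt style) certificates.

Three checks a monitoring job can run daily:
  1. the served certificate covers the hostname (subjectAltName match),
  2. it has more than MIN_DAYS of validity left (a silent renewal failure shows up here
     long before the browser warning does),
  3. plain http:// redirects permanently to https:// and the HTTPS response carries HSTS,
     so no unprotected page exists from which links could be rewritten.
"""
import calendar
import socket
import ssl
import sys
import time
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urlsplit

MIN_DAYS = 14            # assumed alert threshold; certbot renews at 30 days left, so 14 means it failed
MIN_HSTS_MAX_AGE = 15552000  # 180 days; assumed minimum, pick what fits your rollout

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert(); not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Dec 15 00:00:00 2029 GMT",
    "notAfter": "Mar 15 00:00:00 2030 GMT",
}
# Constructed "current time" for the sample: 2030-03-01 00:00:00 UTC, 14 days before expiry.
NOW = calendar.timegm((2030, 3, 1, 0, 0, 0))


def san_matches(cert, hostname):
    """True if hostname matches a DNS SAN entry; a leading '*.' wildcard covers exactly one label."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value == host:
            return True
        if value.startswith("*.") and "." in host and host.split(".", 1)[1] == value[2:]:
            return True
    return False


def days_until_expiry(cert, now=None):
    """Days of validity left, computed from the certificate's notAfter field."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0


def check_certificate(cert, hostname, now=None, min_days=MIN_DAYS):
    """Return a list of problems with the served certificate; an empty list means it passes."""
    problems = []
    if not san_matches(cert, hostname):
        problems.append(f"certificate does not cover {hostname}")
    left = days_until_expiry(cert, now)
    if left < 0:
        problems.append("certificate has expired")
    elif left < min_days:
        problems.append(f"certificate expires in {left:.1f} days; automated renewal may be broken")
    return problems


def check_http_redirect(status, headers):
    """The plain-HTTP response must be a permanent redirect (301/308) to an https:// URL."""
    lower = {k.lower(): v for k, v in headers.items()}
    if status not in (301, 308):
        return [f"http:// answered {status} instead of a permanent redirect"]
    location = lower.get("location", "")
    if urlsplit(location).scheme != "https":
        return [f"redirect target is not https://: {location!r}"]
    return []


def check_hsts(headers, min_max_age=MIN_HSTS_MAX_AGE):
    """The HTTPS response must set Strict-Transport-Security with a sufficiently large max-age."""
    lower = {k.lower(): v for k, v in headers.items()}
    value = lower.get("strict-transport-security")
    if value is None:
        return ["HTTPS response lacks Strict-Transport-Security"]
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.isdigit():
            return [] if int(val) >= min_max_age else [f"HSTS max-age {val} is below {min_max_age}"]
    return [f"HSTS header has no usable max-age: {value!r}"]


def check_site(hostname, timeout=10):
    """Run all checks against a live host (needs network access; not exercised by the offline sample)."""
    ctx = ssl.create_default_context()  # verifies the chain against system roots and the hostname
    with socket.create_connection((hostname, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            problems = check_certificate(tls.getpeercert(), hostname)
    http = HTTPConnection(hostname, 80, timeout=timeout)
    http.request("GET", "/")
    resp = http.getresponse()
    problems += check_http_redirect(resp.status, dict(resp.getheaders()))
    https = HTTPSConnection(hostname, 443, timeout=timeout, context=ctx)
    https.request("GET", "/")
    problems += check_hsts(dict(https.getresponse().getheaders()))
    return problems


if __name__ == "__main__":
    # Usage: python tls_check.py www.example.com   (exit status 1 on any problem, for cron/monitoring)
    found = check_site(sys.argv[1]) if len(sys.argv) > 1 else check_certificate(SAMPLE_CERT, "example.com", NOW)
    print("\n".join(found) or "all TLS checks passed")
    sys.exit(1 if found else 0)
```

Run it from cron against each hostname you serve and alert on a non-zero exit; with the 14-day threshold, a renewal that silently stopped working is reported roughly two weeks before visitors would see a warning. The redirect and HSTS checks cover the other half of the argument above: once every plain-HTTP request is turned into an HTTPS one, there is no unprotected page left on which links could be replaced.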
