
SSL, is it really necessary?


itch


My attitude is harsh where this is concerned. If you want me to enter even the colour of my socks I want a secured transaction or I walk. Simple as that. People who don't care enough about their site's users to spend a measly $10.95 for a whole year's security don't deserve to know what colour my socks are, let alone any important details. Accepting even an email address without basic encryption is an appalling practice. If you care, do it. If you don't, bye bye. ;)

Link to comment
Share on other sites


I have a reseller account at eNom. Looks like they lowered the price to 9.95.

 

I'm going with this as soon as my fundage allows it.

 

... Then eventually the EV version for SSL. ;x

Link to comment
Share on other sites

Why that one?

 

Why that certificate?

 

Because I have plans to expand my business to its very limits by the end of this year, and appearing trustworthy (and of course being trustworthy :twisted: ) to my clients is a very, very important thing many people take for granted. Personally, I don't trust that blue icon showing me the connection to a site is encrypted, so what that some guy spent a few bucks on a cheap SSL cert; you gotta go green to build trust.

 

Now there are a lot of companies that give out EV certificates, but it is true what they say, Verisign is the most commonly recognized mark by e-shoppers and I'd love to have their seal on my site with a green address bar :-P

Link to comment
Share on other sites

My attitude is harsh where this is concerned. ... I want a secured transaction or I walk. Simple as that. ... Accepting even an email address without basic encryption is an appalling practice.

 

I think this is such a classic quote as it so beautifully illustrates a very common but complete misconception of what security is.

 

An SSL certificate itself provides ABSOLUTELY NO SECURITY ADVANTAGE. What a security cert provides is an encrypted tunnel between the website and the user's browser. That path, with the advent of modern circuit-switched networks, is already almost impossible to listen in on, unless you're the FBI or the NSA. There is only small benefit in encrypting the network path, as that's not where the information is stolen. Back in the past, when SSL was invented, most networks ran over ethernet and used broadcast technology which could be eavesdropped easily - this is no longer the case.

 

These days, in real life, the information is actually stolen at one of the two endpoints - from the user's browser (using a trojan, keylogger, or something similar) or from the server (by stealing the database, or putting a trojan into the website code). SSL encryption does not protect you against either of these real risks, which realistically are 99.9% of the danger.

 

Having said that, you're crazy if you try to run an eCommerce site without a certificate, as the whole world thinks you need one to be secure! And of course, there is just a little security benefit in having one. But frankly, if you think that an SSL certificate makes a site secure, you have a lot to learn. It's only the start. And I guess the real value to you as a site operator/owner is that it's what the user thinks means the site is secure!

Link to comment
Share on other sites
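Added example, not from any post in this thread: what a listener on the network path actually obtains from one request in each case. It parses a constructed cleartext login POST (not a real capture) and pulls out the cookie and every form field, then builds a minimal TLS ClientHello for the same host and shows that the only application-level fact readable from it is the SNI server name; everything after the handshake is encrypted. The host names, cookie value and credentials are made up for the sample.

```python
import re
import struct
from urllib.parse import parse_qs

# Constructed sample (not a real capture): a login POST as it crosses the wire over plain HTTP.
PLAIN_HTTP_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: PHPSESSID=7f3a9c1e0b\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 40\r\n"
    b"\r\n"
    b"email=bob%40example.org&password=hunter2"
)

# Names that are obviously sensitive; the listener gets every field and header regardless.
SENSITIVE = re.compile(r"pass|pwd|secret|token|card|cvv|cookie|auth|session", re.I)


def inspect_http(data):
    """Parse a cleartext HTTP request and return what an on-path listener learns from it."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    leaked = {h: headers[h] for h in ("authorization", "cookie") if h in headers}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(body.decode("latin-1")).items():
            leaked[field] = values[0]
    return {
        "protocol": "http",
        "request": lines[0],
        "host": headers.get("host"),
        "leaked": leaked,
        "sensitive": sorted(k for k in leaked if SENSITIVE.search(k)),
    }


def build_client_hello(server_name, cipher_suites=(0x1301, 0xC02F)):
    """Build a minimal TLS ClientHello record carrying an SNI extension (sample input only)."""
    name = server_name.encode("idna")
    entry = struct.pack("!BH", 0, len(name)) + name               # name_type host_name(0), length, name
    name_list = struct.pack("!H", len(entry)) + entry
    extension = struct.pack("!HH", 0, len(name_list)) + name_list  # extension type 0 = server_name
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03" + bytes(32)                                   # legacy_version, client random (zeroed)
        + b"\x00"                                                 # empty legacy session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                             # one compression method: null
        + struct.pack("!H", len(extension)) + extension
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def inspect_tls(data):
    """Walk a TLS handshake record; the only application-level fact exposed is the SNI host."""
    if data[0] != 0x16 or data[1] != 0x03:
        raise ValueError("not a TLS handshake record")
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if hs[0] != 0x01:                                            # not a ClientHello: nothing to read
        return {"protocol": "tls", "sni": None, "leaked": {}, "sensitive": []}
    pos = 4 + 2 + 32                                             # handshake header, version, random
    pos += 1 + hs[pos]                                           # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]           # cipher suites
    pos += 1 + hs[pos]                                           # compression methods
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    sni = None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0:                                        # server_name: list length, then entries
            name_type, name_len = struct.unpack("!BH", hs[pos + 2:pos + 5])
            if name_type == 0:
                sni = hs[pos + 5:pos + 5 + name_len].decode("idna")
        pos += ext_len
    return {"protocol": "tls", "sni": sni, "leaked": {}, "sensitive": []}


def inspect_payload(data):
    """Dispatch on the first byte: 0x16 is a TLS handshake record, anything else is treated as HTTP."""
    return inspect_tls(data) if data[:1] == b"\x16" else inspect_http(data)


if __name__ == "__main__":
    print(inspect_payload(PLAIN_HTTP_POST))
    print(inspect_payload(build_client_hello("shop.example")))
```

The first-byte dispatch is a simplification for the sample; a real tap would reassemble the TCP stream first. The point the code makes is only about the yield of a tap: every field of the cleartext request, versus a host name from the encrypted one.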

Oh really, then tell me why every bank, every bigger website that accepts logins, every government agency uses SSL certificates if you claim they can only prevent intelligence agencies from eavesdropping on us?

 

The fact that you state only the CIA/NSA could do this is very childish and proves just what you know about the subject. Yes, the NSA does have teams of great hackers with the world's best supercomputers, but all it takes is one good hacker to listen on that unsecured connection, not a whole govt agency.

Link to comment
Share on other sites

Bottom line... get one to please your customers.

 

My problem now though, is the damn speed difference. If I don't enable SSL on ALL my pages, clients won't really go "oooooh" and "aaaaah". So, now that I have, my site is considerably slower. Which means, either ditch SSL on static pages (which is the sensible thing to do), or make the site faster by removing some graphics and and and. What to do... what to do...

Edited by itch
Link to comment
Share on other sites

Is it significantly faster? And is it still "secure"?

 

Yes, it is faster as the encryption isn't as strong so the browser to server encryption does not take as long.

 

Technically it's not as secure as 256-bit encryption, but both are relatively unbreakable. Google uses RC4 128-bit encryption if it makes you feel better, and I think those guys know what they're doing 8)

 

And even PayPal doesn't use 256-bit encryption, FF lists it at 168 bits :twisted:

Link to comment
Share on other sites
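Added example, not from the thread: a small audit of cipher-suite names of the kind the posts above compare. RC4 at 128 bits is prohibited in TLS by RFC 7465 because of keystream biases; the 168-bit figure Firefox showed is 3DES's nominal key length (three 56-bit keys, about 112 bits of effective strength, and a 64-bit block that SWEET32 exploits); AES-128 is the usual speed choice and is not weak. The list of offered names below is constructed, and `audit_context` runs the same check over what the local Python `ssl` module would actually offer.

```python
import ssl

# Substrings that identify a weak primitive in an OpenSSL- or IANA-style suite name, with the
# reason. These are properties of the algorithms, not statements from the thread.
WEAK_TOKENS = [
    ("RC4",      "RC4 keystream is biased; RFC 7465 prohibits RC4 in TLS"),
    ("DES-CBC3", "3DES: 168-bit key, ~112-bit effective strength, 64-bit block (SWEET32)"),
    ("3DES",     "3DES (IANA name form), same weaknesses as DES-CBC3"),
    ("DES-CBC-", "single DES, 56-bit key"),
    ("NULL",     "no encryption"),
    ("EXP",      "export-grade 40/56-bit key"),
    ("ADH",      "anonymous DH, no server authentication"),
    ("AECDH",    "anonymous ECDH, no server authentication"),
    ("MD5",      "MD5-based MAC"),
]

# Constructed list standing in for what a server of the period might have offered.
SAMPLE_OFFERED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "RC4-SHA",
    "DES-CBC3-SHA",
    "TLS_AES_256_GCM_SHA384",
]


def classify(name):
    """Return (acceptable, reason) for one suite name."""
    upper = name.upper()
    for token, reason in WEAK_TOKENS:
        if token in upper:
            return False, reason
    return True, "ok"


def has_forward_secrecy(name):
    """Ephemeral key exchange: ECDHE/DHE suites, or any TLS 1.3 suite (TLS_AES_*, TLS_CHACHA20_*)."""
    return name.upper().startswith(("ECDHE", "DHE", "TLS_AES", "TLS_CHACHA20"))


def audit(names):
    """Split suite names into accepted, rejected (with reason) and accepted-but-no-forward-secrecy."""
    accepted, rejected, no_pfs = [], {}, []
    for name in names:
        ok, reason = classify(name)
        if not ok:
            rejected[name] = reason
            continue
        accepted.append(name)
        if not has_forward_secrecy(name):
            no_pfs.append(name)          # a stolen server key decrypts recorded sessions
    return {"accepted": accepted, "rejected": rejected, "no_forward_secrecy": no_pfs}


def audit_context(ctx=None):
    """Audit what a Python ssl context would really offer, via ssl.SSLContext.get_ciphers()."""
    ctx = ctx or ssl.create_default_context()
    return audit([c["name"] for c in ctx.get_ciphers()])


if __name__ == "__main__":
    for key, value in audit(SAMPLE_OFFERED).items():
        print(key, value)
    print("local default context rejects:", audit_context()["rejected"])
```

The "128 vs 256" speed question in the posts is about AES key length; the bigger cost in practice is the handshake, not the bulk cipher, so dropping to a weaker cipher buys little.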

Any idea how much faster?! :)

Link to comment
Share on other sites

Oh really, then tell me why every bank, every bigger website that accepts logins, every government agency uses SSL certificates if you claim they can only prevent intelligence agencies from eavesdropping on us?

 

For two reasons, as stated in my post:

1) it looks to customers like it provides security;

2) it does add a little, mostly unneeded, security to the transmission path.

 

Remember, most exploits take place at the PC level or at the server level. If you don't already know that, do some security reading and you'll find I'm right.

 

The fact that you state only the CIA/NSA could do this is very childish and proves just what you know about the subject. Yes, the NSA does have teams of great hackers with the world's best supercomputers, but all it takes is one good hacker to listen on that unsecured connection, not a whole govt agency.

 

"Do this"? I'm assuming you mean, intercept the data path? Yes, in most cases it's really only going to be the authorities, perhaps in some rare cases organized crime and very occasionally, a hacker or two.

 

Really the only way to intercept the data path is to hack into a switch and activate the monitoring port (which in many cases these days is forced to be a physical port, so is really hard as someone has to change a physical wire in the data centre), or to hack into a router. Not impossible, but very, very hard and getting even harder.

 

OK, I confess to overstating my point a little (in all caps!) but the point is that most people miss that an SSL padlock is just a bandaid and actually means nothing about real security. If you're falling for that yourself then all I can say is that time and further experience will change your mind. As just one example, the number of credit card merchant sites running on shared servers as DSO, where the apache user has access to every file on the server and thus indirectly every database, is frighteningly huge.

 

I'm not saying don't use SSL. I'm simply saying don't fall into the trap of thinking it actually "secures" your website. Please forgive any offence; none is intended.

Link to comment
Share on other sites
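Added example, not from the thread: a check for the shared-server case this post describes, reading "DSO" as mod_php loaded into Apache as a shared object, so PHP for every site on the box runs as the one apache user. Any configuration file that is world-readable, or that the web-server user owns, is readable by code in any other customer's site on the same host. The walker below flags such files; the demo builds a constructed web root in a temp directory and shows the result before and after a chmod. The file names and sample credential are made up; on a real host you would pass the web server's uid and gid.

```python
import os
import stat
import tempfile
from pathlib import Path

# File names that usually hold database credentials on a PHP shop. Assumption for this
# example; extend the set for your own application.
SECRET_NAMES = {"config.php", "configuration.php", "wp-config.php", "settings.php", ".env"}


def audit_tree(root, web_uid=None, web_gid=None):
    """Find credential files that accounts other than their owner could read.

    A file is flagged when its mode grants read to 'other' (every account on the box), when
    it is group-readable and the group is the web server's, or when the web-server user owns
    it: with PHP loaded as a DSO, code in any site on the host runs as that user and can open it.
    """
    root = Path(root)
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if filename not in SECRET_NAMES:
                continue
            path = Path(dirpath, filename)
            st = path.lstat()
            reasons = []
            if st.st_mode & stat.S_IROTH:
                reasons.append("world-readable")
            if web_gid is not None and st.st_gid == web_gid and st.st_mode & stat.S_IRGRP:
                reasons.append("readable by web-server group")
            if web_uid is not None and st.st_uid == web_uid:
                reasons.append("owned by web-server user")   # chmod cannot fix this one
            if reasons:
                findings.append((str(path.relative_to(root)), oct(st.st_mode & 0o777), reasons))
    return sorted(findings)


def harden(path):
    """Restrict a credential file to its owner (0600) and return the resulting mode."""
    os.chmod(path, 0o600)
    return oct(os.stat(path).st_mode & 0o777)


def demo():
    """Constructed web root in a temp dir: audit before and after hardening."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "shop").mkdir()
    config = root / "shop" / "config.php"
    config.write_text("<?php $db_pass = 'example-only-not-a-real-secret';\n")
    os.chmod(config, 0o644)                   # typical mode after an FTP upload
    index = root / "shop" / "index.php"
    index.write_text("<?php echo 'shop';\n")
    os.chmod(index, 0o644)                    # public code, fine to be world-readable
    before = audit_tree(root)
    harden(config)
    after = audit_tree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

When the file is owned by the web-server user itself (the third reason), no mode bits help: the only fix is to stop running every customer's PHP as one account, for example by giving each site its own PHP-FPM pool or suexec user.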

I'm not going to argue with you for nothing, but if there was no need to use SSL certs as you say there isn't, people wouldn't use them. Passing sensitive information to a server over an unencrypted connection is mental.

 

Good day to you 8)

Link to comment
Share on other sites

I have one question for you heads out there to possibly shed some light on for me as I don't quite understand it myself yet.

 

I have an SSL installed but also have unsecured elements so get that well known warning usually associated with the problem. I am having the devil's own job resolving this matter which is another issue entirely. My question is simply, is the encryption still working despite the unsecured items issue?

Link to comment
Share on other sites

I believe not, it's either all encrypted or it's not encrypted, but I could be wrong.

 

Give us the URL and we'll help fix the issue :twisted:

Link to comment
Share on other sites
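Added example, not from the thread, for the question above about a page that still has insecure elements. The HTTPS document itself, and every resource it fetches over HTTPS, stay encrypted; the browser warning means the page also requests some resources over plain HTTP, which travel in clear and, when the resource is a script, stylesheet or frame, can be replaced by anyone on the path with a version that reads the whole page. The scanner below lists those references so they can be fixed, classifying each by what it can do. The page HTML and host names are constructed for the sample.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose http:// reference is "active" mixed content (the fetched bytes can rewrite the
# page) versus "passive" (they can be swapped or observed but not run). Stylesheets, CSS url()
# references and form targets are handled separately below.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src", "track": "src"}
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""", re.I)

# Constructed page (not a real site) served from https://shop.example/.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="icon" href="/favicon.ico">
<script src="//cdn.example/jquery.js"></script>
<script src="http://stats.example/track.js"></script>
<style>body { background: url(http://cdn.example/bg.png) }</style>
</head><body>
<img src="http://cdn.example/logo.png" alt="Logo">
<img src="images/cart.png" alt="">
<form action="http://shop.example/checkout" method="post"><input name="card"></form>
<a href="http://blog.example/">blog</a>
</body></html>"""


class MixedContentScanner(HTMLParser):
    """Collect every subresource an https page would request over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self.in_style = False

    def _check(self, tag, attr, url, kind, line):
        resolved = urljoin(self.page_url, url.strip())   # relative and //host refs inherit https
        if urlsplit(resolved).scheme == "http":
            self.findings.append({"line": line, "tag": tag, "attr": attr, "url": resolved, "kind": kind})

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag == "link":
            if "stylesheet" in a.get("rel", "").lower() and a.get("href"):
                self._check(tag, "href", a["href"], "active", line)
        elif tag in ACTIVE and a.get(ACTIVE[tag]):
            self._check(tag, ACTIVE[tag], a[ACTIVE[tag]], "active", line)
        elif tag in PASSIVE and a.get(PASSIVE[tag]):
            self._check(tag, PASSIVE[tag], a[PASSIVE[tag]], "passive", line)
        elif tag == "form" and a.get("action"):
            self._check(tag, "action", a["action"], "form-post", line)  # https page posting to http
        elif tag == "style":
            self.in_style = True
        for url in CSS_URL.findall(a.get("style", "")):
            self._check(tag, "style", url, "css", line)

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            for url in CSS_URL.findall(data):
                self._check("style", "url()", url, "css", self.getpos()[0])


def scan(html, page_url):
    """Return the insecure references in `html` as served from `page_url`, in document order."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings):
    """Count findings per kind so active ones can be fixed first."""
    counts = {}
    for finding in findings:
        counts[finding["kind"]] = counts.get(finding["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in scan(SAMPLE_PAGE, "https://shop.example/"):
        print(finding)
    print(summarize(scan(SAMPLE_PAGE, "https://shop.example/")))
```

The `//cdn.example/jquery.js` reference is not reported because a scheme-relative URL inherits https from the page; the plain `<a href="http://...">` is navigation rather than a subresource and is not mixed content. Fixing the active findings (stylesheet, script, form target) removes the real exposure; the passive ones are what most browsers of the period warned about loudest.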
