
SSL, is it really necessary?


itch


Well, I am building a site using Joomla 1.5.14 (Shape5 New Architect theme) with WHMCS 4.0.2 (Customised Portal template) already integrated. Most images are already set to https:// whereas others, including some in both Joomla and WHMCS, will not even appear if https is used to call them. And this is the most confusing part for me. I am also using one of Sparky's mods, Client Area Home which cannot be seen unless logged in.

 

I'll PM you my URL. ;)

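The post above describes the usual pain of moving a Joomla/WHMCS site to https: some sub-resources are still referenced as http://, and a browser on an https page will either warn about or refuse to load them. The script below is an added example (not code from the thread, and not the poster's site) that walks an HTML page and lists every image, script, stylesheet, iframe or form action that would resolve to plain http, resolving relative and protocol-relative URLs the way a browser does. The sample page and host names are constructed for the example.

```python
"""
Find sub-resources that an HTML page loads over plain http://.

Added example, not code from the original thread. The page content below
is a constructed sample with invented host names, not the poster's site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make a browser fetch (or post to) another URL.
_URL_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src",),
    "form": ("action",),
}


class MixedContentFinder(HTMLParser):
    """Collects (tag, attribute, absolute URL) for every reference whose scheme is http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for wanted in _URL_ATTRS.get(tag, ()):
            for attr, value in attrs:
                if attr == wanted and value:
                    # Resolve "//host/x" and relative paths against the page
                    # URL, exactly as the browser would, before checking the scheme.
                    absolute = urljoin(self.page_url, value.strip())
                    if urlsplit(absolute).scheme == "http":
                        self.findings.append((tag, attr, absolute))


def find_mixed_content(html, page_url):
    """Return the list of http:// sub-resource references found in `html`."""
    parser = MixedContentFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two hard-coded http:// references, one
# protocol-relative reference (inherits https) and one https reference.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://example.test/templates/style.css">
<script src="//example.test/js/mootools.js"></script>
</head><body>
<img src="https://example.test/images/logo.png">
<img src="http://cdn.example.test/banner.jpg">
<form action="/submit.php"><input name="card"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE, "https://example.test/index.php"):
        print(f"{tag}[{attr}] loads over http: {url}")
```

Note that a protocol-relative `//host/path` reference is only safe because it inherits the page's scheme; the same template served over http would load it over http, which is why the check resolves against the page URL rather than looking at the literal attribute.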

I agree, the threat of a stolen database is the REAL threat. You get a trojan on your server that allows them to download your database, you're done. The SSL cert doesn't do anything except make ignorant people think that they are safe.

 

It's like hiring an armored car to transport your gold bars from the airport to your house, but once at the house, you lock the front door with only the door knob, which anyone knows provides very little security.

 

Adding to another point made by brianoz, we used to run our company site on a shared server running in Apache mode vice CGI. Eventually we switched to CGI mode and moved all the client sites off of the server, but years later I just now found trojans buried in our site that were years old.

 

SSL means nothing. Insecure servers will destroy you, and an SSL certificate will do nothing to help.

 

Believe what you will, as like brianoz pointed out, until it happens to you, you won't listen.

 

Paypal uses SSL, but is that going to save them if someone manages to get a trojan onto their server?

Edited by nerbonne
Added more rant...

You're talking about security here and you're saying that you only need to secure the server, and nothing else? I mean read your posts, even the scenario you proposed, and tell me that the route of the sensitive data does not need to be secured...

 

If you want the gold bricks secure you will need an armored car (your SSL certificate) but you'll also need a fort surrounded by soldiers (data encrypted on your server using encryption such as MD5 with random salts).

 

If you're going to let someone get that trojan horse on the server then yeah, obviously the certificate can't do you any good but you're talking about apples and bombs here, one has nothing to do with the other as an SSL certificate is not a <<snipped>> anti-virus program.

Edited by bear
language

Really the only way to intercept the data path is to hack into a switch and activate the monitoring port (which in many cases these days is forced to be a physical port, so is really hard as someone has to change a physical wire in the data centre), or to hack into a router. Not impossible, but very, very hard and getting even harder.

Come back when you've done a security course.

 

Probably one of the first things my university taught in networking class....

 

 

And apart from that, have you heard of wifi sniffing - very popular these days.

 

There's /no/ excuse or reason not to use SSL. Obviously it isn't all there is to security (we can dream!).


Depends whether you want potential customers to go elsewhere or not.

 

So, if they stay on WHMCS during the checkout process, I don't have to worry about SSL?

 

I see on your site (https://www.fast2host.com/client/cart.php?gid=7), the order form stays on your website and you're using SSL ; are you pointing to WHMCS or is it installed on your server?

 

Sorry, I'm just trying to wrap my head around the process. I would prefer to set my site up like yours (SSL and WHMCS is integrated into my website).


I'd like to point out that although there is little chance of data being intercepted during transit generally over the Internet, there is a significantly higher chance of it being intercepted over a shared (public) network where a lot of standard sub-par networks are susceptible to ARP poisoning which can redirect all network traffic through a network device pretending to be the network gateway.

 

Whilst SSL is seriously overhyped, you are tempting fate if you don't use one for transactional purposes.

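The ARP poisoning the post above refers to works because hosts accept any ARP reply (or request) that names an IP, and will happily overwrite their cached MAC for the gateway with an attacker's. The detector below is an added example, not code from the thread: it parses raw Ethernet/ARP frames, learns sender IP-to-MAC bindings, and raises an alert when an IP that was previously seen from one MAC is claimed by another. The frames are constructed sample traffic with invented addresses; the gateway binding is seeded from configuration so the very first spoofed reply is caught.

```python
"""
Passive ARP-spoof detector.

Added example, not code from the thread. Watches sender IP/MAC bindings in
ARP frames and alerts when an IP previously seen from one MAC is claimed by
another, which is what an ARP-poisoning attacker does when impersonating
the gateway. SAMPLE_FRAMES is constructed traffic with invented addresses.
"""
import struct
from collections import namedtuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

ArpPacket = namedtuple("ArpPacket", "opcode sender_mac sender_ip target_mac target_ip")


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(src_mac, dst_mac, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet + ARP frame; used here only to construct sample traffic."""
    ethernet = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # Ethernet, IPv4, hlen, plen, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return ethernet + arp


def parse_arp(frame):
    """Return an ArpPacket for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return ArpPacket(opcode, mac_str(body[0:6]), ip_str(body[6:10]),
                     mac_str(body[10:16]), ip_str(body[16:20]))


class ArpWatch:
    """Learns IP -> MAC from ARP senders; alerts when a known binding changes."""

    def __init__(self, gateway_ip, gateway_mac):
        # Seed the gateway binding from configuration so a spoofed reply is
        # caught even if no legitimate gateway frame has been seen yet.
        self.known = {gateway_ip: gateway_mac}
        self.alerts = []

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return None
        # Both requests and replies carry a sender binding, and hosts cache
        # either, so learn from both.
        previous = self.known.get(pkt.sender_ip)
        if previous is None:
            self.known[pkt.sender_ip] = pkt.sender_mac
            return None
        if previous != pkt.sender_mac:
            kind = "reply" if pkt.opcode == ARP_REPLY else "request"
            alert = (f"ARP {kind}: {pkt.sender_ip} now claimed by {pkt.sender_mac}, "
                     f"previously {previous} (sent to {pkt.target_ip})")
            self.alerts.append(alert)
            return alert
        return None


# Constructed sample traffic (invented addresses).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:aa:aa:aa:aa:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "bb:bb:bb:bb:bb:10"
ATTACKER_MAC = "cc:cc:cc:cc:cc:99"

SAMPLE_FRAMES = [
    # victim asks who has the gateway; the real gateway answers
    build_arp(VICTIM_MAC, BROADCAST, ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),
    build_arp(GATEWAY_MAC, VICTIM_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    # attacker poisons the victim: "the gateway is at my MAC"
    build_arp(ATTACKER_MAC, VICTIM_MAC, ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    # and poisons the gateway: "the victim is at my MAC", so both directions pass through it
    build_arp(ATTACKER_MAC, GATEWAY_MAC, ARP_REPLY, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
]


def run_sample():
    """Feed the sample frames through one watcher; returns one result per frame."""
    watch = ArpWatch(GATEWAY_IP, GATEWAY_MAC)
    return [watch.observe(frame) for frame in SAMPLE_FRAMES]


if __name__ == "__main__":
    for result in run_sample():
        print(result or "ok")
```

On a real segment you would feed frames from a raw socket or pcap into `observe`; a binding that legitimately changes (a replaced NIC, DHCP reassigning an address) will also alert, so in practice the known table is aged or re-seeded from the DHCP lease list rather than kept forever.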

I'm surprised no one here has mentioned wireless, which is like being on a hub, only more open. It's trivial to watch someone else's traffic if there's no encryption at the access point, and still fairly easy if it's weak encryption. And wireless is rather common.


... yes, a great point I was about to make - public WiFi - or even nominally private WiFi with no/WEP encryption - is a compelling reason for SSL ...


I'd like to point out that although there is little chance of data being intercepted during transit generally over the Internet

Very false. Packet sniffers, unscrupulous ISP employees and more monitor "pinch points" for unsecured data that might contain things to steal. Normal traffic isn't likely to be a target, but hosts, DCs and other likely points for CC details and things of that nature are often targeted and monitored. I'd also mention FTP details, that are often sent in plain text unless using SFTP. Spammers and phishers and so on love to gain FTP details. ;)

 

I'm surprised no one here has mentioned wireless, which is like being on a hub, only more open.

Same as with Cable internet. Technically, you're on a huge LAN, and anyone downstream of your AP can monitor packets if they know what they're doing

Heh, it's technically about SSL, which for all I care, could mean encrypting your porn stash using SSL.

As an FYI, SSL doesn't encrypt files, it encrypts connections between computers/servers. ;)

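The last few posts make the same point from different angles: on an open or WEP wireless segment, a cable segment, or a mirrored port, anyone listening sees application data exactly as the client sent it, and FTP, HTTP Basic auth and ordinary login forms all send the password in the clear. The script below is an added example (not code from the thread) of what such a listener extracts from reassembled client-to-server payloads, and of why a TLS stream yields nothing. The flows, host names and credentials are constructed for the example, not captures.

```python
"""
What a passive listener sees on an unencrypted segment.

Added example, not code from the thread. Pulls logins out of plaintext FTP
and HTTP streams and gets nothing from a TLS stream. SAMPLE_STREAMS is
constructed application-layer data with invented hosts and credentials.
"""
import base64
import re
from urllib.parse import parse_qsl

# Constructed sample flows: (flow description, reassembled client->server bytes).
SAMPLE_STREAMS = [
    ("10.0.0.5:51234 -> 203.0.113.7:21 (ftp)",
     b"USER webadmin\r\nPASS s3cret!\r\nPWD\r\n"),
    ("10.0.0.5:51235 -> 203.0.113.7:80 (http basic)",
     b"GET /client/admin/ HTTP/1.1\r\nHost: example.test\r\n"
     b"Authorization: Basic " + base64.b64encode(b"admin:hunter2") + b"\r\n\r\n"),
    ("10.0.0.5:51236 -> 203.0.113.7:80 (http form)",
     b"POST /client/login.php HTTP/1.1\r\nHost: example.test\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 32\r\n\r\n"
     b"username=client&password=letmein"),
    ("10.0.0.5:51237 -> 203.0.113.7:443 (tls)",
     # Leading bytes of a TLS ClientHello record; nothing readable follows.
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),
]

USER_FIELDS = ("username", "user", "email", "login")
PASS_FIELDS = ("password", "pass", "passwd")


def extract_credentials(payload):
    """Return [(protocol, user, password), ...] found in one client->server stream."""
    found = []
    # latin-1 maps every byte to one code point, so binary streams decode
    # without error and simply fail to match anything below.
    text = payload.decode("latin-1")

    # FTP sends USER and PASS as plain commands, one per line.
    user = re.search(r"^USER (\S+)\r?$", text, re.M)
    password = re.search(r"^PASS (\S+)\r?$", text, re.M)
    if user and password:
        found.append(("ftp", user.group(1), password.group(1)))

    # HTTP Basic is base64, which is an encoding, not encryption.
    for match in re.finditer(r"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", text, re.M):
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if ":" in decoded:
            name, secret = decoded.split(":", 1)
            found.append(("http-basic", name, secret))

    # HTML login forms post url-encoded fields in the request body.
    if text.startswith("POST ") and "\r\n\r\n" in text:
        body = text.split("\r\n\r\n", 1)[1]
        fields = dict(parse_qsl(body))
        name = next((fields[k] for k in USER_FIELDS if k in fields), None)
        secret = next((fields[k] for k in PASS_FIELDS if k in fields), None)
        if name and secret:
            found.append(("http-form", name, secret))
    return found


def harvest(streams):
    """Run extraction over every flow; returns [(flow, protocol, user, password), ...]."""
    results = []
    for flow, payload in streams:
        for protocol, name, secret in extract_credentials(payload):
            results.append((flow, protocol, name, secret))
    return results


if __name__ == "__main__":
    for flow, protocol, name, secret in harvest(SAMPLE_STREAMS):
        print(f"{flow}: {protocol} {name} / {secret}")
```

The TLS flow is the point of the exercise: the same listener sees only record headers and ciphertext, which is what the thread means by SSL encrypting the connection rather than any file. It does nothing for the database sitting behind the server, and it does not stop the poster's FTP login from crossing the wire in the clear unless that session is moved to SFTP or FTPS as well.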