To use or not to use SSL? Why use SSL always?

Question

The argument for using SSL is to prevent some malicious user who has gone through the pains of snooping your traffic being able to read your traffic. So while it may make se

Answer 1

General understanding has perhaps moved on over the past eight years. This site provides a good answer:

https://doesmysiteneedhttps.com/

Even when there is no 'sensitive' data transferred, SSL prevents page content injection.

Answer 2

The problem is that using, say, WPA2 only secures the connection between your computer and the router. There is a large piece of unsecured network between the router and the destination - that's the design of the internet. You don't know who is along the path and there could be any number of malicious (or just nosey) listeners out there. They may not even be in your jurisdiction so preventing eavesdropping may well be impossible.

SSL gives you an encrypted tunnel all the way to the other end.

If you're talking about a small company LAN where no traffic leaves the internal network then sure, don't bother with SSL if you don't want to. But if anything sensitive goes across the internet then you really want to use SSL to stop anyone seeing it. It's all about how important the information is.

One thing to be aware of is that many websites use cookies to remember login information. If those cookies go across the internet in the clear then it is fairly trivial to hijack the session - think FireSheep. Thus, you need to be very careful about what you consider to be "sensitive" information. Given that many business applications are moving to remote servers (I think the young'uns call it "the cloud") this is not a minor issue.

Long story short, use SSL if there is anything you don't want anyone else to see going across a network that is not entirely in your control.

Answer 3

SSL provides authentication and encryption.

It is somewhat difficult to MITM an unencrypted connection, but not so hard on the unencrypted wireless network you gave as an example. Any network that allows you to ARP spoof (many switched wired networks) allows you to MITM as well. But you're forgetting about every router along the way. Remember a few months back when a (hopefully) poorly configured router in China routed a significant, though small in relative terms, portion of Internet traffic? They could've seen your plaintext. So can other customers on a cable network, and so on.

But SSL also provides authentication. If I get the private key to a valid SSL cert from you, I'm damn confident that you are who you say you are - doubly so if it's a competent CA.

But the bigger concern is - you don't quite seem to understand SSL, so I'd advise you against making a decision one way or the other by yourself - at least until you read more. SSL does not require you to generate a new key every request, and in fact would not work if it did. Furthermore, any reasonably-recent computer can handle thousands of SSL requests simultaneously - the algorithms are very fast. Furthermore you can use encryption accelerators that offload the work to a dedicated piece of hardware.

If you think you might need to use SSL to secure some data, and often if you don't, there are almost no reasons to avoid it. Yes there is some expenditure involved but any data of consequence is worth the $300/yr.

EDIT I read your comment - this is a client app? The solution in your case is probably to use self-signed keys, and you can distribute the public key with the app. This allows you to encrypt and verify that you're talking to who you should be.

Answer 4

SSL should be used anywhere where you are communicating information that should not be public. It is a very dangerous assumption to believe that no-one is listening to traffic between your computer and the remote server.

All someone needs to do to snoop traffic is be on your network - they don't need admin access to your router. Without using SSL for sensitive communications, a single machine with a virus on a coworkers computer is all that is needed for stealing your identity.

The ISP also has access to all network traffic - how much do you trust their techies?

Dear User,

We've decided against encrypting our internet traffic because we just don't think it's important. We decided that it's really too hard to monitor internet traffic, so if anyone really is prepared to go to that effort, well they deserve all the data they can get their hands on. If you're using an old style of router, have corrupt IT staff and/or co-workers, or someone just doesn't like you and decides to steal your data, we accept no liability.

We advise against you telling anyone about our decision, as this will direct unwanted attention to our IP traffic.

Kindest Regards,

Good Enough Programming

Disclaimer: If you are a hacker and stumbled across this message while monitoring IP traffic, we politely point out that what you are doing is illegal, and request that you pretend you never saw it.

Answer 5

I don't think that every website needs SSL, if you do then use it, but there are cases where you want to be able to authenticate user without having to use SSL.

I've created (javascript->perl) single use random hash authentication for just this purpose.

http://www.furiousgryphon.com/jauthenticatedemo.html

https://github.com/thomasoeser/jAuthenticate

Answer 6

One of the things most people here are forgetting to address is what do you consider sensitive data? What one person considers boring useless data may be considered highly confidential by someone else, or vice versa. So what are you going to do? Use SSL on all the data to play it safe so that you don't get sued? Get real. Take a chat program for example. Most would agree that encrypting the username and password would be important, but what about the chat text itself? Most chat is mundane stuff and eliminating SSL will provide better performance. Personally, I would let the end user decide what is important and then provide SSL for only those types of information that they feel needs to be encrypted. That's what Google does with Gmail. You have the choice of using SSL or not.