Do I need SSL Cert for simple community site?

Question

I'm working on deploying a small community site. User registration requires nothing more than a username, email address, and password. I'm not even asking for a name, and certainly not storing any sensitive data.

Should I still invest in an SSL certificate? Would it be considered terrible practice to transmit a user's password without one?

This is just a personal project, so I'd like to avoid the extra cost if I could, but I can't help but feel I'd be irresponsible if I didn't secure everything properly.

Answer 1

I wouldn't bother with SSL for something like that.

Think about it... there are a million messageboards on the Internet and none of them use SSL.

Unless you are storing Credit Card numbers or other sensitive financial/personal information, I just don't think it's worth the cost.

Answer 2

As long as your users don't provide any credit card or other personal info, I wouldn't bother paying for a certificate either.

But if it was a social networking site, then I would consider getting one.

Answer 3

Possibly not helpful but some SSL providers are less expensive than others www.instantssl.com is comparatively inexpensive for example. Also some hosts allow you to use shared certificates, you could use these just for the log on process, although your domain won't be in the address bar at least the traffic will be encrypted,

Answer 4

SSL is probably overkill for this.

Encourage your users not to use passwords they use for storing their sensitive information, though! You might not store anything important, but if "kitty37' is also the key to their bank account, things can get bad..

This reminds me -- folks should check out the Perspectives project from CMU, which tries to address the problem of self-signed certificates being way too hard to use on the one hand, and "official" certificates getting potentially forged, on the other, by using a consensus monitoring service that keeps track of a large number of security certificates, and observes if they are changing, etc.

They have a Firefox extension, so it's dead easy to use (there is also an openSSH client). http://www.cs.cmu.edu/~perspectives/

Answer 5

I'd recommend getting an SSL certificate and requiring https any time users submit a password to your website. Though your users won't be transmitting any sensitive information, there's still one big reason for this: many people use the same username and password for every site they visit, and if someone's using a laptop in a coffee shop on open wireless, you should do everything in your power to keep them and their identity safe.

If cost is an issue, a good compromise is CACert. Their certificates aren't trusted by default in most browsers (yet), but anyone with a verifiable identity can get a certificate from them for free.

Answer 6

It would be a waste of your money to invest in a SSL certificate for a small community website. I believe that the time would be better spent in ensuring that the user registration and login pages are easy to access and understand, allowing the user ample time and space to see whether they'll stay logged in. If you always set parameters like this to no then this example would not be an issue.

If we were dealing with a large website then perhaps it would be a good idea to get one. Have you considered using OpenID as a means for users logging in? It seems to work reasonably well for this website, so why not implement it on your own?

Answer 7

So long as you don't mind one person being able to impersonate another, or sniff data en-route, then you don't need SSL.

You can try to create a site as secure as possible without SSL. However, this is very dangerous if you don't know EXACTLY what the ramifications are, and what will be exposed, and how to protect it without SSL. In some cases, real protection may not even be possible.

Also, remember people often use one password for multiple accounts. This means many of the passwords in your database will be the same as the users bank, email, network, etc.

If you let people store a password with you, you must take responsibility for protecting it, even if the security of your own site isn't critical.

I would recommend spending the $20 for a godaddy cert, just to be sure. Also, be sure you read up on session security and secure authentication methods.

Answer 8

The SSl part is probably overkill, and worse it becomes a real temptation to "cargo cult security" --- where you do something that sounds like security but doesn't really add to anything.

You'd be better off thinking about how to make sure you're building a hardened site, and maintaining your security patches up to date.

Oh, and one thing: warm users they aren't using secure passwords, so they don't use their favorite "joe" password they use on all their banking sites.

Answer 9

If you're just looking to identify a user, why not allow OpenID like stackoverflow does? ;) http://openid.net/

Answer 10

Thanks for your replies. I think I was convinced that spending a little money to protect people's passwords is worth it.

I did think about using OpenID. Probably won't be part of the initial release, but I may add support for it later. I would question how well my audience would understand the concept of OpenID. I think it works well for SO because of the nature of the audience. I have a hard time asking the general population to summon the enthusiasm to get an OpenID just to use what will probably be a very modest site.