Wot, No SSL?

08-Feb-2010

At the day job, a worrying number of clients (worrying to me at least) are asking us to deploy their websites "sans SSL".

I know that in some cases the client doesn't have access to any email addresses at their website's domain, so configuring SSL is very difficult. In other cases their site is a microsite with such a short lifespan that security isn't a high priority - easier instead to simply disable access to the CMS. And some clients are simply too stingy to cough up the small amount of money required for an SSL certificate.

It's left me wondering whether one of the reasons for the low uptake of SSL is that we're not explaining it well enough. In an attempt to rectify this situation I wrote a blog post on our company website - an excerpt of which is included below:


If a website doesn't use SSL it sends and receives information in plain text - including usernames, passwords, and even financial information (in the case of an ecommerce website). This information can be easily intercepted by those with malicious intent. This is a particular problem when you are connecting to a website using an untrusted network connection, such as public WiFi or an internet cafe. But bear in mind that your data travels along a huge number of servers, routers, and hubs on its journey between your computer and a website - sending this information without SSL encryption is like writing your details on the back of a postcard and popping it in a post box.


(read the full article here: What is SSL, and does my website need it?)

Hopefully I've struck the correct balance between grave warning and factual information. It can be difficult, because clearly many websites don't use SSL and never get hacked. But it's like wearing a seatbelt - for 99.99% of your journeys you'll never need it, but when you do you'll be damn glad you're wearing one *.

There are so many ways a website can be hacked, cracked, broken and pillaged that it seems crazy to me that website owners would choose to ignore this simple yet hugely effective method of security. The main reason for building a website (among our clients at least) is to promote brand identity - surely protecting the brand is worth a few quid each year?

* Stretching the seatbelt analogy further - seatbelts don't always prevent injury and death. Likewise SSL isn't a silver bullet for website security. Certainly helps though.