Ask HN: what sites should use ssl?
I'm was thinking that I would need to get an SSL certificate, but I've just noticed that Facebook doesn't encrypt data over https, so I'm wondering if I need to bother.
I'm transfering info like e-mail address for the users login, and all that is encrypted in my db, so should I also be encrypting it over the wire?
-------additional-------------
So the first to responses were basically 'yes, do it', but 1) why wouldn't a major company like facebook do it, and the start.yourdomain.com from google doesn't do it either, and that has all your email and stuff in it?
2)if I do decide to do it, is there a specific source I should get my certificate from? is there another way to encrypt? as I'm bootstrapping along, should I really be paying a few hundred dollars for this?
9 comments
[ 5.0 ms ] story [ 33.4 ms ] threadYou don't need to pay a few hundred dollars for an SSL certificate, unless you need a wildcard. Go with a cheap reputable Certificate Authority and start this out right.
Facebook does support ssl (https://facebook.com) but the problem is that they don't forwards regular http login to it.
Unless you need a wildcard domain, which you shouldn't, until you have to scale, it shouldn't cost you more than like $20 US for the cert.
You log on to your site via an open wireless network at your local coffee shop. Anything that you aren't SSL encrypting is being sniffed and read by the shady looking dude with the laptop and latte over in the corner. What don't you want him to see? SSL encrypt that.
For my sites, this generally means any page where a password is entered. You might want to take it a step further and protect private profile pages or anything like that, but at a minimum, authentication should be encrypted over the wire.
You might say "Well yeah, but I run a site where people post pictures of their morning poo, who cares if they get hacked?" - that's fine, but people have a horrible tendancy to use the same email and password all over the place. When Joe logs in to PostMyPoo with joe@gmail.com/hunter2, chances are Shady Latte Guy is going to pop over to gmail, punch in those credentials, and the vast majority of the time, he's in to Joe's account. He can now go through Joe's email to see what else Joe is signed up for, try his existing credentials, or issue password reset requests to get into anything else he wants. Suddenly, Joe has a data/identity security nightmare on his hands, and you bear some measure of responsibility for that.
By itself, a leak of information may appear trivial, but piece together a few bits of info and mix in some social engineering, and you could have enough to do naughty things! Yes, users should use different passwords, but you should be the one who does the right thing and takes the responsibility for them, to prevent that exponential spread of consequences. It's more than just "This cert cost me x", it's "If I spend x, I save y people from losing z of time and money." where x<y<z.
StartSSL offer well priced certificates - from free, up to ~USD150, and they are well reviewed here: http://www.sslshopper.com/startcom-certificate-authority-rev...