Aug 16, 2011

How secure is SSL? Is it worth the cost and the hassle?

Our CEO wants us to add HTTPS:// to every public-facing webpage. To do so, we'll need to install SSL certificates on our site. I think it's not a bad idea, but how secure are SSL certificates? Is it worth the hassle or cost in time and money to set this up?


Setting up security certificates is certainly not very painstaking in Server 2008/R2. The only issue I have a concern with is that the certificate authorities themselves do not have any way to verify that banks and online ordering systems are handling SSL in a proper manner. Web browsers do not necessarily require SSL on many sites, and it's relatively easy for DNS hackers to fake a Visa website to steal customer information.


The value of SSL can be judged by how important your customers think it is for orders to be secure (very) and whether not having it leads to fewer sales and less customer data capture. Since your boss requires it, I'd go ahead and do it, but be warned -- SSL is easily hacked, and in December 2008 and March 2011, two top-tier SSL certificate providers were hacked (VeriSign & Comodo). If the SSL certificate authorities cannot keep their own sites secure, it's difficult to believe that SSL is a secure technology that people should bother using.
