24

I see a lot of posts all over the web asking whether or not they should be using SSL to secure their website, or if it's really necessary to do so when the content of their site does not contain or request sensitive data.

Let's make the assumption here that the cost of the certificate is not the issue, considering it's not extremely expensive to get an SSL certificate. Why would you even want to host a page that isn't secured with SSL? Most all web servers support SSL out of the box, and it's usually quite simple to get it setup (especially with IIS.)

Robert Petz
  • 351
  • 1
  • 2
  • 6
  • I would dispute your statement about certificates not being expensive. Certificates can get quite expansive, e.g. when you care about the CA and/or EV. Yes, there are services, which are relatively cheap or even offer them for free, but this might not be everybody's taste. – Karol Babioch Mar 25 '14 at 00:46
  • @KarolBabioch I do agree that 'expensive' is relative, but as GoDaddy (a reputable CA) is around $70 to $270 - even at the high end I wouldn't consider that 'expensive' – Robert Petz Mar 25 '14 at 03:23

5 Answers5

39

There are a number of reasons not to use SSL, none of which being a good reason in itself, but cumulatively they can explain a lot of things.

The main reason not to use SSL is an effect of the strongest force in the Universe, i.e. laziness. However easy setting up SSL is, not setting it up will still be easier. This alone explains why so many sites still use HTTP only, not HTTPS. A great many sites can get away with it, and not being attacked, because there just are not enough attackers around to attack every site, by a long shot (and attackers are no less lazy than everybody else).

Among other reasons, one can cite the following:

  • Hosting several HTTPS Web sites with distinct names on the same IP address has long been difficult, especially when the various sites don't know each other (either the server uses a certificate with all the names, but this can result in apparent and unfortunate associations, or the server relies on SNI, which does not work with Internet Explorer on WinXP).

  • SSL prevents some types of caching, in particular the transparent proxying that some ISP are quite fond of. This implies extra bandwidth requirements for the server (hard data on the increase is difficult to come by, and depends on the site type; for instance, a Web-mail interface like Gmail would be unlikely to benefit from heavy caching anyway, contrary to a picture-heavy site).

  • In (much) older days, HTTPS Web sites were not indexed as thoroughly as non-SSL sites, resulting in a widespread idea that you get better indexing by shunning SSL (that one has been wrong for quite some time now, but old ideas are hard to eradicate).

  • Some people still have the feeling that SSL implies a heavy computational cost (that one isn't correct either, but still common).

  • As an ironic twist, some people fear that using SSL would project the impression that they do care about security, thus increasing the reputation backlash if (when) they get hacked. The idea being that if you never claim or let it believe that you ever gave any attention to the concept of security, then maybe people will be more indulgent when they discover how much indeed you disregard it.

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
  • I totally agree with you that laziness is definitely a reason that people tend to veer away from SSL, but it's still not a reason not to use it. As for your first point, wildcard certs can alleviate this issue, but if you aren't using subdomains I can definitely see the cost of the cert going up with multiple sites. That being said, hosting multiple sites with different hostnames on the same server is not difficult at all on IIS (I haven't done this on apache or tomcat personally, so I can't speak as to the ease on those platforms)...Caching is an interesting point though! – Robert Petz Mar 24 '14 at 23:11
  • btw, I'm not trying to prove your points wrong - they are accurate - just a discussion =) – Robert Petz Mar 24 '14 at 23:13
  • +1 for laziness on the part of both admins and attackers. – Navin Mar 25 '14 at 00:43
  • 1
    Regarding computational cost: However cheap SSL gets, not-SSL is always cheaper. Much like the laziness argument. – user253751 Mar 25 '14 at 09:26
  • @immibis: note, though, that people are a lot less lazy when the work is to be done by somebody else. Laziness is about avoiding _configuration_ costs, i.e. actions by human administrators; SSL cost is about work done _by the machine_ and the machine does not get to refuse to do work when instructed to. – Thomas Pornin Mar 25 '14 at 15:42
9

In addition to what Thomas said, straightforward practical reasons:

  • for smaller services, cheap hosting which doesn't give you direct access to configure your server with certs (or indeed provide the unique IP address you'd need to do SSL up until the day we can really rely on SNI)

  • you need to include third-party content (iframes, scripts etc) which isn't itself available through HTTPS, without triggering ugly browser warnings.

bobince
  • 12,534
  • 1
  • 27
  • 42
  • third-party hosted content is definitely a hard spot for SSL - good point – Robert Petz Mar 24 '14 at 23:12
  • Nick Craver's [blog post](http://nickcraver.com/blog/2013/04/23/stackoverflow-com-the-road-to-ssl/) about transitioning to SSL on Stack Exchange gives an idea of how difficult that second point is. Thomas' first point is also addressed there. – Jonathan Garber Mar 25 '14 at 13:53
3

Why should one not use SSL?

I do not believe that is a correct question.

When and under what conditions would you get away without using SSL would be a better one.

  • when you got a static page with no privileged access requiring pages or no web authentication types.

Other than that, It would be good to have SSL on board.

Hosting multiple SSL certificates on a single IP address with SNI is not difficult, a bit costly though.

thephoenix
  • 41
  • 3
2

If you monetize your website using google adsense, you may earn less money on https pages.

Google removes

non-SSL compliant ads from the auction, thereby reducing auction pressure, so ads on your HTTPS pages might earn less than those on your HTTP pages.

https://support.google.com/adsense/answer/10528?hl=en

TryHarder
  • 121
  • 3
1

Arguments against SSL would typically address performance or configuration concerns or issues integrating with third party services that may result in warnings which scare away users. It may be appropriate for some websites which are brochure-like and where the user does not submit any information.

On the flip side, even if you have a static brochure website, using TLS and real certificates helps communicate to your visitors your content is legit and has integrity. Imagine a purely brochure-like political website, if the attacker can do some type of MitM attack and change the content it doesn't hurt the visitor, but sure does hurt you.

In general, unless there is some odd configuration or performance requirements it's always nice to implement SSL/TLS. The risk (attack or reputational) may not be enough to justify it. Also, it may be difficult on some shared hosting environments.

Eric G
  • 9,701
  • 4
  • 31
  • 59
  • (note: I totally get that you are playing devils advocate and in reality you agree that SSL is a good thing)...MITM attacks are definitely a concern but one that should probably be approached from the 'we need to prevent this' aspect rather than the 'we need to not use a form a security that has this exploit' aspect – Robert Petz Mar 24 '14 at 23:07