Ask HN: Does my webapp really need a SSL certificate?

3 pointsgilaniali15y ago4 comments

My webapp requires payment which is handled through Paypal. The user clicks on a button on my website, gets redirected to Paypal and makes the payment there.

Paypal then notifies my webapp and redirects the user. In this scenario, do I really need to get an SSL certificate from vendors such as godaddy or verisign?

4 comments

ithkuil15y ago

A certificate is needed basically for two reasons:

1. the user has to verify that the site is actually run by you and not by somebody spoofing your site. Somebody could make the user believe he's clicking on your's sites "pay" button, and instead he's sent to a fake paypal site, or a real paypal site with a similar account.

2. once the browser knows that you are you, it can securely encrypt che connection. This is useful if your webapp also requires password login etc.

Note that encryption is also possible without a trusted certificate (i.e. verified by the 'certificate authority' mafia^H^H^H^H), but at this point, albeit almost impossible to decypher once established, it remains vulnerable to the 'man-in-the-middle' attack, intercepting the key exchange with your site, or simply a spoofing as described in point (1).

EDIT: when I said "the browser knows that you are you", by "you" I mean "you" the server, the webapp

gilanialiOP15y ago

So then will a self-signed certificate work or do I have to use one from a vendor such as godaddy?

ithkuil15y ago

self-signed certificate will just make your user furious, because recent browsers display very annoying alerts (especially firefox).

self-signed certificate will allow you to encrypt, but it's not secure.

Unfortunately you are bound to get a certificate from "vendors" that ship bundled with the major browsers (if godaddy sells you a certificate then it's ok).

Anyway, just a link for an utopic world http://www.cacert.org/. I don't know if something like cacert would work in the real world, but certificates are about trust, not about money.

singer15y ago

gilaniali, to answer your question, you do not need an SSL certificate to protect your PayPal checkout process. The security is all handled on their end. Sure, you could get an SSL certificate, but it seems like a waste of money to me.

j / k navigate · click thread line to collapse

4 comments

ithkuil15y ago

A certificate is needed basically for two reasons:

2. once the browser knows that you are you, it can securely encrypt che connection. This is useful if your webapp also requires password login etc.

EDIT: when I said "the browser knows that you are you", by "you" I mean "you" the server, the webapp

gilanialiOP15y ago

So then will a self-signed certificate work or do I have to use one from a vendor such as godaddy?

ithkuil15y ago

self-signed certificate will just make your user furious, because recent browsers display very annoying alerts (especially firefox).

self-signed certificate will allow you to encrypt, but it's not secure.

Unfortunately you are bound to get a certificate from "vendors" that ship bundled with the major browsers (if godaddy sells you a certificate then it's ok).

Anyway, just a link for an utopic world http://www.cacert.org/. I don't know if something like cacert would work in the real world, but certificates are about trust, not about money.

singer15y ago

j / k navigate · click thread line to collapse