Security and SSL

[rupertvz]

Hi Guys,

If I don't use SSL for my site, how safe is the data integrity on my site?
We don't accept any credit cards and don't handle highly confidential information.

I realize that this question is relative.

However, some information re hacking possibilities may help us decide whether we should consider implementing SSL.

[Flint G]

Rupert,

SSL has less to do with how hackable your site is and more to do with how easily someone else on the network/web can look at the data going back and forth.  The two are *almost* exclusive of each other.

If you're not concerned with the actual data being compromised either by sniffing or alteration, then there is no reason to add the complexity and overhead of SSL.  If you're concerned with how easy it would be for someone to hack your web server and cause problems, you should look closer at how you handle user input, especially when you're databases are in SQL.

You can look online to find books (lots of books) about hacking and how to test your app for common vulnerabilities if you really want to get serious about it.  You'll also be able to learn why I said "almost exclusive," above.  A good book will probably cost you between $50-$80.

Just my two bits.

Regards,
Flint

[rupertvz]

Thanks so much Flint, this is the type of information I was looking for.
I am using mostly TPS data files at this time, so I guess, using TPS even more so lower the risk of hacking our database / web.

[kevin plummer]

If your site requires someone to login with a username and password then it should be running as a SSL. It's relatively easy otherwise for someone to obtain these details and then log in as that user and do whatever that user can do - delete, add, change records etc

[Bruce]

As Kevin says, if your app has a login then the right question to be asking is "why not SSL?".

There are cases where SSL would be overkill (forum sites like this one for example) but if the data is important in anyway SSL should be the connection of choice.

cheers
Bruce