Hacker News new | ask | show | jobs
Ask HN: Does my webapp really need a SSL certificate?
3 points by gilaniali 5715 days ago
My webapp requires payment which is handled through Paypal. The user clicks on a button on my website, gets redirected to Paypal and makes the payment there.

Paypal then notifies my webapp and redirects the user. In this scenario, do I really need to get an SSL certificate from vendors such as godaddy or verisign?
2 comments
ithkuil 5715 days ago
A certificate is needed basically for two reasons:

1. the user has to verify that the site is actually run by you and not by somebody spoofing your site. Somebody could make the user believe he's clicking on your's sites "pay" button, and instead he's sent to a fake paypal site, or a real paypal site with a similar account.

2. once the browser knows that you are you, it can securely encrypt che connection. This is useful if your webapp also requires password login etc.

Note that encryption is also possible without a trusted certificate (i.e. verified by the 'certificate authority' mafia^H^H^H^H), but at this point, albeit almost impossible to decypher once established, it remains vulnerable to the 'man-in-the-middle' attack, intercepting the key exchange with your site, or simply a spoofing as described in point (1).

EDIT: when I said "the browser knows that you are you", by "you" I mean "you" the server, the webapp

link
gilaniali 5715 days ago
So then will a self-signed certificate work or do I have to use one from a vendor such as godaddy?
link
ithkuil 5715 days ago
self-signed certificate will just make your user furious, because recent browsers display very annoying alerts (especially firefox).

self-signed certificate will allow you to encrypt, but it's not secure.

Unfortunately you are bound to get a certificate from "vendors" that ship bundled with the major browsers (if godaddy sells you a certificate then it's ok).

Anyway, just a link for an utopic world http://www.cacert.org/. I don't know if something like cacert would work in the real world, but certificates are about trust, not about money.

link
singer 5715 days ago
gilaniali, to answer your question, you do not need an SSL certificate to protect your PayPal checkout process. The security is all handled on their end. Sure, you could get an SSL certificate, but it seems like a waste of money to me.
link