

Ask HN: Does my webapp really need a SSL certificate? - gilaniali

My webapp requires payment which is handled through Paypal. The user clicks on a button on my website, gets redirected to Paypal and makes the payment there.<p>Paypal then notifies my webapp and redirects the user. In this scenario, do I really need to get an SSL certificate from vendors such as godaddy or verisign?
======
ithkuil
A certificate is needed basically for two reasons:

1\. the user has to verify that the site is actually run by you and not by
somebody spoofing your site. Somebody could make the user believe he's
clicking on your's sites "pay" button, and instead he's sent to a fake paypal
site, or a real paypal site with a similar account.

2\. once the browser knows that you are you, it can securely encrypt che
connection. This is useful if your webapp also requires password login etc.

Note that encryption is also possible without a trusted certificate (i.e.
verified by the 'certificate authority' mafia^H^H^H^H), but at this point,
albeit almost impossible to decypher once established, it remains vulnerable
to the 'man-in-the-middle' attack, intercepting the key exchange with your
site, or simply a spoofing as described in point (1).

EDIT: when I said "the browser knows that you are you", by "you" I mean "you"
the server, the webapp

~~~
gilaniali
So then will a self-signed certificate work or do I have to use one from a
vendor such as godaddy?

~~~
ithkuil
self-signed certificate will just make your user furious, because recent
browsers display very annoying alerts (especially firefox).

self-signed certificate will allow you to encrypt, but it's not secure.

Unfortunately you are bound to get a certificate from "vendors" that ship
bundled with the major browsers (if godaddy sells you a certificate then it's
ok).

Anyway, just a link for an utopic world <http://www.cacert.org/>. I don't know
if something like cacert would work in the real world, but certificates are
about trust, not about money.

------
singer
gilaniali, to answer your question, you do not need an SSL certificate to
protect your PayPal checkout process. The security is all handled on their
end. Sure, you could get an SSL certificate, but it seems like a waste of
money to me.

