Should you enable SSL on your website? Yes, you should. Look at that! I just saved you the time of reading the full post. Years ago, there would have been a checklist of reasons for or against enabling SSL. Now there's no need for that list. The answer is yes and you don't even need to skip to after the fold if you don't want to. Every website should be accessible with that little 's' in https, have a green padlock and bask in the glory of some additional security. Better yet, https should be the only way to access your site.
If you do read on though, you'll get a good explanation on what SSL is for, why you should enable it and why things have changed since that non-existent post I could have made long ago.
The reasons for having the green padlock on your site is often confused. After responding in our forums to a JFBConnect user about what SSL is actually for, we realized that many people don't fully understand the https in their browser. It's understandable; it's a techy type issue, especially if you're trying to implement it on your website. Let's get started on clarifying things.
SSL definitely has something to do with security, but what? With all the news about Edward Snowden, government monitoring, the ever present 'hackers' and other things going on, it's important to understand what SSL is for and what it does not do.
When you visit a website, your browser sends lots of information between your computer and the server hosting the website. The URL is obvious, that's how the server knows which page to display for you. Beyond that, there are cookies, headers and POST data that may also be sent. Using SSL helps to encrypt all of this data as it's sent from your browser to the server. Once it's on the server, the data is unencrypted so that the server can understand the data you sent.
This 'on the wire' encryption between your computer and the server is important because it prevents 'bad' people from snooping in on the conversation your computer is having. SSL prevents intercepting that data. Whoever may be snooping on your connection can see that you visited a specific website, but they can't tell which pages you went to, anything about your session or any information you've put into the website.
Let's take each of the bits and pieces I mentioned you transmit to a site above and describe how SSL prevents it from being read:
The domain that you're connecting to is sent 'in the clear', meaning that anyone can see the websites you are visiting. The path to a specific page would be encrypted. So, someone may know you're visiting WebMD a lot, but they wouldn't be able to tell that you're going to /why-are-my-fingers-turning-green. Depending on your medical issues, political interests or personal interests, the path to a specific page on a website can tell volumes about you. Visiting a website with SSL ensures that the specific pages on a site you visit can't be determined.
Cookies can be used for everything. Much of it is used to identify you to the website you're visiting so that they can tailor content to you. Specifically, the Joomla's session cookie is a very valuable piece of information. If someone captures this value, they can insert it into their browser and will appear as you when they visit the site, possibly giving them full admin access.
Unlikely? Back in 2010, Firesheep was released which automated the process for your coffehouse patrons to steal everyone's session token on the network for Facebook and Twitter with a nice graphical interface.
SSL has been required on Facebook, Twitter and most other social networkds for the last few years to prevent these kind of attacks due to how easily they can be performed.
Logging into a website with your username and password? Transferring money from one bank account to another? Posting to a forum thread about some very sensitive topic? All the information you add to a form and click "Submit" on is contained in POST data sent to the server. If that's being sent to a non-https website, the data is wide open for anyone to read as it heads to the server.
The data communicated between your browser and server is encrypted with SSL. Once your communication arrives at the server, it's decrypted for the server to use as necessary. Information about you stored in the site's database, written to log files or cached on the server is not necessarily still encrypted. If that website gets hacked, then all the data that was encrypted when it was sent to the site could be free for the taking.
For this reason, Joomla stores passwords in an encrypted form. Banks have PCI Compliance tests, which ensure that credit card data and other personally identifiable information is encrypted as well. This 'at rest' data on a server is not affected by SSL in any way. Anything sensitive you do on a site, you have to hope, is being protected as well.
Even though many sites now use SSL by default, taking a look at the Have I Been Pwned website will give examples of hundreds of millions of compromised account data that has been taken from the databases of major websites. SSL is big part of the battle, but not the whole solution.
Long ago, SSL added to the overhead of loading a website. Now, it essentially doesn't. Processors are built to do encryption on the fly and super fast, so there's virtually no performance impact.
Installing an SSL certificate used to be a horrendhous process. Some hosts still make it intentionally hard or want to charge you huge yearly fees to use their own certificates. Long ago, we created a full guide on how to get and install an SSL certificate for less than $20 per year. That guide is still useful if you need to install your own SSL certificate. Things have become even easier since then though with tools like Cloudflare offering a content-delivery network, firewall and SSL for your site for free.
Having the green padlock will make your site more secure. It does give a slight improvement in search engine rankings. It will definitely make your site look better to many visitors who have come to expect SSL enabled.
SSL does not mean you can forget about security altogether. Keep Joomla up to date. Keep your extensions up to date. Make sure your host keeps Apache, PHP, firewalls and other bits and pieces of your server up to date. SSL is a big piece of the security puzzle, but it's still just a piece.
Hopefully the above is clear on why you need SSL, how it's not hard to implement and how it will only provide positive benefits to your site. If you're unsure of something or think we've missed a valuable point, please post in the comments below.
