Reputation: 804
I'm developing a web site for a broker (JSF 2 + RichFaces + Oracle 10g), and I wanted to have your opinion concerning HTTPS (because I think it's not necessary in my case, since the user won't give any important details).
So:
Is it necessary to use SSL in my case?
Upvotes: 1
Views: 109
Reputation: 120997
Yes, it sure sounds like it. Authentication usually involves sending a username/password combination to the server. That should never be done in clear text, so that requirement alone would make SSL a good idea. Furthermore, buying and selling stocks sounds like something that you would want to do in a secure manner.
I don't even understand what your concern is. Having an SSL-protected website does not mean that you have to write a single line of code. It's just a question of buying an SSL certificate and configuring your web server.
Upvotes: 7
Reputation: 53516
There is no "good" way to get authentication tokens securely (in your case passwords) without using HTTPS or a one-time-password system.
In any case, I would sure want this type of access to be HTTPS-secured, else I might not trust it.
Upvotes: 0
Reputation: 181
If the user is passing anything sensitive (and I'd say the number for a stock trading account is hugely sensitive) then HTTPS is crucial, in my opinion.
The way I'm seeing what you described, you have a user identifying himself/herself, and then you're passing basically all the info about his/her account over the web. Definitely secure that as much as possible.
Upvotes: 0
Reputation: 61467
I think it is necessary indeed, as it involves real money. Even if the user doesn't give away any details, there still can be man-in-the-middle attacks between the user and your server, which would enable anybody to gain access to the server with his credentials.
If it doesn't involve real money (it's not clearly written out), then you won't necessarily need it.
Upvotes: 1