MarkW

Reputation: 154

Is SSL required for a website if the data is actually passed securely to the server?

I have a fairly basic query that I hope somebody can help with. A website www.example.com presents a form to the user which collects a bunch of personal data, e.g. name, email, telephone.

The full URL is http://www.example.com/

On submit the form's data is collected via JavaScript, POSTed via an AJAX call to www.example.com/process.php and passed to the server via a secure API call using a curl request.

The full URL provided in the curl request is https://api.mysecuresite.com/

Do I need to provide an SSL certificate for www.example.com?

Upvotes: 0

Views: 53

Answers (1)

Quentin

Reputation: 944054

Yes.

The data could be intercepted between the browser and http://www.example.com/process.php.

(Consider an analogy: You take a large amount of cash out of the bank, hold it up in the air and walk two blocks down the street. Then you put the cash in an armored van. Is this a safe way to handle the cash?)

Also: A man-in-the-middle attack could inject a script into http://www.example.com before it gets put into the HTTP request to http://www.example.com/process.php. This could also intercept the data even if you were making the Ajax request directly to https://api.mysecuresite.com/.

Additionally, users will be informed that http://www.example.com is insecure, which will (correctly) discourage them from trusting any assurances you make that their data is safe.

Upvotes: 2
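
The hops described in the answer above, checked one by one, as an added example that is not part of the question or the answer. The function and field names are hypothetical, and the relative AJAX target `process.php` is an assumption about how the form's script addresses the handler.

```javascript
// Added example: report which hops of the form submission are unprotected.
// URLs are those from the question; all names here are hypothetical.

const encrypted = (url) => url.protocol === "https:";

function auditSubmissionPath(pageUrl, ajaxTarget, backendUrl = null) {
  const page = new URL(pageUrl);
  // A relative AJAX target inherits the scheme and host of the page.
  const ajax = new URL(ajaxTarget, page);
  const findings = [];

  if (!encrypted(page)) {
    // Applies even when every later hop is HTTPS: the form's JavaScript
    // arrives unauthenticated, so it can be altered before it runs.
    findings.push({ hop: "page delivery", url: page.href,
      issue: "form and scripts can be modified in transit" });
  }
  if (!encrypted(ajax)) {
    findings.push({ hop: "browser to form handler", url: ajax.href,
      issue: "submitted fields cross the network in plaintext" });
  }
  if (backendUrl !== null && !encrypted(new URL(backendUrl))) {
    findings.push({ hop: "form handler to API", url: new URL(backendUrl).href,
      issue: "server-side request is in plaintext" });
  }
  return findings;
}

// The setup from the question (relative "process.php" is an assumption).
const asAsked = auditSubmissionPath(
  "http://www.example.com/", "process.php", "https://api.mysecuresite.com/");

// Posting straight to the HTTPS API from a page still served over HTTP.
const directToApi = auditSubmissionPath(
  "http://www.example.com/", "https://api.mysecuresite.com/");

// Same flow once www.example.com is served with a certificate.
const fixed = auditSubmissionPath(
  "https://www.example.com/", "process.php", "https://api.mysecuresite.com/");

for (const f of asAsked) console.log(`${f.hop}: ${f.url} -> ${f.issue}`);
```

The secure curl call only covers the last hop; the first two findings disappear only when the page itself is served over HTTPS.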
