
We are currently developing a web application which involves map APIs. Most of the map API providers don't provide any SSL support (e.g. Yahoo! doesn't). What will be the security impact of using map APIs without SSL?

I am integrating the map API in one of my web pages. Is it safe to implement a website without an SSL certificate? What will be the effects/impacts in terms of security?

In real life I have seen many sites without SSL/HTTPS (e.g. Stack Exchange), but as they are big concerns they might have a separate team to secure their network. As my company is small, we need to analyse the impacts of using web APIs without SSL support. Kindly guide me on the impacts of it.

Gilles 'SO- stop being evil'
BlueBerry - Vignesh4303

1 Answer


All things being equal, SSL doesn't directly impact the security of your server. SSL is not a protection layer around your server. It's a protection layer around the communication between the server and the client.

If your application needs to authenticate with the map APIs, then the lack of SSL exposes the authentication credentials to eavesdroppers between your application and the map provider.

The lack of SSL also means that you can't be sure that the data you're receiving from the API providers is genuine. An active attacker (man-in-the-middle) can substitute the data in transit or impersonate the map provider altogether.

If the data is going from the map providers to your server, then in practice, this is not a major concern: only backbone ISPs can attack in this scenario. The entities that are in a position to intercept communications between datacenters are also in a position to plant spies directly inside datacenters and service providers.

If the data is going directly between your application's clients and the map providers, this significantly increases the exposure due to the lack of SSL. Desktop users are frequently in a position where their traffic can be intercepted by anyone nearby (wifi), by an employer, school, hotspot provider, etc. Offering at least the ability to use SSL would be strongly recommended.

Regardless of whether the map data providers support SSL, you should support SSL for the communication between your servers and your clients. Certificates are cheap, and HTTPS is easy to set up for most applications.

Gilles 'SO- stop being evil'
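
An added example, not part of the answer above: a Python check that lists the resources a page makes visitors' browsers fetch over plain HTTP, which is the client-to-provider case the answer describes. The host names, the sample HTML and the "active"/"passive" labels are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, label). "active" content can change the page itself if
# substituted in transit; "passive" content (e.g. map tiles) can be read or swapped.
RESOURCES = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "link": ("href", "active"),  # counted only when rel includes "stylesheet"
    "img": ("src", "passive"),
}

class PlaintextAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in RESOURCES:
            return  # plain links (<a href>) are navigation, not loaded resources
        attr, label = RESOURCES[tag]
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower().split():
            return
        value = (a.get(attr) or "").strip()
        # Resolve relative and protocol-relative ("//host/...") URLs the way a
        # browser would, against the URL the page itself is served from.
        url = urljoin(self.page_url, value)
        if value and urlsplit(url).scheme == "http":
            self.findings.append((label, tag, url))

def audit(page_url, html):
    """Return sorted (label, tag, url) tuples for resources fetched over HTTP."""
    parser = PlaintextAudit(page_url)
    parser.feed(html)
    return sorted(parser.findings)

# Constructed sample page; all hosts and the appid value are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://maps.example/api.js?appid=PLACEHOLDER"></script>
<script src="//cdn.example/lib.js"></script>
</head><body>
<img src="http://tiles.example/3/4/2.png">
<a href="http://maps.example/help">help</a>
</body></html>"""
```

Calling `audit("https://app.example/map", SAMPLE)` reports the map script and the tile image; calling it with an `http://` page URL also reports the stylesheet and the protocol-relative script, since those inherit the page's scheme.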