5

So I was reading some comments on a popular forum about SSL encryption and how some websites pass their login form data as plaintext and don't use SSL or TLS. I understand that using an encryption method allows data to pass to the server securely and stops a 3rd party from eavesdropping, and then allows decryption on the server-side.

But lets say there isn't a 3rd party sniffing the packets - is there any benefits to using SSL in that case? Or is SSL's sole purpose to encrypt packets to stop sniffers?

Thanks in advance.

BubbleMonster
  • 267
  • 3
  • 7

3 Answers3

16

Well, yes, if you live in the Care Bears Wonderland then nothing bad can happen. Unfortunately, in what is colloquially and pompously known as the Real World™, there are Bad People. Evildoers. Wicked individuals who like to spy and eavesdrop and alter the nice data packets.

SSL (now known as TLS) applies encryption to prevent spying, integrity checks to reliably detect alterations, and authentication to prevent impersonation. The encryption part is only against spying.

If all your data is public, then you don't really need encryption, but you may still want the other characteristics of SSL, so that users know that they are connecting to the genuine site, and that the pages and documents they obtain from the site have not been altered in transit.

Community
  • 1
Tom Leek
  • 168,808
  • 28
  • 337
  • 475
6

Well, SSL/TLS or encryption in general is a lot about protecting sensitive data or authenticity of this data. If you don't have any sensitive data to protect because it's i.e. anyway public information then you don't need encryption at all.

Encryption adds a layer of additional complexity and has a potentially negative impact on performance. So if you don't need it, you just should not use it - it's very simple.

Edit: On the internet there is always potentially a sniffing 3rd party, by concept.

binaryanomaly
  • 1,291
  • 3
  • 13
  • 21
  • 4
    Even with public information, the possibility of someone altering the packets to introduce incorrect information can be a threat. – Brilliand May 02 '14 at 20:17
  • Theoretically there's always everywhere an attack vector. But practically speaking the opportunity costs of encryption (complexity, performance) are still high enough to only apply it when it's really needed and beneficial. Stackexchange for example is plain http by default... – binaryanomaly May 02 '14 at 20:30
  • About sensitive data, though: sites with persistent user sessions (like Facebook or Stack Overflow or anywhere you log in) are vulnerable to cookie hijacking attacks à la Firesheep if the channel is not secured with HTTPS, so that a hijacker can impersonate other users on e.g. the same open cafe Wifi connection. This blog post expands on that a little, using the specific case of Stack Overflow as an example: http://www.troyhunt.com/2012/08/is-stack-overflow-secure-kind-of.html – Tim Smith May 03 '14 at 00:13
  • I tänk SPDY require SSL – Mikael Dúi Bolinder May 03 '14 at 07:45
  • The purpose of encrypting your communications is not only to protect sensitive information (logins, session cookies) but also your browsing history. You would not publicly advertise your browsing history to everyone, yet every unencrypted page load can technically be seen by every node in the chain between you and the server. With encrypted traffic, the only relevant info they can extract are IP addresses, which could in fact map to multiple web sites hosted on the same provider. – sleblanc May 04 '14 at 07:41
6

SSL has two important parts:

  • The encryption, so nobody can sniff or even worse modify the data in transit.
  • The authentication, e.g. the client can be sure who it is talking to (and sometimes also the server requires authentication from the client). If there is for instance a DNS spoofing attack, the client can detect, if it is talking to the wrong server.

Encryption without authentication is useless, because then you cannot detect a man-in-the-middle (e.g. no end-to-end encryption but end-to-mallory and mallory-to-end encryption). Authentication without encryption can make sense, but it is usually not used.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424