Do we even need SSL?

“Do we even need SSL?” This question comes up in almost every project that involves hosting of some kind.

While SSL certainly has room for improvement, it is the easiest way to secure the transfer between web servers and web surfers.

In which cases is SSL expendable?

IMHO, encrypted data transfer via SSL is expendable only when no private data or login credentials are transmitted between the web server and you or your visitors. In practice that applies only to static web sites consisting of nothing but HTML, CSS, JavaScript and images.

In all other cases at least certain parts of a web site or web application should be transmitted via SSL only. The most common example is WordPress: administrative access to WordPress should always be encrypted. The reason is quite obvious. Imagine yourself in a Starbucks or any other place with free Internet access. You are most probably just happy to have access; this is not the moment you worry about other people eavesdropping on wifi connections.

The New York Post (via Bruce Schneier) has a nice blog post on this topic (the author meets a security consultant in a Wi-Fi coffee shop for a live “hacking” demo):

He turned his laptop around to reveal all of this:

* Every copy of every e-mail message I sent *and* received.

* A list of the Web sites I visited.

* Even, incredibly, the graphics that had appeared on the Web sites I had visited.

None of this took any particular effort, hacker skill or fancy software. Anyone could do it. You could do it.

All Jon needed was a “packet sniffing” program; such software is free and widely available. (He used a Mac program called Eavesdrop.) It sniffs the airwaves and displays whatever data it finds being transmitted in the public hot spot.

I do not even consider this “hacking”, as you only have to start a program that dumps wifi traffic. There are a bit more complicated ways that enable you to eavesdrop even on encrypted wifi traffic, but that’s another story.

Security evangelist Bruce Schneier encrypts all of his web server’s traffic, and so do I. A basic level of security can be obtained just by buying an SSL certificate and installing it (or letting someone install it for you). Most web hosting services provide some way of protecting your web site’s traffic. If you only want to secure the administrative sections of your web site and do not mind the extra bit of hassle that comes with self-signed certificates, you can get that security for free.

I am not saying everyone should, but you should at least let your web server encrypt sensitive transfers such as administrative logins.
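As an added example that is not part of the original post: an nginx configuration that implements exactly this split, serving the public site over plain HTTP while sending WordPress’s administrative paths (/wp-admin/ and wp-login.php) to HTTPS before the browser can transmit a password or a session cookie in the clear. The hostname, document root, certificate paths and PHP-FPM socket are placeholders, and it assumes a reasonably current nginx with TLS 1.2/1.3 support.

```nginx
# Added example, not from the original post. Placeholders: example.com,
# /var/www/wordpress, the certificate paths and the PHP-FPM socket.

# Plain-HTTP site: public pages are served as-is, but any request for the
# administrative paths is redirected to HTTPS. The redirect happens on the
# first request, so no credentials are ever sent over port 80.
server {
    listen 80;
    server_name example.com;          # placeholder hostname
    root /var/www/wordpress;          # placeholder document root

    location ~ ^/(wp-admin/|wp-login\.php) {
        return 301 https://$host$request_uri;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;   # placeholder PHP-FPM socket
    }
}

# HTTPS site: same document root, with the certificate installed. A self-signed
# certificate works here if only the admin section needs protecting, as the
# post describes; the browser warns once, but the transfer is still encrypted.
server {
    listen 443 ssl;
    server_name example.com;
    root /var/www/wordpress;

    ssl_certificate     /etc/ssl/certs/example.com.crt;    # placeholder
    ssl_certificate_key /etc/ssl/private/example.com.key;  # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;   # tells WordPress the request arrived encrypted
        fastcgi_pass unix:/run/php-fpm.sock;
    }
}
```

Pair this with `define('FORCE_SSL_ADMIN', true);` in wp-config.php so that WordPress itself generates HTTPS links for the back end instead of relying on the redirect alone. Two caveats worth knowing: a self-signed certificate defeats the passive sniffing the quoted article describes, but an active attacker on the same network can present their own certificate, so the admin user has to actually heed the browser’s warning rather than click through it; and the logged-in session cookie is only protected while every admin request stays on HTTPS, which is why the redirect covers wp-admin/ as a whole and not just the login page.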

Web fonts slowly picking up pace

Web fonts have been adopted by all major web browsers. What users of Firefox 3.1+ with NoScript might not know is that NoScript blocks “font face” by default, so they do not get to see the nice fonts. There are two easy ways to enable web fonts though:

  1. Left-click the NoScript icon in the bottom right corner of the browser window and enable all “font@” entries under “Blocked Objects”. This temporarily allows web fonts on the current page.
  2. To enable web fonts permanently, left-click the NoScript icon in the bottom right corner of the browser window and select “Options”. Open the “Embeddings” tab, uncheck “Forbid @font-face” and click “OK”.

Do we actually need web fonts?

Yes and no.

Yes: Typography enthusiasts have been waiting for years. Now that browsers have widely adopted web fonts, every now and then even a free (to use) font comes along. The time for web fonts is now. And why should print designers have fonts and web designers not? If man can travel into space, the web should have web fonts.

No: Have I been waiting for web fonts? Certainly not. The web got along very well for 16 years without them. I like the web the way it is. Bad readability was mostly caused by bad color choices. To me, web fonts are primarily just another way of hurting someone’s eyes.

Beware though: most fonts have strict licenses that do not allow web distribution, so web designers have to resort to fonts with liberal licenses, Bitstream Vera and Droid Sans being two of them. Check font licenses carefully before jumping on the web fonts train!