SSL for basic contact form

Sully

I'm curious as to peoples thoughts on the use of SSL for Contact Forms. Usually I would use them where credit card information is being passed but I wonder for data protection is it wise if peoples contact numbers and addresses are being passed?

28064212

Depends on the value and confidentiality of the contactees e.g. a website for victims of domestic abuse would very much be expected to protect any information submitted as much as possible. The local coffee shop with a feedback form, not so much.

However, SSL is pretty easy to set up, and with Lets Encrypt coming down the line pretty soon, it's about to get even easier. It's rapidly going to become the default for a lot of websites, and there's no real downside to it

Giblet

If you are passing cookies, you should use SSL everywhere, even if the cookies are https only, not just for pages where you post info.

Talisman

You can get a free SSL certificate from StartSSL.com so it's worth having the additional security. Their website looks like it was thrown together in the 1990s but the certificates work.

Let's Encrypt should be publicly launching their service next couple of weeks unless it has been postponed again but there hasn't been any announcement.

salamanca22

Why not? You can get them super cheap / free nowadays and it gives visitors a sense of safety when they see that the page is being served over https. If your site is behind cloudflare then you can turn on and off ssl quite easily and for free.

Raging_Ninja

Just use SSL on the entire domain by default - it doesn't cost you any more than picking and choosing pages where you want it implenented.

Sully

SSL is cheap enough, but I had wondered have peoples attitudes changed as we head towards a more 'data protected' future than we had before. I have them on basic contact forms because they look for addresses and contact numbers for making a reservation for accommodation. No Credit Card information is passed. Seems that people are in broad agreement to keep SSL for these type of forms (by the small sample here).

bpmurray

You'll notice that many companies now use ssl on every page, including static content, so you might as well do that if you have the cert.

Graham

Sully wrote: »

Seems that people are in broad agreement to keep SSL for these type of forms (by the small sample here).

That's not what I've taken from this thread. The consensus appears to be why wouldn't you use SSL for your entire site.

To add Googles thoughts on the subject:

HTTPS as a ranking signal

over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We've seen positive results, so we're starting to use HTTPS as a ranking signal. For now it's only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS.

TrueDub

Interesting article on The Register about a new encryption effort called letsencrypt.

Thinking of trying this out with an old domain I have lying around, just to see how it works.

Tom Dunne

TrueDub wrote: »

Interesting article on The Register about a new encryption effort called letsencrypt.

Thinking of trying this out with an old domain I have lying around, just to see how it works.

That's a fantastic initiative.

In the college where I work, we did a bit on self-signing certificates, but the students generally didn't get it and the college wouldn't pay for certs.

I might try this with a few projects after Christmas.

TrueDub

Tom Dunne wrote: »

That's a fantastic initiative.

In the college where I work, we did a bit on self-signing certificates, but the students generally didn't get it and the college wouldn't pay for certs.

I might try this with a few projects after Christmas.

Please let us know how it goes, it's a really interesting approach to security. and I'd love to find out if it's as easy as it claims to be.