Magento Store – Should You Purchase an SSL Certificate?

ssl

I've got a Magento installation on a server. I have been contemplating getting a certificate for my site. However, since all of the credit card and other payment options are being processed offline, do I really need it? After all I can still connect via an encrypted channel to the remote Magento installation on the server (using HTTPS). The only problem I see is that such an encrypted connection is still subject to impersonation from an attacker mimicking the remote host, so when I access the admin panel of course such an attacker could steal my password. However, I doubt this is a likely scenario, especially since there are also many other e-commerce sites out there, and most importantly, since customers do not need to access the admin panel and don't need a secure channel for browsing products and adding them to their shopping cart but only need such a channel at checkout time, and such a channel is provided by the gateway service provider, I don't need to install one myself.

Would like to hear opinions on this matter. I've read that SSL certificates make the client more secure, but then again they will not be seeing the lock icon in the URL if they are just connecting with plain vanilla HTTP.

Thanks.

Best Answer

The only reason I can see why you really wouldn't want to have an SSL installed is if this will create a poor environment for your customers that you do not have the time or resources to fix.

For example, you may have various assets on your side hard-coded to load over HTTP (scripts, images, stylesheets, etc.). Once you start loading the site over HTTPS, you will probably get a bunch of warnings in the browser's console and there will probably be a number of things on the site that will no longer work properly.

If this is the case, you have to ask yourself if it is going to be worth it in the long run to just fix these things (might take an hour, or in some cases of highly customized development, a few days) and install the SSL, or instead just leave them alone and deal with potential loss of sales because of a customer's wariness.

For the majority of e-commerce operators, this is a terrible decision. The proper decision is to fix your site to work properly and use SSL. I can see, though, some edge cases where it is more feasible to just leave it alone for now and note down that this needs fixing in the future. With the holiday season coming up, you may want to leave it alone for now and fix it after the busy season, for example.

That all said, @philwinkle is giving you sound advice and ignoring your SSL is just going to make things more difficult in the long run.
