Web Development Security – How Important is an SSL Certificate for an Internal Website?

Tags: security, ssl, web-development

I know many people have asked the same question but I think it really depends on the type of the website. So that's why I am asking the question about my website.

I am developing a PHP web application for an insurance company. The application contains all information about the customers, but this app is only used by the admins and salesmen of the company. The admin creates a user, then that user can add customers or renew their insurance. The address will be something like example.com/manage/ and the login is only for the users that the admin person has created. Of course I will be using validation, salt, encryption, etc. But do I need an SSL certificate?

Best Answer

Yes, whenever traffic is transported across an untrusted network.

  • Using HTTPS encrypts the traffic. Otherwise, an attacker could read customer information or internal documents in the clear whenever they are transmitted. And if a password or other keys are ever transmitted as clear text, then an attacker could use those to get even better access.

  • SSL certificates can authenticate a server to a user, which makes man-in-the-middle attacks more difficult. Otherwise, an attacker could set up a proxy between the user and the real server, and record all communications even when they're encrypted.

Consider the following attack scenarios:

  • A sales rep connects to your website while sitting in a coffee shop. The Wi-Fi has been compromised, and all network traffic is recorded by a malicious hacker. If you do not verify the identity of the server and encrypt all traffic, the attacker can record and misuse confidential information or sensitive customer data, e.g. by selling the data to a competitor.

  • The physical internet connection of your office is compromised. Your website is hosted outside of the office. All requests to the server are intercepted and redirected to a proxy which records all information. The same chaos as above ensues.

This is not an issue when the server is only accessible via an Intranet which is already sufficiently secured and encrypted (e.g. via a VPN). Note that in some jurisdictions there are strong privacy requirements when handling customer data. Should you be breached without having secured the data properly, you could face legal action there.
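Once the certificate is in place, the PHP side of the /manage/ area still has to refuse plain HTTP and keep the session cookie off the wire. The following is an added example written for this answer, not code from the question's application; it assumes a standard Apache/PHP-FPM setup that sets `$_SERVER['HTTPS']` on TLS requests, PHP 7.3 or later for the array form of `session_set_cookie_params()`, and a hypothetical fixed host name `MANAGE_HOST`.

```php
<?php
// Added example: enforce HTTPS for the /manage/ area and harden the
// session cookie. Not part of the original question or answer.

// Hypothetical fixed host; using a constant instead of $_SERVER['HTTP_HOST']
// keeps an attacker-controlled Host header out of the redirect target.
const MANAGE_HOST = 'example.com';

function request_is_https(array $server): bool
{
    // Web servers set HTTPS to a non-empty value (IIS uses "off" for plain HTTP).
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

function https_redirect_target(array $server): string
{
    // Preserve the requested path so a bookmarked /manage/ link still works.
    $uri = $server['REQUEST_URI'] ?? '/manage/';
    return 'https://' . MANAGE_HOST . $uri;
}

function enforce_https(array $server): void
{
    if (request_is_https($server)) {
        // HSTS: browsers will refuse plain HTTP to this host for one year,
        // so a typed or linked http:// URL never exposes the session cookie.
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
        return;
    }
    // A request that arrived over HTTP has already crossed the network in the
    // clear; the redirect only protects the next request, it cannot undo this one.
    header('Location: ' . https_redirect_target($server), true, 301);
    exit;
}

// Secure: only sent over TLS. HttpOnly: not readable by page scripts.
// SameSite=Strict: not attached to cross-site requests.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/manage/',
    'domain'   => MANAGE_HOST,
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);

enforce_https($_SERVER);
session_start();
```

Include this file before any output on every /manage/ page; if the site sits behind a TLS-terminating load balancer, `request_is_https()` must instead check the header that balancer sets, and only when the request really came from it.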
