To use or not to use SSL? Why use SSL always?
The argument for using SSL is to prevent some malicious user who has gone through the pains of snooping your traffic being able to read your traffic. So while it may make sense if you are using an unsecured wireless (non WPA2) network to use SSL when logging on to your bank account or giving your credit card number, I find it difficult to see it's neccessaity in more common business cases.
Why even bother with SSL? (when your client is not going to be on an unsecured wireless network)
The only way someone can snoop your particular HTTP connections and data therein is if they have admin access to your router (and then only if there is some facility to monitor/copy traffic), installed some tool on your machine (a key logger of course would by pass SSL anyway) or they monitor you at the ISP (for which a warrant is required in most jurisdictions).
Update Warning Some jurisdictions are not as free as you may think, particularly the 1st and 2nd world, e.g. in the UK, government may soon not require a warrant: http://en.wikipedia.org/wiki/Communications_Data_Bill_2008 which will probably entail the ability to read websites as they were historically (i.e. decrypt SSL) and the US's "Patriot Act" http://en.wikipedia.org/wiki/US_Patriot_Act#Title_II:_Surveillance_procedures
- Accepting SSL connections server side adds significant load as the establishing of a connection is processor intensive (during the generation of secret keys).
- Publicly trusted SSL certificates have to be purchased from a 3rd Party periodically
UPDATE: I am actually
using SSL, though I thought it worthwhile to ask the question anyway. Certainly I think there are time SSL is not necessary. Maybe this could be turned into a community wiki of the pros and cons of SSL? If so how?
There seems to be commonly occurring myth in the answers below: "anyone between you and the server can eavesdrop on you".
- This is not not possible on the Internet as the low level TCP routers only forward packets where they have to go and even in the same session can be routed through different routes, and no one can look at these packets except in extreme cases - technically or lawfully.
- As for someone at the ISP looking at your traffic I wonder why they would signal you out and look at the 'so important data' which no doubt is boring to them, this is also illegal without a warrant.
- On your LAN (except wireless) unless you are using a dinosaur Hub which broadcasts every packet there is no way listen on someone else's traffic - this is not possible because the hardware simply does not send the packets to you even if you have your network card in promiscuous mode and are using a sniffing tool such as Snort or Wireshark.
Passive ARP poisoning is one way to listen in but has to be done internally and should be picked up as name conflicts etc. start occuring and often the default gateway would be static so would be v. difficult cause the default gateway will be on before you.