I was baffled by Heroku's $20/month fee for SSL until I found out that SSL on EC2 means you have to have a dedicated Elastic Load Balancer for each domain.
SSL as a feature usually differentiates between sites that accept online payments (need to use SSL on their site payment form) and those that don't.
Those that accept online payments seem to be able to pay more for a service than sites that don't accept online payments.
I don't see cost as being a counterargument for a SaaS. I paid about $20 for my certificate, took an hour or so to jump through the signing hoops, serving assets through CloudFront which charges me pennies, and Heroku has $20/month SSL support. If you can't recover that cost per user through your SaaS, you have bigger problems.
Imagine a service that offered you ‘hashed passwords’, ‘encrypted credit card storage’, ‘backed up data’ or ‘up to date libraries’ if you pay for their advanced plan. Not cool, right?
Because IP addresses are hard to get?
Because SSL adds computational overhead?
Because it requires extra staff time to renew certificates?
Because storing keys and even CSRs adds to the security budget and staff training?
RKearney | 14 years ago
* IPv4 addresses are NOT free by any means.
* Having an SSL certificate requires extra configuration on the server.
* Legitimate SSL certificates are not free (VeriSign, etc.; if your site uses StartCom then you're doing it wrong)
That's just a few points.
spindritf | 14 years ago
You can use SNI but you probably have one website and one certificate for all customers anyway.
> if your site uses StartCom then you're doing it wrong
Why? (honest question)
mixonic | 14 years ago
http://www.getharvest.com/blog/2009/06/unlimited-clients-pro...
Sure, it costs a little bit of money. But it makes our users a little safer when they log into our service. There aren't many levers you have as a SaaS product that you can pull to really make user data secure once it leaves your servers.
As pwim said, if you can't recover the cost per user then your company must have some big problems. I always frown at a pricing page that says SSL is an add-on; it demonstrates that whoever is running things behind the curtain isn't really concerned about the safety of user data in their app.
ceejayoz | 14 years ago
sdfjkl | 14 years ago
Using SSL for all private data is an absolute must though.
nirrrrrr | 14 years ago
tl;dr sites that need SSL usually can pay more for the same service.
pwim | 14 years ago
cbs | 14 years ago
SLAs are buzzword nothings? Man, the naivety is simply oozing out of this post.
petercooper | 14 years ago
All of those things relate to the security of the provider so you expect them as standard. SSL, as a customer facing feature, secures data when it's out on the wilds of the Internet or on the customer's network. It's a bit like charging extra to offer signed courier delivery instead of USPS.
rodion_89 | 14 years ago
robinduckett | 14 years ago
hahaiamatwork | 14 years ago
Is it just me or is anyone else tired of these blogs on Hacker News? It seems that anyone who has a website and some time can get their opinion to the top of the list.
I should try it.
dholowiski | 14 years ago