
September 8, 2015

Security should not cost extra in the Software as a Service model

As we move into a SaaS world, we’re becoming more reliant on third parties to ensure that our data is secure. There’s a nasty new trend to charge extra for SSL security, in spite of SSL now being much cheaper, even free, to roll out.

What’s worse, these companies require that you pay for their ‘enterprise’ or ‘pro’ plan to get it. Everyone, whatever the size of their business, should be able to have a secure website.

To me, this is like a car manufacturer charging extra for a lock on your new car unless you go for the high-end trim package.

| Service | Min price without SSL | Min price with SSL | Cost differential |
|---|---|---|---|
| WP-Engine | $29/month | $99/month | 341% |
| Squarespace | $8 | N/A | N/A |
| Azure App Service | $0 | $18.87/month | N/A |
| Pressidium | $24.90/month | $34.90/month | 40% |

Why are people doing this?

Before SNI (Server Name Indication) became a widely used standard, each SSL website required its own IP address.

This was expensive and a hassle to organise, and there would be more justification to charge when you had to lease extra IP addresses.

SNI allows multiple SSL based websites/APIs to be hosted under one IP address, eliminating that problem.

The cost of a certificate is very low – potentially zero – as QuickSSL shows.

There is a slight additional cost for encrypting the data on the server; however, the load generated is tiny in comparison to the benefits of having your customers’ data secured.

What are the implications?

Without SSL, there is no privacy or security for visitors to your site. Some people would argue that some of the providers, e.g. Squarespace, don’t offer anything that would justify the security aspect. I’d argue against that (cookies being leaked, for example), and the privacy aspects alone justify it.

What should you do about it?

Don’t ever be tempted to choose a SaaS product that doesn’t offer full SSL security. And be wary of companies differentiating their plans on this: they shouldn’t, and it suggests an arrogant (and wrong) attitude to their customers’ privacy and security.

As an industry, this needs to stop. It’s not right to charge customers more to keep their privacy and security intact.