Do I need an SSL certificate if using a secure webservice?

Question

I'm using a third party web service. In order for my users to be able to access their third party account, they need to log in. I provide the interface for them to log in to the third party site from my site. My question is, do I need a SSL certificate if the webservice already provides one? The webservice has a special Login method, which uses the https protocol. Does this mean that I don't need one for my site, or will I have to purchase a SSL certificate for my site?

Thanks

Answer 1

I think you need to explain a bit more about what you are doing.

Are you using iframes or redirects so that the third party site can do the authentication? If so, then you're probably fine and don't need your own certificate.

If, on the other hand, the user is making HTTP requests to your site that contain their credentials then you've got a problem. Technically speaking, you don't need to use SSL for this, but it's kind of bad behavior. If you're going to accept user credentials for some third party you should at least try to match the third-party's level of security.

Answer 2

Because your users log in through your site and will provide their credentials to your web application, you should attempt to protect them as well as you can. So you should enable SSL on your site and get a certificate.

That said, if you don't care about security, then it would also work without an SSL/certificate.