The argument for using SSL is to prevent some malicious user who has gone through the pains of snooping your traffic being able to read your traffic. So while it may make sense if you are using an unsecured wireless (non WPA2) network to use SSL when logging on to your bank account or giving your credit card number, I find it difficult to see it's neccessaity in more common business cases.

Why even bother with SSL? (when your client is not going to be on an unsecured wireless network)

The only way someone can snoop your particular HTTP connections and data therein is if they have admin access to your router (and then only if there is some facility to monitor/copy traffic), installed some tool on your machine (a key logger of course would by pass SSL anyway) or they monitor you at the ISP (for which a warrant is required in most jurisdictions).

Update Warning Some jurisdictions are not as free as you may think, particularly the 1st and 2nd world, e.g. in the UK, government may soon not require a warrant: http://en.wikipedia.org/wiki/Communications_Data_Bill_2008 which will probably entail the ability to read websites as they were historically (i.e. decrypt SSL) and the US's "Patriot Act" http://en.wikipedia.org/wiki/US_Patriot_Act#Title_II:_Surveillance_procedures

Furthermore:

• Accepting SSL connections server side adds significant load as the establishing of a connection is processor intensive (during the generation of secret keys).
• Publicly trusted SSL certificates have to be purchased from a 3rd Party periodically

UPDATE: I am actually using SSL, though I thought it worthwhile to ask the question anyway. Certainly I think there are time SSL is not necessary. Maybe this could be turned into a community wiki of the pros and cons of SSL? If so how?

There seems to be commonly occurring myth in the answers below: "anyone between you and the server can eavesdrop on you"...

• This is not not possible on the Internet as the low level TCP routers only forward packets where they have to go and even in the same session can be routed through different routes, and no one can look at these packets except in extreme cases - technically or lawfully.
• As for someone at the ISP looking at your traffic I wonder why they would signal you out and look at the 'so important data' which no doubt is boring to them, this is also illegal without a warrant.
• On your LAN (except wireless) unless you are using a dinosaur Hub which broadcasts every packet there is no way listen on someone else's traffic - this is not possible because the hardware simply does not send the packets to you even if you have your network card in promiscuous mode and are using a sniffing tool such as Snort or Wireshark.

Passive ARP poisoning is one way to listen in but has to be done internally and should be picked up as name conflicts etc. start occuring and often the default gateway would be static so would be v. difficult cause the default gateway will be on before you.

SSL should be used anywhere where you are communicating information that should not be public. It is a very dangerous assumption to believe that no-one is listening to traffic between your computer and the remote server.

All someone needs to do to snoop traffic is be on your network - they don't need admin access to your router. Without using SSL for sensitive communications, a single machine with a virus on a coworkers computer is all that is needed for stealing your identity.

The ISP also has access to all network traffic - how much do you trust their techies?

Dear User,

We've decided against encrypting our internet traffic because we just don't think it's important. We decided that it's really too hard to monitor internet traffic, so if anyone really is prepared to go to that effort, well they deserve all the data they can get their hands on. If you're using an old style of router, have corrupt IT staff and/or co-workers, or someone just doesn't like you and decides to steal your data, we accept no liability.

We advise against you telling anyone about our decision, as this will direct unwanted attention to our IP traffic.

Kindest Regards,

Good Enough Programming

Disclaimer: If you are a hacker and stumbled across this message while monitoring IP traffic, we politely point out that what you are doing is illegal, and request that you pretend you never saw it.

The problem is that using, say, WPA2 only secures the connection between your computer and the router. There is a large piece of unsecured network between the router and the destination - that's the design of the internet. You don't know who is along the path and there could be any number of malicious (or just nosey) listeners out there. They may not even be in your jurisdiction so preventing eavesdropping may well be impossible.

SSL gives you an encrypted tunnel all the way to the other end.

If you're talking about a small company LAN where no traffic leaves the internal network then sure, don't bother with SSL if you don't want to. But if anything sensitive goes across the internet then you really want to use SSL to stop anyone seeing it. It's all about how important the information is.

One thing to be aware of is that many websites use cookies to remember login information. If those cookies go across the internet in the clear then it is fairly trivial to hijack the session - think FireSheep. Thus, you need to be very careful about what you consider to be "sensitive" information. Given that many business applications are moving to remote servers (I think the young'uns call it "the cloud") this is not a minor issue.

Long story short, use SSL if there is anything you don't want anyone else to see going across a network that is not entirely in your control.

SSL provides authentication and encryption.

It is somewhat difficult to MITM an unencrypted connection, but not so hard on the unencrypted wireless network you gave as an example. Any network that allows you to ARP spoof (many switched wired networks) allows you to MITM as well. But you're forgetting about every router along the way. Remember a few months back when a (hopefully) poorly configured router in China routed a significant, though small in relative terms, portion of Internet traffic? They could've seen your plaintext. So can other customers on a cable network, and so on.

But SSL also provides authentication. If I get the private key to a valid SSL cert from you, I'm damn confident that you are who you say you are - doubly so if it's a competent CA.

But the bigger concern is - you don't quite seem to understand SSL, so I'd advise you against making a decision one way or the other by yourself - at least until you read more. SSL does not require you to generate a new key every request, and in fact would not work if it did. Furthermore, any reasonably-recent computer can handle thousands of SSL requests simultaneously - the algorithms are very fast. Furthermore you can use encryption accelerators that offload the work to a dedicated piece of hardware.

If you think you might need to use SSL to secure some data, and often if you don't, there are almost no reasons to avoid it. Yes there is some expenditure involved but any data of consequence is worth the $300/yr.

EDIT I read your comment - this is a client app? The solution in your case is probably to use self-signed keys, and you can distribute the public key with the app. This allows you to encrypt and verify that you're talking to who you should be.

I don't think that every website needs SSL, if you do then use it, but there are cases where you want to be able to authenticate user without having to use SSL.

I've created (javascript->perl) single use random hash authentication for just this purpose.

http://www.furiousgryphon.com/jauthenticatedemo.html

https://github.com/thomasoeser/jAuthenticate

General understanding has perhaps moved on over the past eight years. This site provides a good answer:

https://doesmysiteneedhttps.com/

Even when there is no 'sensitive' data transferred, SSL prevents page content injection.

One of the things most people here are forgetting to address is what do you consider sensitive data? What one person considers boring useless data may be considered highly confidential by someone else, or vice versa. So what are you going to do? Use SSL on all the data to play it safe so that you don't get sued? Get real. Take a chat program for example. Most would agree that encrypting the username and password would be important, but what about the chat text itself? Most chat is mundane stuff and eliminating SSL will provide better performance. Personally, I would let the end user decide what is important and then provide SSL for only those types of information that they feel needs to be encrypted. That's what Google does with Gmail. You have the choice of using SSL or not.