My webapp requires payment which is handled through Paypal. The user clicks on a button on my website, gets redirected to Paypal and makes the payment there.<p>Paypal then notifies my webapp and redirects the user. In this scenario, do I really need to get an SSL certificate from vendors such as godaddy or verisign?
A certificate is needed basically for two reasons:<p>1. the user has to verify that the site is actually run by you and not by somebody spoofing your site. Somebody could make the user believe he's clicking on your's sites "pay" button, and instead he's sent to a fake paypal site, or a real paypal site with a similar account.<p>2. once the browser knows that you are you, it can securely encrypt che connection. This is useful if your webapp also requires password login etc.<p>Note that encryption is also possible without a trusted certificate (i.e. verified by the 'certificate authority' mafia^H^H^H^H), but at this point, albeit almost impossible to decypher once established, it remains vulnerable to the 'man-in-the-middle' attack, intercepting the key exchange with your site, or simply a spoofing as described in point (1).<p>EDIT: when I said "the browser knows that you are you", by "you" I mean "you" the server, the webapp
gilaniali, to answer your question, you do not need an SSL certificate to protect your PayPal checkout process. The security is all handled on their end. Sure, you could get an SSL certificate, but it seems like a waste of money to me.