Your Connection is Not Secure: Does Your Website Need SSL?
When browsing the web, you are likely seeing messages like "Not secure" and "This connection is not secure." If you own or manage a website, this is of particular concern, as you want people to feel comfortable when submitting information on your site. That concern has been heightened as people hear about data breaches and hacks at major companies. How should you respond to these concerns?
If your website is essentially a simple online brochure, implementing SSL may not be worth the expense. However, many websites have contact forms or accept credit card payments which warrant the need for more security. Many are also built using Content Management Systems (CMS) like WordPress which have login pages for administration, and as these sites are a common target by hackers, the extra security provided by SSL is helpful to have. For e-commerce sites, SSL is required to meet PCI Compliance requirements.
What is SSL?
TLS/SSL (Transport Layer Security/Secure Sockets Layer), often shortened to SSL, is an Internet communications protocol that helps protect data transfers between websites and browsers. Without SSL, the passwords or credit card numbers you use for online purchases would be transferred over the Internet in plain text, where they could easily be viewed if intercepted. The protocol renders a URL as HTTPS in the address bar of your browser.
When a valid SSL certificate is configured on your website, it creates an encrypted connection between the web server and each individual web browser session. The encryption encodes the content transferred back and forth so it can’t be understood by a third-party (known as a man-in-the-middle exploit) who might be scanning the transmission as they don’t have the private key to decode it.
Benefits of SSL
Securing a website with a SSL certificate offers these advantages:
- Personal or private information shared on the website is secure.
- Signals that website is trustworthy by showing the SSL padlock or a green color in the address bar.
- Identity of the website domain is verified so users know it is valid.
- Data transfer integrity is verified, as it would be noticeable if modified or corrupted.
- HTTPS is now a ranking signal that can give a small SEO ranking boost in Google.
Does Your Website Need an SSL Certificate?
The primary reason to consider an SSL certificate is for a website that transfers private information. This could include the following scenarios:
- Credit card transactions. A web form that asks for a credit card number without SSL sends that number across the Internet in plain text. Not only is this risky for your business and your customers, but it violates PCI Compliance regulations, which can result in fines.
- Logins. When people login to your website, it is advised to use SSL to protect usernames and passwords.
- Account pages. For websites with private account or member sections, it is wise to secure the content on these pages.
- Forms. Forms that collect information, such as contact forms, are often not encrypted. As identity thieves can attempt to steal contact information, form should use SSL.
- Downloads. Private information sent to a user, such as information products or other downloadable files, may be secured with SSL.
- Trust. Google Chrome and Mozilla Firefox now label non-SSL login pages as non-secure, so adding SSL will improve trust. Seeing the padlock or green color can also increase trust.
- SEO. While not currently a major factor in search rankings, website owners claim some ranking improvement when they put SSL on their entire website. Additionally, Google’s Accelerated Mobile Pages (AMP) framework, which loads faster and helps with mobile SEO, requires SSL.
It is possible to only secure certain website pages, such as the login and checkout pages. When going from HTTP to HTTPS pages, however, there is a danger of a user’s session being hijacked, so using SSL on the entire website avoids this. Also, for SEO purposes, it is recommended to use SSL on your entire website.
SSL sounds great! Why not?
- Cost of SSL certificate and implementation. This can cost hundreds of dollars a year, depending on which certificate you buy.
- Not all web designers are familiar with implementing SSL.
- Requires a dedicated IP address, though the site can have multiple domains or aliases.
- Some hosting providers have restrictions on IP addresses and control panels, which may require an upgraded package.
- Short-term SEO disruption when switching a website to SSL. Google views HTTP and HTTPS as different URLs, so this needs to be managed carefully.
- Mixed-mode problems when HTTP and HTTPS content is combined, which causes error messages or hides content.
- Some third-party plug-ins, applications, widgets, and ad networks do not support being embedded in an SSL website and could stop functioning properly.
Of all the factors listed above, #7 may have the biggest short-term impact. Adding SSL to a CMS that has plug-ins, especially if they are using third-party services, would require ongoing testing of all current and new plug-ins and services with SSL. Otherwise, #6 becomes an issue, as some embedded content would not be HTTPS. For a CMS, this means both implementation and website management are important with SSL.
In addition to standard SSL, there are also options like Let's Encrypt and Cloudflare One-Click SSL, which are cheaper and less complicated to implement, but which have notable limitations compared to standard SSL. We recommend looking at your security requirements before deciding which SSL path to choose for your website.
- SSL only protects the transmission of data between the web browser and the web server. It does not, in and of itself, offer protection of the data outside the communication path. In other words, SSL does not guarantee that other security problems present at the client’s or the web server’s end will be mitigated. Things like lack of virus protection, lack of firewall protection, phishing attempts in email messages, will not be alleviated by SSL. SSL does not eliminate the need for good security practices and protections outside the web browser or web server.
- The encryption/decryption process protects the data transferred but does require more system resources at both the web browser and the web server end - the process is CPU intensive. Generally, this is not a serious issue unless your website transfers very large amounts of data.
Due to website vulnerabilities and the proliferation of hackers, webmasters are increasingly encrypting websites with SSL. We recommend taking a step towards greater security by installing a certificate on your website. If you process credit cards, it’s mandatory. For confidential information, it’s highly recommended. Otherwise, you can live without a SSL certificate for now, but consider the benefits. If you have questions or need any assistance with a SSL implementation, contact Crown Point Solutions today. Or if you’d like to learn a little SSL history, keep reading.
Questions about whether SSL is for you?
Please call us at 970-221-0082.
Appendix: A Brief History of SSL
In the early days of websites – the 1990s – the usefulness of the World Wide Web for the exchange of personal and financial information became obvious. Keeping that information private and secure became a necessity. In the latter 1990s, Netscape developed the Secure Sockets Layer (SSL) protocols to allow private information to be exchanged between a web browser and a web server in a secure manner. SSL offered three advantages:
- Privacy through encryption.
- Identity authentication through certificates issued by a trusted authority.
- Reliability through maintenance of a secure connection using message integrity checking.
SSL version 1.0 was never officially released, SSL 2.0 was released in 1995, and SSL 3.0 was released in 1996. Each version release strengthened the process of encrypting and protecting the data transmission process. During that time period, trusted certification authorities (CA) were established (Verisign, Thawte, etc.) to issue “SSL certificates” that verified the identities of websites while providing a way to share and validate a public key to encrypt the transmission channel. In 1999, the Internet Engineering Task Force (IETF) developed the Transport Layer Security (TLS) protocols as an improvement of SSL V3.0 and formalized it as an Internet Standard that built on and extended SSL V3.0. TLS 1.0 was released in 1999, TLS 1.1 in 2006, and TLS 1.2 in 2008. Due to existing security vulnerabilities, the use of SSL V2.0 was deprecated (prohibited) in 2011; the use of SSL V3.0 was deprecated in June 2015 in favor of TLS 1.2 . Although TLS has renamed and replaced SSL, the acronym is still used today to refer to encrypted traffic between web browser and web servers, and remains the common name for certificates issued by Certification Authorities – SSL certificates.