To Be Secure or Not Be Secure: Do You Need SSL and HTTPS?
Secure Sockets Layer (SSL) is an Internet communications protocol that helps protect data transfers between websites and browsers. Without SSL, the passwords or credit card numbers you use for online purchases would be transferred over the Internet in plain text, where they could easily be viewed if intercepted. Also known as TLS/SSL (Transport Layer Security/Secure Sockets Layer), the protocol renders a URL as HTTPS in the address bar of your browser.
When a valid SSL certificate is configured on your website, it creates an encrypted connection between the web server and each individual web browser session. The encryption encodes the content transferred back and forth so it can’t be understood by a third-party (known as a man-in-the-middle exploit) who might be scanning the transmission as they don’t have the private key to decode it.
Benefits of SSL
Securing a website with a SSL certificate offers these advantages:
- Personal or private information shared on the website is secure.
- Signals that website is trustworthy by showing the SSL padlock or a green color in the address bar.
- Identity of the website domain is verified so users know it is valid.
- Data transfer integrity is verified, as it would be noticeable if modified or corrupted.
- HTTPS is now a ranking signal that can give a small SEO ranking boost in Google.
Does Your Website Need an SSL Certificate?
The primary reason to consider an SSL certificate is for a website that transfers private information. This could include the following scenarios:
- Credit card transactions. A web form that asks for a credit card number without SSL sends that number across the Internet in plain text. Not only is this risky for your business and your customers, but it violates PCI Compliance regulations, which can result in fines.
- Logins. When people login to your website, it is advised to use SSL to protect passwords.
- Account pages. For websites with private account or member sections, it is wise to secure the content on these pages.
- Forms. Forms that collect information, such as contact forms, are often not encrypted. As identity thieves can attempt to steal contact information, form should use SSL.
- Downloads. Private information sent to a user, such as information products or other downloadable files, may be secured with SSL.
- Trust. Google Chrome will soon label non-SSL login pages as non-secure, so adding SSL will improve trust. Seeing the padlock or green color can also increase trust. Internet Explorer and Mozilla Firefox will most likely follow Google’s lead and eventually flag ALL non-https sites as insecure.
- SEO. While not currently a major factor in search rankings, website owners claim some ranking improvement when they put SSL on their entire website. Additionally, Google’s Accelerated Mobile Pages (AMP) framework, which loads faster and helps with mobile SEO, requires SSL.
If your website is essentially an online brochure, SSL may not be worth the expense. However, many websites have contact forms and are built using a Content Management System (CMS) like WordPress which have login pages for administration. Further, with WordPress sites being a common target by hackers, that extra security is helpful to have.
It is possible to only secure certain website pages, such as the login and checkout pages. When going from HTTP to HTTPS pages, however, there is a danger of a user’s session being hijacked, so using SSL on the entire website avoids this. Also, for SEO purposes, it is recommended to use SSL on your entire website.
SSL sounds great! Why not?
- Cost of SSL certificate and implementation. This can cost hundreds of dollars a year, depending on which certificate you buy.
- Not all web designers are familiar with implementing SSL.
- Requires a dedicated IP address, though the site can have multiple domains or aliases.
- Some hosting providers have restrictions on IP addresses and control panels, which may require an upgraded package.
- Short-term SEO disruption when switching a website to SSL. Google views HTTP and HTTPS as different URLs, so this needs to be managed carefully.
- Mixed-mode problems when HTTP and HTTPS content is combined, which causes error messages or hides content.
- Some third-party plug-ins, applications, widgets, and ad networks do not support being embedded in an SSL website and could stop functioning properly.
Of all the factors listed above, #7 may have the biggest short-term impact. Adding SSL to a CMS that has plug-ins, especially if they are using third-party services, would require ongoing testing of all current and new plug-ins and services with SSL. Otherwise, #6 becomes an issue, as some embedded content would not be HTTPS. For a CMS, this means both implementation and website management are important with SSL.
- SSL only protects the transmission of data between the web browser and the web server. It does not, in and of itself, offer protection of the data outside the communication path. In other words, SSL does not guarantee that other security problems present at the client’s or the web server’s end will be mitigated. Things like lack of virus protection, lack of firewall protection, phishing attempts in email messages, will not be alleviated by SSL. SSL does not eliminate the need for good security practices and protections outside the web browser or web server.
- The encryption/decryption process protects the data transferred but does require more system resources at both the web browser and the web server end - the process is CPU intensive. Generally, this is not a serious issue unless your website transfers very large amounts of data.
Due to website vulnerabilities and the proliferation of hackers, webmasters are increasingly encrypting websites with SSL. We recommend taking a step towards greater security by installing a certificate on your website. If you process credit cards, it’s mandatory. For confidential information, it’s highly recommended. Otherwise, you can live without a SSL certificate for now, but consider the benefits. If you have questions or need any assistance with a SSL implementation, contact Crown Point Solutions today. Or if you’d like to learn a little SSL history, keep reading.
Appendix: A Brief History of SSL
In the early days of websites – the 1990s – the usefulness of the World Wide Web for the exchange of personal and financial information became obvious. Keeping that information private and secure became a necessity. In the latter 1990s, Netscape developed the Secure Sockets Layer (SSL) protocols to allow private information to be exchanged between a web browser and a web server in a secure manner. SSL offered three advantages:
- Privacy through encryption.
- Identity authentication through certificates issued by a trusted authority.
- Reliability through maintenance of a secure connection using message integrity checking.
SSL version 1.0 was never officially released, SSL 2.0 was released in 1995, and SSL 3.0 was released in 1996. Each version release strengthened the process of encrypting and protecting the data transmission process. During that time period, trusted certification authorities (CA) were established (Verisign, Thawte, etc.) to issue “SSL certificates” that verified the identities of websites while providing a way to share and validate a public key to encrypt the transmission channel. In 1999, the Internet Engineering Task Force (IETF) developed the Transport Layer Security (TLS) protocols as an improvement of SSL V3.0 and formalized it as an Internet Standard that built on and extended SSL V3.0. TLS 1.0 was released in 1999, TLS 1.1 in 2006, and TLS 1.2 in 2008. Due to existing security vulnerabilities, the use of SSL V2.0 was deprecated (prohibited) in 2011; the use of SSL V3.0 was deprecated in June 2015 in favor of TLS 1.2 . Although TLS has renamed and replaced SSL, the acronym is still used today to refer to encrypted traffic between web browser and web servers, and remains the common name for certificates issued by Certification Authorities – SSL certificates.
See All Publications
Ready to Discuss SSL? Contact us at 970-221-0082 to get started!