The Web can be a malicious place for individuals and businesses. The need to protect website users was apparent from the 90s, and will continue indefinitely. We often use passwords for protecting our online resources, and SSL is used to protect data whilst it is in transit on the Internet.
When you enter a password or any other information on a form online, or send data such as an email, that data has to travel over the network from your browser or mail client to the server that will process it. Whilst in transit, the data can be intercepted, in what is known as a man-in-the-middle attack.
During a man-in-the-middle attack, an attacker can secretly relay and possibly alter the communications between two parties, who believe that they are directly communicating with each other.
One example of a man-in-the-middle attack is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them, to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
SSL, or Secure Sockets Layer, is an encryption-based Internet security protocol. It is the predecessor to the modern Transport Layer Security (TLS) encryption used today, although the names for the two protocols are often used interchangeably.
Because the two protocols are so closely related, some people still say SSL when they mean TLS, while others use the term “SSL/TLS encryption” because SSL still has so much name recognition.
SSL works by encrypting information that travels from a web browser or email client to the intended server, so that anyone who intercepts the communications will only get scrambled data that cannot be interpreted or decrypted without the keys held by the two endpoints.
The protocol begins with an authentication phase, known as the handshake, in which the browser or email client and the server establish the identity of the communicating devices. The handshake occurs before any data is sent over the network, and once it is completed, no third party is able to read or silently alter the information passed between the devices, as it is encrypted and digitally signed.
In order to ensure that your communications with a server are secured by SSL, you will notice several things in your browser.
The first is that the address has HTTPS instead of just HTTP. A web address that is not secured by SSL will be of the form “http://example.com”, whilst a secure site address will appear as “https://example.com”.
You should also look for a closed padlock icon in the address bar, sometimes followed by the word “Secure”. If the site is not secure, the closed padlock will be absent, and an icon with the word “Unsecure” may be present.
By clicking the icon in the address bar, you can get more information about the website and its security.
Please note that, even though a web address might be given with an HTTP prefix, the server, if configured properly, should redirect the link to HTTPS if the site is secure. The browser does not normally show whether a web address has the HTTPS prefix; you must double-click in the address bar to show the prefix.
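The redirect behaviour described above can be checked from a script. The following is an added example, not part of the original article: it sends one plain-HTTP request without following the redirect and classifies the answer. The function names, the verdict labels and the sample responses are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def classify_redirect(status, location):
    """Decide whether a plain-HTTP response upgrades the visitor to HTTPS."""
    target = urlsplit(location or "")
    if status not in REDIRECT_CODES:
        return "served-over-http"      # content delivered without TLS
    if target.scheme != "https":
        return "redirect-not-https"    # relative or http:// target: still no TLS
    # 301 and 308 are permanent, so browsers cache the upgrade
    return "https-permanent" if status in (301, 308) else "https-temporary"

def check_site(host, port=80, path="/", timeout=5):
    """Send one request to http://host and classify the answer.
    The redirect is deliberately not followed, so the server's own
    behaviour is what gets reported."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return classify_redirect(resp.status, resp.getheader("Location"))
    finally:
        conn.close()

# Constructed sample responses (status, Location header), not captured traffic.
SAMPLES = [
    (301, "https://example.com/"),
    (302, "https://example.com/login"),
    (301, "http://www.example.com/"),
    (302, "/home"),
    (200, None),
]

def classify_samples():
    return [classify_redirect(status, loc) for status, loc in SAMPLES]

if __name__ == "__main__":
    for (status, loc), verdict in zip(SAMPLES, classify_samples()):
        print(status, loc, "->", verdict)
```

A server that answers "served-over-http" or "redirect-not-https" leaves the visitor on an unencrypted connection, which is the case the man-in-the-middle description earlier in the article applies to.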
As of April 2016, you can get a free SSL certificate from Let’s Encrypt, which has to be renewed every 3 months, a step that is often automated. Before that, getting and maintaining an SSL certificate was very expensive. There are other organisations offering free SSL certificates, but Let’s Encrypt is the most popular.
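Because a three-month certificate stops working if the automatic renewal fails silently, it is worth monitoring the expiry date. The following added example (not from the original article) completes the handshake described earlier with Python's standard `ssl` module, which verifies the server's identity, and then reports how long the certificate has left. The 30-day threshold, the function names and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # assumed alerting threshold, not taken from the article

def fetch_certificate(host, port=443, timeout=5):
    """Complete a TLS handshake and return the server's certificate.
    create_default_context() verifies the certificate chain and the
    hostname, so a failed identity check raises ssl.SSLError here."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def days_remaining(cert, now):
    """Whole days between `now` (an aware datetime) and the cert's notAfter."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days

def renewal_status(cert, now):
    """Return 'expired', 'renew-now' or 'ok' for the given certificate."""
    left = days_remaining(cert, now)
    if left < 0:
        return "expired"
    return "renew-now" if left <= RENEW_BEFORE_DAYS else "ok"

# Constructed certificate in the dict shape getpeercert() returns,
# with a 90-day lifetime to mirror the three-month renewal cycle.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
}

if __name__ == "__main__":
    for day in ("2024-01-15", "2024-03-10", "2024-04-02"):
        now = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
        print(day, renewal_status(SAMPLE_CERT, now))
```

Against a live site, pass the result of `fetch_certificate("example.com")` and `datetime.now(timezone.utc)` to `renewal_status`.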
You can still get an SSL certificate that you pay for. If there is a free SSL certificate, why would you want to pay for one? The answer is that with paid certificates you have better liability protection, in the event that your site security is breached. This means that in the event of a data breach, you are insured based on your warranty level.
The obvious reason why a website should set up SSL is that you want to provide a secure environment in which to interact with website visitors. You want to provide an environment in which your visitors can rest assured that the information they share with your website is secure.
Another reason is that browsers will display your website as insecure if it does not have SSL. This is simply bad form. It means that visitors to your website will be shown a message saying that the site is insecure, and most people will leave when they see this, so you will lose out on visitors and, by extension, potential customers.
A website that is displayed as insecure in the browser is unprofessional and bad for business. When visitors come to your website, they need to be assured that they are in a secure environment, and having SSL goes a long way towards assuring them of this.
Furthermore, not having SSL is bad for Search Engine Optimization. Google and other search engines will rank an SSL-enabled site significantly higher than a site without SSL, even if the two sites would rank the same in every other respect.
In short, SSL should not be treated as optional for a website. It makes communications secure, promotes trust with users, and you can get it free. Hence there is no excuse for your website not to implement SSL.