Securing Websites With SSL No Longer Optional
The Web can be a malicious place for individuals and businesses. The need to protect website users was apparent from the 90s and will continue indefinitely. We often use passwords for protecting our online resources and SSL is used to protect data whilst it is in transit on the Internet.
When you enter a password, or any other information on a form online, that data has to travel from your browser to the server that will process it over the network. Whilst in transit, the data can be intercepted in what is known as a man-in-the-middle attack.
During a man-in-the-middle attack, an attacker can secretly relay and possibly alter the communications between two parties who believe that they are directly communicating with each other.
One example of a man-in-the-middle attack is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
What Is SSL and How Does It Work
SSL, or Secure Sockets Layer, is an encryption-based Internet security protocol. It is the predecessor to the modern Transport Layer Security (TLS) encryption used today although the names for the two protocols are often used interchangeably.
Since they are so closely related, the two terms SSL and TLS are often used interchangeably and confused. Some people still use SSL to refer to TLS, others use the term ‘SSL/TLS encryption’ because SSL still has so much name recognition.
SSL works by encrypting information that travels from a web browser to the intended server such that anyone who tries to intercept the communications will only get scrambled data that is impossible to interpret or decrypt.
The protocol initiates communication in the authentication phase where the browser and the server, in a process known as a handshake, establishes the identity of the communicating devices. The handshake occurs before any data is sent and once completed no third party is able to intercept the information passed between the devices as it is digitally signed.
How Can You Tell That A Website Uses SSL
In order to ensure that your communications with a server is secured by SSL, you will notice several things in your browser.
The first is that the address has HTTPS instead of just HTTP. A web address that is not secured by SSL will be of the form "http://example.com" whilst a secure site address will appear as "https://example.com".
You should also look for a closed padlock icon in the address bar, sometimes followed by the words "Secure". If the site is not secure the closed padlock will be absent and an icon with the words "Unsecure" may be present.
By clicking the icon in the address bar you can get more information about the website and its security.
Please note that even though a web address might be given with an HTTP prefix, the server will redirect it to HTTPS if the site is secure. Whether a web address has the HTTPS prefix or not is not normally shown by the browser, you must double-click in the address bar to show the prefix.
How Do You Get SSL For Your Site
As of April 2016, you can get a free SSL certificate from Let's Encrypt which has to be, often automatically, renewed every 3 months. Before that, getting and maintaining an SSL certificate was very expensive. There are other organizations offering free SSL certificates but Let's Encrypt is the most popular.
You can still get an SSL certificate that you pay for. If there is a free SSL certificate, why would you want to pay for one? The answer is that with paid certificates you have better liability protection in the event that your site security is breached. This means that in the event of a data breach, you are insured based on your warranty level.
Why No Longer An Option
The obvious reason why a website should set up SSL is that you want to provide a secure environment in which you interact with website visitors. You want to provide an environment in which your visitors can be rest assured that the information they share with the website is secure.
Another reason is that browsers will display your website to be insecure if it does not have SSL. This is just in bad form. It means that visitors to your website will be shown that it is insecure and most will go running when they see this and you will lose out on visitors.
A website that is displayed as insecure in the browser is unprofessional and bad for business. When visitors come to your website, they need to be assured that they are in a secure environment and having SSL goes a long way to ensuring this.
Furthermore, not having SSL is bad for Search Engine Optimization. Google and other search engines will rank an SSL enabled site higher than a site without SSL even if the two sites may rank the same without considering SSL.
By all means, having SSL should not be an option for a website. It makes communications secure, promotes trust with users and you can get it free hence there should be no excuse why a website should not implement SSL.