Would you leave your window open at night if you knew there were intruders lurking about? Obviously the answer to this question is ‘no’. Many companies and individuals leave their virtual window open to cyber criminals by not adequately protecting their websites. Website security is an extremely important topic. Only by regularly carrying out security checks and following the proper precautions...
Around the world, data espionage is a serious problem for both international authorities and consumers. Internet security is occupying an increasingly central role for both businesses and individuals. Without a doubt, the Information Age has substantially affected the way we interact with one another on both a private and professional basis. In-house communication, customer data, and other sensitive information make up some of the most vital nuts and bolts of this infrastructure, and protocols like SSL and HTTPS are vital for ensuring their secure management. But what exactly do these terms mean and how does one go about implementing security protocols for a web presence?
What is SSL?
The term SSL (short for ‘secure sockets layer’) describes a technique for encrypting and authenticating data traffic on the internet. With regard to websites, it secures the transfer between the browser and the web server. Especially when it comes to e-commerce, where confidential and sensitive information is routinely transferred between different parties, using an SSL or TLS (‘transport layer security’) certificate is simply unavoidable.
Here are some examples of types of sensitive data that should be protected with SSL encryption:
- Registration data: names, addresses, e-mail addresses, telephone numbers
- Login data: e-mail addresses and passwords
- Payment information: credit card numbers, bank details
- Data entry forms
- Customer documents
Using SSL helps keep communication safe from those looking to snoop into or manipulate personal data.
What is HTTPS?
HTTPS (‘hypertext transfer protocol secure’) is the protocol used for secure data transfer, whereas HTTP refers to the non-secured variant. With HTTP websites, all transferred data can potentially be read or changed by attackers, and users can never really be certain whether their credit card data has been sent to the intended online vendor or a hacker. HTTPS sends HTTP data over an SSL or TLS connection, which encrypts it and verifies the authenticity of the server being requested. This process relies on the SSL certificate, also called a TLS certificate when it is used with the more sophisticated TLS protocol. Most experts agree that TLS should be used in place of SSL.
The advantages of using SSL/TLS and HTTPS at a glance:
Converting websites to SSL and HTTPS
Developers have the option of configuring SSL encryption for newly developed websites, and there are also options available for changing older pages to HTTPS. The first step involves acquiring the SSL certificate for the corresponding domain.
Obtaining the SSL certificate
An SSL certificate is a kind of website ID obtained through an official certification authority, or CA. The CA’s responsibilities include confirming the certificate holder’s identity as well as vouching for the certificate’s authenticity. SSL certificates are stored on the server and presented whenever a website is visited over HTTPS. There are different kinds of server certificates that vary in their level of identification:
- Certificates verified by domain validation (DV):
These certificates have the lowest authentication level. For this measure, the CA only checks whether the applicant owns the domain for which the certificate is to be issued. Company information is not checked during this process, which is why some residual risk remains with domain validations. Because there is only one factor that needs to be verified, these certificates are normally set up quickly by the CA, making this the least expensive of the three SSL certificate types.
Certificates with domain validations are best suited to websites that rely less on their security reputations and are known for being free of fraudsters or phishing schemers.
- Certificates verified by organization validation (OV):
This kind of validation provides more comprehensive authentication. In addition to domain ownership, the CA examines relevant information, such as company filings. Information that has been vetted by the CA is accessible to website visitors, which boosts the site’s transparency. The somewhat demanding nature of this certificate means that it can take longer and be more expensive to issue this kind of SSL certificate. What users gain, however, is a higher level of security.
This certificate is best suited to websites where low-level security transactions take place.
- Certificates verified by extended validation (EV):
This certificate has the highest and most extensive authentication level. In contrast to certificates verified by organization validation, this process requires company information to be even more thoroughly scrutinized. What’s more, this certificate is only issued by CAs authorized to do so. This exhaustive review of the company achieves the highest security level of any certificate and additionally increases the website’s credibility. As a result, this certificate is also the most cost-intensive of the three.
This certificate is ideal for websites that deal with credit card information or other sensitive data.
In the following infographic you can check which certificate is suitable for your website:
Installation and configuration
The next step is to install the SSL certificate on the server. Hosting providers often take care of this step. The customer area of the provider’s site often allows users to directly apply for the required certificate, which is then added by the provider. As a 1&1 IONOS customer, you can easily add an SSL certificate to your existing webhosting package by following the steps in the control center. For many packages the certificate is also included, and installation varies depending on the provider. Generally, providers or certificate vendors supply the corresponding installation guides. The following points are essential for a seamless installation:
- Correct certificates
- Proper encryption
- Appropriate server configuration
Mistakes and problems when converting
Some mistakes should be avoided when converting a web presence. Heeding this advice can save you the trouble of having to deal with ranking losses or unavailable sites.
Website owners wishing to convert their sites to SSL and HTTPS should therefore pay attention to the following points:
- Avoiding expired certificates: an invalid or expired SSL certificate can lead to warning messages appearing in the browser window. This sends the wrong message to the user and can potentially reduce website traffic.
- Setting up the correct redirect: to avoid duplicate content, the webmaster needs to set up a 301 redirect, for example in the .htaccess file. Doing this keeps search engines from evaluating the HTTP site and the HTTPS site as two different websites and expecting different content from them.
- Aligning advertising accounts (Google AdWords, Bing Ads etc.): embedding unencrypted content (pictures, script, etc.) into an HTTPS site causes a warning message to appear when the user accesses the website, which can unnerve them. This can particularly lead to trouble when placing ads, as most advertisements are dispatched in unencrypted forms, making it all the more important to ensure that your accounts have been properly aligned.
- Converting Webmaster Tools and Google Analytics: in theory, HTTP and the HTTPS version are actually two different websites; this is why the HTTPS variant also needs to be registered in the Webmaster Tool.
- Updating XML Sitemaps: the sitemap also needs to be updated and recorded in the Webmaster Tool.
- Checking external and internal links: Even though 301 redirects may prevent corrupted links, all internal links should still be changed after converting to the HTTPS protocol. Depending on how the content is added to the CMS, carrying out this step manually may be an unavoidable chore. For external links, it’s best to adjust the most important links (e.g. those with significant page authority) to the new HTTPS address.
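The redirect, mixed-content and internal-link points from the list above can be checked mechanically after a conversion. The following is an added example, not code from the original article; the host names `shop.example`, `ads.example.net` and `partner.example.org` and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute loads a subresource (mixed content when it is http://).
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

class MigrationAudit(HTMLParser):
    """Collects http:// subresources and http:// links to the site's own host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.mixed_content = []        # causes browser warnings on an HTTPS page
        self.internal_http_links = []  # work via the 301 but should be rewritten

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(SUBRESOURCE_ATTRS.get(tag, ""), "") or ""
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            url = ""  # e.g. rel="canonical" does not load anything
        if url.lower().startswith("http://"):
            self.mixed_content.append((tag, url))
        href = attrs.get("href") or ""
        if (tag == "a" and href.lower().startswith("http://")
                and urlsplit(href).hostname == self.site_host):
            self.internal_http_links.append(href)

def audit_html(html, site_host):
    """Returns (mixed_content, internal_http_links) for one HTML document."""
    parser = MigrationAudit(site_host)
    parser.feed(html)
    return parser.mixed_content, parser.internal_http_links

def redirect_ok(http_url, status, location):
    """True if the HTTP URL answers with a 301 to the same host and path on HTTPS."""
    src, dst = urlsplit(http_url), urlsplit(location or "")
    return (status == 301 and dst.scheme == "https"
            and dst.hostname == src.hostname and dst.path == src.path)

# Constructed sample page for the hypothetical site shop.example.
SAMPLE = """<head><link rel="stylesheet" href="https://shop.example/site.css">
<script src="http://ads.example.net/banner.js"></script></head><body>
<img src="http://shop.example/logo.png"><img src="/img/cart.png">
<a href="http://shop.example/checkout">Checkout</a>
<a href="http://partner.example.org/">Partner</a></body>"""

if __name__ == "__main__":
    print(audit_html(SAMPLE, "shop.example"))
```

Feed `redirect_ok` the status code and `Location` header that the old HTTP URL returns; a 302, or a redirect that sends every path to the home page, fails the check.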
How are sites inspected for valid certificates?
Websites that are encrypted with a valid SSL certificate can be recognized as such by their URL:
The ‘s’ in the URL’s HTTP protocol stands for ‘secure’ and notifies users that the site is encrypted with an SSL certificate. Depending on the type of the certificate, there are also other visual cues that refer to secure encryptions:
With the free SSL check from 1&1, all it takes is one click and you can check whether your current SSL certificate is correctly installed and your website is protected against attacks.
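What such a check looks at can be reproduced with Python's standard `ssl` module. This is an added example, not the provider's tool or code from the original article; the certificate dictionary is constructed sample data for the hypothetical host `shop.example`, and the DV/OV/EV classification is a heuristic based on which subject fields are present.

```python
import socket
import ssl
import time


def fetch_cert(host, port=443, timeout=5.0):
    """Completes a verified TLS handshake and returns the server certificate as a dict.

    create_default_context() validates the chain against the system trust store and
    checks the host name, so an expired, self-signed or mismatched certificate raises
    ssl.SSLCertVerificationError here, the same condition that makes a browser warn.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(cert, now=None):
    """Whole days left before the certificate's notAfter date (negative if expired)."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - (time.time() if now is None else now)) // 86400)


def validation_hint(cert):
    """Heuristic DV/OV/EV guess from the subject fields the CA vetted."""
    subject = {name: value for rdn in cert.get("subject", ()) for name, value in rdn}
    if "organizationName" not in subject:
        return "DV"  # only the domain name was validated
    # Assumption: EV certificates additionally carry businessCategory in the subject.
    return "EV" if "businessCategory" in subject else "OV"


# Constructed certificate dict in the shape getpeercert() returns (not a real site).
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Shop Inc."),),
                (("commonName", "shop.example"),)),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("May  2 12:00:00 2030 GMT")
    print(days_until_expiry(SAMPLE_CERT, now), validation_hint(SAMPLE_CERT))
```

Running `days_until_expiry(fetch_cert(host))` on a schedule and alerting when the result drops below a chosen threshold catches a certificate before it expires and triggers browser warnings.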
Increased trust with secure business websites
In addition to the abovementioned advantages of SSL encryption, users’ increased trust of a company’s website, and ultimately of the company itself, proves a compelling argument for setting up a secure site.
Jeff Barto, Trust Strategist at Symantec, explains just how important web trust is and what implications it has on users’ increasingly high web security expectations.
Never more has trust been more important on the web in the business-to-business context as well as in a business-consumer context. In the SSL and TLS industry there is an assumption that it's all about encryption and often people forget about the second function of SSL, which is not encryption as much as validation.
What this effectively means is: Am I on the site I think I am, is this the business I expect to be transacting with and effectively am I safe here? This is what really is on consumers' – and everybody's – minds these days. When we stopped working, when we put down our calling cards or badges at the end of the day we are consumers likewise and stop and think about all the different sites that you go to when you do your banking, your e-mails or when you go on a social-media site. There are certain indicators of trustworthiness that you come to expect. That's not much of a surprise, given the environment that's going on in the world.
It seems like there is a breach or a compromise every single day, almost as if every organization out there thinks, not "will I be next", it's "when I'm next?"
That's a sad state for us to be in, but also for us consumers and people who are using the web. It sets up a situation where we have become very wary of the places that we go, but we also thirst and hunger for expressions of trustworthiness, privacy and security. That said, there are some recommendations that any business can take to express that trustworthiness that a customer really is on the site that they think. It's really that business and everything is going to legitimate that transcends the idea of encryption which is just making the information private.
In the following video, Jeff recommends three concrete steps on what companies can do to fulfill users’ rising website security expectations.
There are three recommendations that I’d like to make:
First one is that consumers are used to seeing trust seals. These are the little indicators that you see in the corners of websites, next to a purchase button or at the end of an experience that says, this has been validated to be actually this business, that there are no viruses here or that their privacy standards are up to date.
The second thing that we would like to recommend is the adoption of Extended Validation SSL Certificates (EV Certificate).
Aside from (trust) seals and the Extended Validation SSL Certificate there is a third factor, that is, what we call, Always On SSL. This means the encryption of the entire website. As I said in the beginning, there is more to security and trust than just encryption. There's the validation which works with those other two recommendations I made.
- Integrate trust seals into the website
Trust seals are one of the most common indicators of a site’s credibility. For example, different seals can guarantee data security, secure payment, or confirm that a site is free of malware.
- Add SSL certificates with high security levels
Certificates with a high level of security increase trust and give users a visual cue of a site’s security directly in the browser bar.
- ‘Always on SSL’
SSL encryption should be active on all of a domain’s subpages, not just on the login page or in the shopping cart. Doing this provides better protection to users throughout the entirety of their visit.
HTTPS and SEO
It’s been discussed over the last few years whether or not converting a website to HTTPS has a positive effect on search engine rankings. Google announced in 2014 that it will positively rate sites with a secure connection via HTTPS. Google justified its decision by claiming that it wants to make the internet more secure by prompting website owners to encrypt their sites without exception. According to official statements by the search engine giant, all websites that are not encrypted will be marked with a red ‘X’ in the Chrome browser. To date, HTTP sites have always been shown as white, while HTTPS have been labeled with a green padlock. Following this move, HTTPS is to be standardized for all websites.
Regardless of Google’s plans, using HTTPS sends a message of quality and professionalism to visitors. Internet users are becoming more aware of some of the finer points on the topic of data security, meaning that even laypeople are able to recognize if a site is secure or not.