Website Security – Why You Should Add SSL To Everything

12 Jan

So, I have a bit of an interest in computers and security. Also, as some of you may know, I work for a large global payment card brand and have been involved in security and encryption as part of the roles I’ve played. I’m writing this item for the webmasters and those involved with car show and car club websites, and the need to revisit the security you use and the use of Secure Socket Layer (SSL)/Transport Layer Security (TLS) encryption and certificates on your websites. This is intended to be a more detailed version of an article that will be published in a future edition of The MG Driver magazine covering website security and SSL.

To get past the TL;DR (Too Long, Didn’t Read) factor here’s the quick scoop:

You need to implement SSL certificates on your website(s) to enable encryption and validation of sessions between your users/visitors and your website.

You need to do this:
(1) to protect the private information of your users/members (i.e. their name, address, phone number, their car details, etc.),
(2) to give your users increased security and confidence that they are connected to your real site and not a fake, and
(3) because if you don’t, Google is going to shame you into doing it by using “in your users’ faces” flagging of sites not using SSL as “Not Secure” in red text with a warning symbol, making people not want to use your site.

So, there’s the speed-read version. Here’s a little more detail.

Data Protection

As I look at various club sites and event sites, I have noticed that many seem quite happy to collect all the contact information, like name, address, phone and email, via the website using non-secure http pages. That data is transmitted in the clear, unencrypted, between the user’s browser and the site, and then there’s a redirect, usually to PayPal, which is secure, for the payment transaction. I’d suggest that you really should be protecting all the contact info and doing that via SSL as well. There seems to be a view that unless it’s payment info, SSL encryption is not needed. In this day and age of hacks, surveillance and government snooping, do you really want your users’ data moving around the web for all to see, like it would be on a postcard sent via the regular mail?

So, for me data protection is just one reason that SSL should be implemented, and this applies to things like your contact forms and registration forms. If you have sites that allow login creation/registration and then a subsequent login page, and these are also not protected with SSL, then I’d suggest an urgent rethink of that as well. Do you really want user IDs and passwords being created/used/transmitted unprotected? Would you accept that from an online store, or even, say, your library account? Probably not. So for me data protection is one aspect, and rather than adding SSL to some pages, you may as well make your entire site use SSL, with all pages delivered over https connections.

Site Integrity

This is another simple reason for adding SSL, and it is the best thing we have to let your users know they are really on your site and not a fake site. Sure, the potential of someone creating a fake car club or car show website is a lot smaller than the daily attempts I see to get me to log in to fake PayPal and banking sites, but it is still there. By setting up your site with SSL you remove that potential and give your users some reassurance, with the green padlock symbol, that they are where they thought they would be.

That is one of the reasons we implemented EV (Extended Validation) SSL on the main NAMGBR site, https://namgbr.org. An EV SSL certificate absolutely ensures that a so-called Man-in-The-Middle (MiTM) attack cannot happen: if you see the green “North American MGB Register” label in front of the website page URL, then you know with certainty you are connected to the NAMGBR site. Not even the corporate network proxy SSL servers, which are set up to allow the company to monitor, say, personal email or social networking sites when you’re at work using the work network and which “bridge” SSL connections, can get around the EV SSL security. Now, EV SSL is neither free nor simple to get; however, it was implemented on NAMGBR’s main site given the volume and value of renewals and regalia sales done on the site. It’s a good security investment for us.

[Image: NAMGBR EV SSL] The NAMGBR EV SSL validation information shown in Chrome, Firefox and IE 11 (top to bottom)

Google Is Going To Shame You Into Doing It

Google announced some time ago that they would start to use whether or not a site is SSL protected as a factor in their search engine ranking. It is a small part currently, but it is likely to take on more significance over time.

After various revelations of state hacking and monitoring, many companies have moved quickly to add encryption to just about everything they can. Google has defined a roadmap for their Chrome browser to get increasingly aggressive in flagging insecure, non-SSL/https sites; see their blog post.

[Image: Non-SSL Chrome] The eventual way Chrome will flag all non-SSL pages

Eventually, any site that doesn’t use SSL is going to see a red warning sign and “Not Secure” in red text right in front of the URL/web address, as shown in the image. That is not likely to inspire confidence in your website in general day-to-day use, and certainly not on pages where users are entering their contact information or, heaven forbid, a user name and password.

Other browsers are also looking at this, although I have not seen anything as aggressive as Google’s approach with Chrome. The image used is taken from the Google blog I have referenced above, and I am pretty sure no one will want to see that symbol and “Not Secure” in front of their domain name.

This Is Hard & Expensive, Isn’t It? Not Necessarily.

It’s true that getting an SSL certificate working on a website used to be not a lot of fun for the typical car enthusiast who does some PC and web stuff as a hobby, to get away from cross-threaded bolts or from dealing with rust, one of the strongest bonding agents known to man.

[Image: MG 2017 Let's Encrypt] MG 2017 SSL certificate details, issued by Let’s Encrypt

However, things have been changing, and one of the biggest drivers of change has been the Let’s Encrypt initiative and its backers. Their goal was to make it possible for everything to be encrypted and for every site to have an SSL certificate; they have created tools and resources to do just that, and the certificates are free! We’re using a webhost that supports the use of Let’s Encrypt SSL certificates for the MG 2017 and subsequent MG 2018 annual convention websites.

So, in conclusion, there are many reasons to take a look at this. Since I have been following this since doing the MG 2014 annual convention website, I have been lucky to be aware of the changes and options. It’s actually easier, once you have SSL, to make the entire site use SSL than to bounce back and forth, and with Google search ranking becoming a factor it made the decision simple. There’s no doubt work to be done, and even with an SSL certificate you will have to do a lot of work on an existing site to get all the content secure, but it will be worth it in the end. Simon.
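The “work on an existing site to get all the content secure” mentioned above is mostly hunting down images, scripts, stylesheets and form actions that still point at plain http://, which browsers flag or block as mixed content once the page is served over https. As an added illustration (not code from the original post), here is a small offline scanner that finds those references in a page; the sample HTML and the example.test hostnames are constructed for the demonstration.

```python
"""Offline mixed-content check for a site moving to HTTPS (added example,
not code from the original post; it works on a constructed sample page)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that load a sub-resource or submit form data; an explicit
# http:// value in any of them is flagged or blocked by browsers once the
# page itself is served over https.
RESOURCE_ATTRS = {
    "img": "src", "script": "src", "link": "href", "iframe": "src",
    "form": "action", "video": "src", "audio": "src", "source": "src",
}


class MixedContentScanner(HTMLParser):
    """Collects (tag, url) pairs whose URL uses the plain http scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        # Relative URLs inherit the page's scheme and https:// is already
        # protected, so only an explicit http:// scheme is insecure.
        if url and urlparse(url).scheme == "http":
            self.findings.append((tag, url))


def find_mixed_content(html):
    """Return [(tag, url), ...] for every insecure reference in `html`."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample resembling a club registration page mid-migration.
SAMPLE_PAGE = """<html><body>
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example.test/lib.js"></script>
<img src="http://www.example.test/images/mgb.jpg">
<form action="http://www.example.test/register.php" method="post">
  <input name="email"></form>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"insecure {tag}: {url}")  # the img and the form action
```

Plain `<a href="http://...">` links are deliberately not reported: they are navigation, not content loaded into the secure page, though a site-wide https move should update them too.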

Resources

Web hosting services that support Let’s Encrypt

Information about Man-in-The-Middle Attacks and EV SSL – article by Eric Diehl

Myth busting video from Google about the impacts of adding SSL

HTTP to HTTPS: An SEO’s guide to securing a website – a useful overview