SSL should be a minimum requirement for any cyber security strategy
SSL isn’t just a smart decision when you’re beginning to come up with a cyber security strategy for your website—it’s actually a requirement.
That’s right, before we get into the actual merits of having encryption, we’ll start with the fact that in 2017 SSL will actually become a requirement for all websites.
You see, the browser community is situated perfectly within the burgeoning internet market to implement changes that affect the entire industry. Think about it, you can’t navigate the worldwide web without browsers—they are an integral part of the internet ecosystem.
And the browser community is acutely aware of this, which is why it will occasionally act in unison to push a certain initiative. For instance, it’s now decided to make encryption a baseline security standard.
Up to this point the browsers have done this in subtle ways. Rather than force anyone to do anything, they have rewarded sites that implement SSL with advanced browser features, SEO ranking boosts and access to HTTP/2. In 2017, the browsers will stop being so polite. From now on, they will actively mark any site without encryption as “Not Secure.”
And that will seem subtle by the middle of 2017 when the browsers start implementing intrusive warnings about unencrypted sites that will actively deter users from visiting them. Sure, Google and Mozilla aren’t putting a gun to anyone’s head to force them to encrypt—they’re just threatening to put those sites out of business. Imagine what negative visual indicators and obstructive browser warnings are going to do to those sites’ traffic—and by extension their conversion rates.
So, even without officially coming out and mandating it, SSL is now a de facto requirement.
But even if you don’t like having your arm twisted – who does? – there are still plenty of good reasons you should already be using encryption despite what the browsers say.
Let’s take a look at what encryption is and what it does, then answer why you need it.
What is Encryption?
Encryption is a process wherein, using PKI and the SSL/TLS protocol, communication is encoded in such a way that only an authorized party can decode it.
The reason this is necessary stems from the way the internet was initially built using the HTTP protocol. HTTP, or Hypertext Transfer Protocol, is about as old as the internet. It’s the communication protocol that allows web servers and web browsers to communicate and display information in the intended way. When you visit a site, it doesn’t exist the way it looks in your browser. Rather, it exists as a bunch of code that is sent to your browser and then arranged visually as the designer intended.
The problem with HTTP is that it’s not secure. So anyone who knows how (a group that includes hackers and cybercriminals) can essentially spy on any HTTP connection on the internet. In layman’s terms, that means that over HTTP a third party can readily read and manipulate the communication between clients and servers.
It doesn’t take a rocket scientist to figure out why that’s not a great setup.
Encryption takes care of this by serving websites over HTTPS, the secure version of HTTP. Connections over HTTPS are encrypted, meaning the communication exchanged over them is secure. This prevents spying by third parties. If you’re doing business online, meaning you’re taking personal or financial data from customers, you obviously NEED encryption or else you’re putting your customers at risk.
How Does Encryption Work?
We will spare you the really technical details and instead just give you a cursory explanation of how encryption works. It starts when a browser reaches a website with an SSL Certificate installed.
The browser and the web server then proceed with what is called an SSL Handshake. In the early stages the browser is verifying that the certificate is legitimate—meaning that it was issued by a trusted Certificate Authority, that it’s still valid and that it belongs to the site it’s being displayed on.
After the browser verifies that the certificate is legitimate, it negotiates the terms of an encrypted connection with the web server.
Now, there are two key pairs that come up when you talk about encryption. The first is an asymmetric key pair: the public and private key. These aren’t the keys that actually handle the bulk of the encryption; rather, they’re for authentication. When the browser is testing the legitimacy of the SSL Certificate, one of the things it does is check to make sure that the SSL Certificate in question is the rightful owner of the public key. It does this by using the public key to encrypt a small throwaway packet of information. If the server can then use the corresponding private key to decrypt that information and send it back, then it has proven that it is the rightful owner of the public key and everything checks out.
If not, the certificate is considered “not trusted.”
The other key pair is symmetric, the “Session keys.” These keys are created after the legitimacy of the SSL Certificate has been established and the terms of encryption have been negotiated. Whereas a public key can only encrypt and a private key can only decrypt, session keys can perform both functions.
Session keys are actually smaller, and by extension less secure, than their asymmetric counterparts, but for the encrypted connection they will be facilitating, they are still plenty strong enough.
The browser and server will use the session keys to communicate for the rest of the visit. When the visit ends, the session keys are discarded, and new session keys are generated the next time the browser visits.
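As an added example (not code from the original article), here is what the “still valid” and “belongs to the site” checks from the handshake description look like in Python, using the certificate dict layout that the standard-library ssl module returns from getpeercert(). The sample certificate and the hostnames under the reserved .test domain are constructed; the third check, “issued by a trusted Certificate Authority,” is delegated to ssl.create_default_context() in the live helper, which validates the chain against the operating system’s trust store.

```python
import ssl
import socket
import time

# Constructed sample in the dict layout returned by ssl.SSLSocket.getpeercert()
# (hypothetical names under the reserved .test TLD, not a real site)
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "notBefore": "Jan  1 00:00:00 2017 GMT",
    "notAfter": "Dec 31 23:59:59 2017 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.shop.example.test")),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN entry; a wildcard covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".shop.example.test"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def check_certificate(cert: dict, hostname: str, now: float) -> list:
    """Return the problems a browser would flag; [] means the certificate
    is currently valid and belongs to `hostname` (SAN entries only)."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not_yet_valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(dns_name_matches(n, hostname) for n in dns_names):
        problems.append("hostname_mismatch")
    return problems


def audit_live_site(hostname: str, port: int = 443, timeout: float = 5.0) -> list:
    """Connect to a real server. create_default_context() performs the
    trusted-CA chain check and raises ssl.SSLError if it fails; the
    validity and hostname checks above are then re-run on the peer cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return check_certificate(tls.getpeercert(), hostname, time.time())
```

Browsers apply the same three tests before negotiating the session keys; a non-empty result from check_certificate is the kind of failure that produces the “not trusted” outcome described above.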
Why Do I Need Encryption?
In the past it was widely assumed that only websites that deal in personal information need encryption.
This is false.
On top of now being required, even small websites that don’t collect any information should be encrypted. Why? Well, beyond basic good security practices, there’s the tiny detail of your back-end access. You see, even if your visitors don’t sign into your site—you still do. You likely have a control panel or some kind of back end login that allows you to make changes on your website. Shouldn’t this be secured? Otherwise, anyone can easily steal your credentials and mess with your website.
Sure, maybe the worst anyone would do is sneak on and load a picture of a phallus on your homepage. But still, a little security could have prevented this. Why let it happen?
Beyond that, any business or organization that owns a website should have encryption for both security and to authenticate itself as a legitimate company. After all, in an upcoming era where every site has encryption, it will be more important than ever to stand out.
Look, SSL is relatively inexpensive and it goes a long way towards protecting your website and your customers. It builds trust. It can even increase conversions.
The internet can be a treacherous place; SSL Encryption makes it a little safer.
There’s just no way around it. You need encryption.