Website Security – SSL Is Not Enough

Article Header Image

The Need for Common-Sense Website Security

If everything we knew about hackers, ransomware, identity theft, and website security was limited to reports from the major media, no one would ever build a website again. Yes, the internet landscape has its dangers. But the truth of the matter is that the real risk to the vast majority of the websites out there is that they have not been well-maintained, are out of date, or have not implemented basic security measures.

Let’s be clear – if a professional, high-level hacker or foreign intelligence organization is trying to break into your website or server and access your data, protecting against that kind of potential threat takes a great deal of sophistication. We’ve successfully set up highly secure sites for larger enterprises and we know what it takes. But high-level hackers are the rarity, and they tend to target major institutions.

The risk to the overwhelming majority of small-to-medium sized business websites is that resources are allocated to creating and maintaining design, content, and SEO, while much less effort is dedicated to creating and maintaining website security over time. Operating systems, CMS platforms, add-ons and plugins, and firewall rules are left unpatched and without updates.

Website Security Protects Everyone

Another problem is that many companies perceive website security as a form of self-protection. Certainly, if your website is down or compromised it can hurt your business and expose your company data. But we think that everyone should think of website security as something more than that.

Companies spend a lot of money and time on marketing and SEO to invite customers to visit their websites. To be effective, that visit needs to be a trusted, secure interaction between you and your customer. Taking basic security precautions protects you and your customer by making sure that no one is listening in or interfering with that interaction.

In the world of website development and security, SSL (Secure Socket Layer) has been getting a lot of attention this year. And with good reason. Not only is the internet threat environment as risky as ever, but the major browser and search engine companies have been taking active and dramatic steps to push everyone into better security protocols.

Website owners and companies that have been security complacent for years have been pushed into implementing more and better SSL solutions by the big tech giants. When big companies use their market power to stifle competition or monopolize pricing, that’s a bad thing. But when they are forcing other companies to make the internet a safer place, that’s not so bad.

What is SSL

SSL is a secure, two-way encryption method that ensures that the two parties – the site visitor and the website itself – are the only ones participating in the conversation. The privacy of this conversation is ensured by a trusted, neutral third party – the Certificate Authority (CA).

The website owner acquires an SSL certificate from the CA. When a site visitor arrives at the site, a verification request is made to the CA as well. The CA sends a confirmation of that signal at the same time, verifying that the certificate presented by that website is valid. The visitor’s browser and the website then share a special encryption key with each other so that the data bits flying back and forth between them cannot be read by anyone else.

This is especially important when users are entering passwords or personal information on a site. It is those bits of data containing sensitive information that the bad-guys of the internet want to get their hands on.

Implementing SSL is easier and less expensive than ever before. There are even new, community-support projects offering SSL certificates at little or no cost – we even wrote about one of those in our last blog post. Surprisingly, the majority of websites still have not implemented this most basic security measure. Many more have not fully implemented SSL, or have done so improperly. Proper SSL implementation is the starting point best practice of website security, but it is not enough.

Why SSL Is Not Enough

Unfortunately, all of the attention on SSL has started to create the false impression that simple implementing SSL makes a site safe. After all, when SSL is implemented, a browser indicates that the site is safe by making a small lock icon appear near the URL, turning the URL green, and adding an “s” to the “https” part of the URL. So everything must be good, right?

Not really. SSL is great, but it is simply not enough. The interception the data packets flowing between visitor and website is only one way internet criminals gain access to sensitive information.

If SSL has not been properly implemented, some content on a site may NOT covered by the encryption expected. So even though the browser is indicating a secure connection, some of the interactions may not be secure or encrypted at all. There are also potential exploits that can endanger this data exchange. Examples include:

  • MIME mis-matches
  • Cross-site Scripting
  • Clickjacking

All of these are well-known methods used by internet bad-actors to extract information being exchanged between websites and users. But all of these can be effectively defended against using a relatively simple website security best practices.

SSL and Website Security Best Practices

At IowaComputerGurus, we strongly agree that website security is one of the most important priorities of the day. We have created a special white paper to help website owners, administrators, and other developers understand website security best practices. You can find this free white paper – “SSL Implementation and Website Security Best Practices” – on our White Paper Resources page:

If you have questions about any aspect of website security, want specific recommendations to implement SSL and security best practices on a website, or need assistance with implementation, contact us and we’ll be happy to help.