HTTPS and Website Security

Is your website secure? Most online shoppers today are aware of the importance of safe and secure e-commerce and internet browsing, and they know to look for that easily recognizable address bar padlock and green-shaded address bar signifying HTTPS (Hypertext Transfer Protocol Secure). When browsing the internet, it is comforting to know that data shared while making purchases is encrypted and safe from hackers and others wishing to capture data. So what sites need HTTPS? Websites that run any type of e-commerce and collect personal or financial information absolutely need SSL/TLS encryption.

It all boils down to trust.  Do website visitors trust your site enough to visit it, give you their information and/or place an order? According to a survey conducted by GlobalSign:

  • 75% of website visitors are aware of security risks when visiting a website.
  • 77% of website visitors are concerned that their personal data could be intercepted or misused online.
  • 55% worry about identity theft on the internet.
  • 29% of customers look for the green bar before making a purchase or releasing sensitive information.

Using HTTPS and either an SSL or TLS certificate with its lock icon or green bar increases the chance that a website visitor will trust your business. And increased trust leads to increased leads and sales.

There are two types of encrypted HTTPS used today — SSL and TLS. Many times they are both referred to as SSL, but there are differences between the two.

What is SSL?

Secure Sockets Layer, one of the most common security protocols today, allows website owners to encrypt sensitive information like credit card numbers, passwords and personal identifying information when it is sent from a site visitor’s computer to the business owner’s server. SSL is necessary because information sent from computer to computer is usually in a format that anyone can see and understand. But with SSL, that information is sent in a way that only the intended recipient can access. Sending information without SSL is like walking down a busy street wearing a t-shirt with your credit card number printed on it, or mailing a letter with your bank account number written on the outside of the envelope, along with your name, address and birthdate. If that information was public, anyone could do whatever they wanted with it! But SSL makes it so that personal information isn’t “readable” by anyone other than the intended recipient. This protects online customers from hackers and identity thieves.

What is TLS?

Transport Layer Security, like SSL, provides secure communications for email, data transfers and other sensitive information. TLS will be the successor of SSL. This is because the Payment Card Industry (PCI) Security Standards Council has mandated the migration from SSL to TLS for sites to be completed by June 30, 2018. There are minor differences between SSL 3.0 and TLS 1.0, but the protocol remains similar. The protocol allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged. In a typical scenario, only the server is authenticated and its identity is ensured while the client remains unauthenticated. The mutual authentication of the servers requires public key deployment to clients. When a server and client communicate, the TLS protocol ensures that third parties cannot eavesdrop, tamper with any message or forge a message.

Does my company need HTTPS?

Companies with any type of e-commerce that collect private data, including credit card information, need HTTPS. Customers expect companies to protect their personal information (especially since big fiascos like Target). In fact, your business’ reputation counts on you taking the necessary steps to ensure a safe online transaction with your customers.

Websites that include a login form should also have HTTPS, for two main reasons. First, a hacker could steal the login information and impersonate a site visitor, but more importantly, potentially gain access to your visitors’ logins for other sites, since many people use the same usernames and passwords on multiple sites.

Social media sites also often make use of HTTPS to protect the information shared by users on those sites.

In addition to protecting sensitive information, SSL/TLS certificates increase your Google rankings, build customer trust and improve conversion rates.

What is an SSL/TLS Certificate?

SSL/TLS Certificates are data files that, once downloaded and properly configured on a web server, will initiate secure connections between website visitors and the site. Here is where it gets a little complicated. In addition to encrypting information, a proper certificate provides authentication, ensuring that the information gets delivered to the right server and not a hacker’s server. SSL/TLS connections are set up using two pieces of data: a public key and a private key. The public key allows anyone to send information, but it can only be opened with the private key. The public key identifies the server and the owner of the certificate (the business/organization name and location).

What is a Certificate Authority?

Certificate Authorities issue SSL/TLS certificates to companies that have gone through verification checks. Certificate Authorities are trusted providers that issue digital certificates to organizations and individuals. The certificate authority verifies an organization’s credentials, certifies that they are who they claim to be, and will sign its public key. These providers are third-party audited and verified by web browser manufacturers, who are essentially letting web users browse safely, knowing that the certificate authority has properly checked out the organization. Each certificate authority offers its own products, prices, features, etc. There are different types of certificates with varying features and levels of assurance, requiring different levels of validation. Shared certificates are available for sites that need a relatively low level of security; however, those do not provide as much assurance to visitors because they will not include your business name and may display a warning to visitors.

Is it REALLY secure?

Could all of this be futile, since we now know that SSL can be cracked, following the 2013 Edward Snowden disclosure that the U.S. National Security Agency had secretly developed the ability to break or circumvent Internet encryption and has done so? No. We have learned that SSL encryption works, and is really important for protecting consumers. Guidance, recommendations and processes around certificates and encryption have improved, helping to reduce the likelihood and impact of a compromise of consumer data. It’s your best defense against criminals. With more and more sites starting to move to TLS, security is even better.

How does having HTTPS improve Google rankings?

On April 1, 2011 (no fooling), Google announced that they would start to crawl, index and store data about SSL certificates they found on the web. Three years later on June 16, 2014, Google called for HTTPS Everywhere. Following that on August 6, 2014, Google announced that HTTPS would be a ranking factor in search engine results. Having HTTPS will give your site a small ranking benefit or boost. Currently, this is a small boost as it carries much less weight than other signals such as high-quality content. However, Google alludes to the fact that they might decide to increase the strength of this signal in the future to keep everyone safe on the web. Google updated Google Webmaster Tools to better handle HTTPS for sites and reporting on HTTPS. Make sure that your move from HTTP to HTTPS is implemented correctly. Avoid the noindex robots meta tag and allow pages to be indexed by the search engines when possible.
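One way to check a migrated page for the two points above, as an added example rather than code from this article: it assumes a correct move means each http:// URL answers with a permanent redirect (301 or 308) to the same host over https://, and it also looks at the `X-Robots-Tag` response header, which can carry noindex just like the meta tag. The response dictionaries, the `audit_migration` name and the `shop.example` host are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class RobotsMeta(HTMLParser):
    """Collects the directives of every <meta name="robots"> tag."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "robots":
            self.directives += [d.strip().lower() for d in a.get("content", "").split(",")]


def audit_migration(http_resp, https_resp):
    """Findings for one page fetched over http:// and https://.

    Each response is a dict with url, status, headers, body (assumed shape).
    """
    findings = []
    location = {k.lower(): v for k, v in http_resp["headers"].items()}.get("location", "")
    source, target = urlsplit(http_resp["url"]), urlsplit(location)
    if http_resp["status"] not in (301, 308):
        findings.append("http URL does not answer with a permanent redirect")
    elif target.scheme != "https" or target.hostname != source.hostname:
        findings.append("redirect does not lead to https on the same host")

    parser = RobotsMeta()
    parser.feed(https_resp["body"])
    x_robots = {k.lower(): v for k, v in https_resp["headers"].items()}.get("x-robots-tag", "")
    if "noindex" in parser.directives or "noindex" in x_robots.lower():
        findings.append("https page is marked noindex")
    return findings


# Constructed sample responses (not captured from a real site).
HTTP_OK = {"url": "http://shop.example/cart", "status": 301,
           "headers": {"Location": "https://shop.example/cart"}, "body": ""}
HTTP_BAD = {"url": "http://shop.example/cart", "status": 302,
            "headers": {"Location": "/cart"}, "body": ""}
HTTPS_OK = {"url": "https://shop.example/cart", "status": 200, "headers": {},
            "body": '<head><meta name="robots" content="index, follow"></head>'}
HTTPS_BAD = {"url": "https://shop.example/cart", "status": 200, "headers": {},
             "body": '<head><meta name="ROBOTS" content="NoIndex, follow"></head>'}

if __name__ == "__main__":
    print(audit_migration(HTTP_OK, HTTPS_OK))
    print(audit_migration(HTTP_BAD, HTTPS_BAD))
```

An empty list means the page passed both checks; a relative `Location` such as `/cart` is reported because it keeps the visitor on http://.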

Do you have questions about HTTPS, SSL or TLS? Does your company’s website need to be secure? We install HTTPS on just about every site we build today; so contact mRELEVANCE to learn more about whether or not you need it, what type of certificate you need and more.