Inspiring Awesome Security Confidence, A Series Starting With HTTPS
In the Internet Age, it seems like every second a new website is being created. Tools like Squarespace, Wix, Weebly, Shopify, WordPress and so many more make it easier every day to get a full website and e-commerce shop up and running, yet security is often missing from many of those websites. That is why we are starting a series of articles to discuss website security. Through the series, we will touch on what to look for when visiting websites, how to harden your store, and how to apply safe practices on your own site! Follow along to learn more about HTTPS, HSTS, CORS, HTTP headers more generally, and other practices.
Here, we are going to cover the bare minimum your website should have: a valid, securely configured SSL certificate!
What is an SSL Certificate?
In short, a Secure Sockets Layer (SSL) Certificate is a way to have an independent third party verify your web address. Above all, this verification is what makes an encrypted communication channel available. The SSL Certificate on its own does not do much, but it is an important step in verification. Having this certificate allows your web server to communicate with your website visitors securely. This process is now largely independent of your host’s software and of the software your visitors are browsing with. In order to have the ‘S’ in ‘HTTPS’ in the website’s URL, the web server must have this certificate installed correctly!
Ok, but what does this “HTTPS” actually DO for me that implements “security”?
Great question! Without going into extreme detail, in short: communication encryption to prevent a packet sniffing attack. To expand, when someone visits your website, a request is sent. That request comes from the user’s IP address, attempting to reach your website’s IP. This much is a VERY public request. That is to say, the Internet Service Provider and any middle-man that delivers this request can see it. This also includes any wireless router you connect to. Surprisingly, this even applies to the person sitting in the coffee shop on free wifi with a packet sniffer (this is illegal*). Companies have been shown to employ shady practices with data you pay them to deliver (this is legal?*). *note: I am not a lawyer.
To complete a full request, many “packets” travel between user and website. If not on HTTPS, you can assume all the middle-men to your request can read the contents of these packets. It might even be safe to assume all middle-men attempt to read all packets. Within these packets is the communication content: form submissions (and the data they carry), data used to generate web pages and prepopulate forms, and so much more! When you have HTTPS active, these packets seem to become amorphous blobs to these middle-men. The only thing they will be able to see is that Person A with IP X.X.X.X is communicating with www.theritesites.com.
Back to my amorphous blob comment: I actually mean the contents are encrypted. Encryption takes in data and, through complex math/functions, changes the data. Then, on the receiving end, the inverse function is used to make the data readable again, losslessly. Think of it like a secret decoder ring in a cereal box! No reading this ultra secret message without our AWESOME DECODER RING! Your website/server has a series of steps it performs when a user first connects. This includes a long and complex “handshake” — a special handshake of sorts! One where the user and the website agree on a unique way of encrypting the data between them!
Into the Weeds – SSL & TLS
SSL is the original terminology for HTTPS. But since technology is always rapidly advancing, we have since gone through several successor versions of SSL. These newer versions are called TLS, or Transport Layer Security! SSL had common versions 1.0, 2.0, 3.0, and TLS has 1.0, 1.1, 1.2, and now, 1.3. The current protocols used to encrypt all website data are SSL and TLS. Colloquially, we still say SSL, paying homage to the creators of SSL at Netscape.
For a more detailed and deep dive into how TLS encrypts your data, check out our article on TLS Encryption!
What Does an SSL Certificate Get You?
For starters, with a valid SSL Certificate correctly configured on your host server, you now get the “Padlock” next to your URL in browsers! This lets your visitors know they are communicating securely. These secure channels are even more important if you are running an online store. Building trust with customers is an important step in the selling process.
Without trust and security, you may have a hard time finding users willing to share their personal information. An HTTP website should never expect credit card information through a form or otherwise. Acquiring an SSL Cert is one of the easiest steps a site owner can take to help secure their whole website. If a website is without one, that doesn’t inspire confidence that the owners have taken any additional and more complex steps to secure their website. The case is so clear-cut that payment processors won’t even let you take payment until you have a verified HTTPS URL.
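As an added check written for this article (example code, not the site’s or any host’s own tooling), the function below scores a certificate the way the sections above describe: not expired, actually issued for the hostname the visitor typed, and negotiated over TLS 1.2 or 1.3 rather than SSL or early TLS. The certificate dictionary, hostname and clock are constructed samples in the shape Python’s ssl.getpeercert() returns; check_live() runs the same assessment against a real server and needs network access.

```python
import socket
import ssl
import time

# Protocol versions the article treats as current; SSL 2.0/3.0 and TLS 1.0/1.1 are flagged.
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "www.theritesites.com"), ("DNS", "theritesites.com")),
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")  # fixed clock, reproducible offline

def name_matches(pattern: str, hostname: str) -> bool:
    """Simplified subjectAltName match: exact name, or one wildcard for the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        # '*.theritesites.com' covers 'www.theritesites.com' but not 'a.b.theritesites.com'.
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return False

def assess(cert: dict, negotiated_version: str, hostname: str, now: float) -> list:
    """Return the list of problems found; an empty list means the bare-minimum bar is met."""
    problems = []
    # notAfter is the 'Mon DD HH:MM:SS YYYY GMT' string getpeercert() reports.
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        problems.append("certificate has expired")
    # The certificate must be issued for the name the visitor typed, not just any name.
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(name, hostname) for name in dns_names):
        problems.append(f"certificate is not issued for {hostname}")
    # A valid certificate served over an obsolete protocol still fails the check.
    if negotiated_version not in ACCEPTED_VERSIONS:
        problems.append(f"negotiated {negotiated_version}; only TLS 1.2 or 1.3 is acceptable")
    return problems

def check_live(hostname: str, port: int = 443) -> list:
    """Perform the real handshake against a server (needs network) and assess the result."""
    ctx = ssl.create_default_context()  # platform trust store, hostname checking enabled
    try:
        with socket.create_connection((hostname, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return assess(tls.getpeercert(), tls.version(), hostname, time.time())
    except ssl.SSLCertVerificationError as exc:
        # Untrusted, expired or mismatched certificates are rejected before assess() runs.
        return [f"certificate verification failed: {exc}"]
```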
What is the availability of HTTPS?
SSL Certificates are becoming cheaper and easier to get as time goes on. Any website host worth their salt is going to supply you with either an SSL Certificate fully configured, or detailed documentation on how to get the certificate configured on the server. If your host offers neither of these, and HTTPS does not work for your website, run, don’t walk, away. If HTTPS is unavailable on your host, I would highly recommend moving to a new host.
HTTPS is such an important aspect of website browsing now that Google actually (partially) determines your search ranking based on whether your website has SSL. Honestly at this point, there is no reason for any website, e-commerce or not, to not have HTTPS enabled everywhere on the website. From all the free services for SSL Certificates, to how much of our lives we individually spend online, we need to start taking security more seriously.
I have a Certificate! Is my website secure?
Realistically, the main point I would like to get across is that a website with no access to HTTPS should never be trusted with ANY information, regardless of its sensitivity. Not having an SSL Certificate is a great way to “Reduce Your Consumer Trust To 0 in 1 Easy Step!” — if this were a clickbait article in a parallel universe!
Getting the Certificate is step one on your journey of ensuring your website is safe and secure from people with bad intentions! Keep following our “Tenacious, Rigorous, Secure” Security Series to continue getting tips and tricks for your own website.
Next article: Tenacious, Rigorous, Secure: “HSTS” – The Awesome Yet Strict Security Measure