If security on the internet doesn’t have your attention yet, then you must have spent most of the last couple years in a cave! From the revelations of Edward Snowden in 2013, to the Sony hack in late 2014, and multiple high profile security breaches in between, the news stories about compromised data and privacy have been frequent and serious. Some of these stories involved large governments with huge budgets and elite security specialists. Many of them were the work of an individual.
Now that you are thinking about internet security, you’re probably wondering what you can do to protect your site and visitors. To set the scope of this article, I’m going to assume you are not representing a Fortune 500 company, and you don’t rely on armed guards and attack dogs for your physical security.
The good news is, website encryption is pretty easy, and not expensive. The bad news is, if a large government agency wants in, you probably don’t have the resources to keep them out, just like in the real world.
The Green Padlock
You may have noticed that many sites you visit, such as Facebook, Twitter or Amazon.com, have a padlock or HTTPS next to the domain name in your browser. This indicates that the communication between your computer and their web server is encrypted. This is the first line of defense in web security. It is the common deadbolt of the internet.
Without this encryption, anyone can look at your communication with the website and see it in plain text. That means passwords, email addresses, credit card numbers etc. are easily captured. With it, the traffic is encrypted and unreadable. But, just like a deadbolt, it is not perfect.
This encryption can be defeated, but it requires specialized equipment and time. If your business interests on the internet are a tempting target to people willing to put this much time, effort and money into compromising them, then you will need more than just encryption to protect your properties.
How Does It Work?
This is a Non-Nerd explanation, so I’m not going to get into TLS protocol or Public/Private Keys. If you are interested in that aspect, you might want to read the Wikipedia article about HTTPS and SSL.
HTTPS requires a Security Certificate from one of several organizations known as Certificate Authorities (CAs). The CA will verify the legitimacy of your organization and website, and provide a Security Certificate that needs to be installed on your web server. There are three levels of verification, each requiring a different amount of documentation and proof that you are a legitimate person or business.
Once installed, when a user visits HTTPS://[yourwebsite.com] the traffic will be encrypted, and the green padlock in the address bar will be present to indicate a secure connection. The Certificate will be valid for a fixed period of time, usually between 1 and 3 years.
It’s About Trust
In addition to encrypting communications, having a Security Certificate on your website provides an amount of certainty that you are who you say you are. The validation process with a Certificate Authority proves that you are legitimate.
When your certificate expires, your site will still be encrypted. But when a user visits a site with an expired certificate, they will be shown a warning that says the site isn’t trusted. In most browsers it is a big, ominous looking warning too!
If the site is still encrypted, why the warning?
Because the Certificate Authority will no longer vouch for you. You have to re-validate and install a new certificate.
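The two sections above describe what a browser actually checks before it shows the green padlock: that the certificate is inside its validity period, and that it was issued for the site you typed in. The script below is an added example (not part of the original article) that performs those same two checks, so a site owner can catch an expiring certificate before visitors see the warning. It works on the dictionary shape that Python's standard `ssl.SSLSocket.getpeercert()` returns; `SAMPLE_CERT` is a constructed, offline sample with made-up names, and `fetch_cert()` is only used when a real hostname is passed on the command line.

```python
"""Check an HTTPS certificate's validity period and hostname, browser-style.

Added example, not the article's own code. Operates on the dict that
ssl.SSLSocket.getpeercert() returns, so it runs offline on SAMPLE_CERT
(constructed data, fictional domain) or on a live host via fetch_cert().
"""
import socket
import ssl
import sys
import time
from typing import Dict, List, Optional

# Constructed sample in getpeercert() format; the domain and CA are invented.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-shop.test"),),),
    "issuer": ((("organizationName", "Example CA (fictional)"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "subjectAltName": (
        ("DNS", "www.example-shop.test"),
        ("DNS", "*.cdn.example-shop.test"),
    ),
}


def _hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name from the certificate against the requested host.

    A leading '*' wildcard stands in for exactly one label, so
    '*.cdn.example-shop.test' covers 'static.cdn.example-shop.test'
    but not 'cdn.example-shop.test' or 'a.b.cdn.example-shop.test'.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    pattern_labels = pattern.split(".")[1:]
    host_labels = hostname.split(".")
    return len(host_labels) == len(pattern_labels) + 1 and host_labels[1:] == pattern_labels


def check_certificate(cert: Dict, hostname: str, now: Optional[float] = None,
                      warn_days: int = 30) -> List[str]:
    """Return a list of problems; an empty list means the certificate passes.

    Checks the validity window (with an early warning when fewer than
    warn_days remain) and that hostname appears in the subjectAltName list.
    """
    now = time.time() if now is None else now
    problems: List[str] = []

    # ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' strings
    # that getpeercert() returns into seconds since the epoch.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate is not yet valid")
    if now > not_after:
        problems.append("certificate has expired")
    elif not_after - now < warn_days * 86400:
        problems.append(f"certificate expires in {int((not_after - now) // 86400)} days")

    # Identity: browsers match the typed hostname against the DNS names in
    # subjectAltName, not against the human-readable subject field.
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_hostname_matches(name, hostname) for name in dns_names):
        problems.append(f"hostname {hostname!r} not in certificate names {dns_names}")
    return problems


def fetch_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Fetch a live server certificate as getpeercert() reports it.

    The default context already does the CA-chain and hostname validation a
    browser performs, so an untrusted certificate raises ssl.SSLError here.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]
        cert = fetch_cert(host)
    else:
        host, cert = "www.example-shop.test", SAMPLE_CERT
    for line in check_certificate(cert, host) or ["certificate OK"]:
        print(line)
```

Run with no arguments it evaluates the constructed sample (which, being dated 2024, will report as expired when run later than that, exactly the situation the section above describes); run with a hostname it fetches and checks that site's real certificate. Scheduling the expiry check to run daily and alert on the "expires in N days" message is the cheapest way to avoid the "site isn't trusted" warning.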
The Costs
Any security measure, even a simple deadbolt, comes at a cost. Instead of just opening the door, you need to carry your keys and take a second to unlock the door first. Likewise, HTTPS has some associated costs.
First is effort. It takes more work to encrypt your website than it does not to. It isn’t a huge amount of work, but it will take a couple of hours. Depending on the verification level your business requires, it can also take a couple of weeks for the CA to verify you.
Secondly there is money. Again, depending on the level of verification you require, there may be a monetary cost. A level 3 validation may cost $1500, and expires after a couple of years.
Third is site performance. Encrypting and decrypting all the data for your site puts a load on the server and on the visitor's computer. If your site is large, this could result in a noticeable hit to your performance, especially on low-powered devices like budget smartphones.
Is It Worth It?
If your website is dealing with any sort of payments, HTTPS is a must. For at least the payment section of the site, it isn't even a choice: your payment provider will require it.
For other types of sites, it is less black and white. But here are the reasons why you might want to use HTTPS.
- Google has stated specifically that it is now using HTTPS as a page ranking indicator. That means that sites using HTTPS may get a bump in Google’s search results.
- A small percentage of your users will not trust you with personal data such as email addresses without HTTPS.
- Even if users are sending and receiving seemingly innocuous data, encrypting the communication keeps it private from prying eyes.
Conclusion
Using HTTPS is not the right choice for everyone, but it is the right choice for most. If you're not sure, call your web developer and discuss it with them. It doesn't have to cost a lot, and a certificate is sometimes free.
Encrypting web traffic keeps communication with your customers private, and makes programs like the NSA’s Prism more difficult to pull off.