Moving to a Secure Website

From the beginning of the internet, the protocol used to communicate has been HTTP (Hypertext Transfer Protocol). Unfortunately, HTTP sends data across the wire in plain text, where it can be viewed. This means that websites are vulnerable to attacks which intercept and manipulate data. One type of attack is called Man in the Middle, where two parties have their communication intercepted, stolen or altered. Another kind of attack is content injection. This means malicious code, ads or other content can make its way onto your website without your consent.

To combat this, SSL (Secure Sockets Layer) was created. HTTPS signals the browser to use an added encryption layer to protect the traffic. As SSL evolved, it was replaced by TLS, or Transport Layer Security. Both accomplish the same goal; TLS is just a more secure way of encrypting that information. HTTPS is a secure protocol for communication over the Internet.

The dominant browsers (Mozilla Firefox, Google Chrome, Apple Safari and Microsoft Edge) want the entire internet to move to HTTPS.

As far back as 2014, Google announced that HTTPS would become an SEO ranking signal. Since the beginning of 2017, the browsers have been actively changing their UI to better inform users about connection security. The green padlock on the address bar indicates that you are running SSL.

Another advantage of switching to SSL is that HTTPS is actually much faster than HTTP. Check out HTTPvsHTTPS.com. When we ran the test three times on our 100 Mbps connection, the site loaded 82% faster using the HTTPS protocol than it did via the HTTP protocol.

Types of SSL Certificate

What type of SSL/TLS certificate is right for you?

There are three basic types of SSL/TLS certificate:

  • Domain Validation
  • Organization Validation
  • Extended Validation

All three offer the same level of encryption; the difference is in the identification.

Domain Validation certificates simply require you to prove ownership of the domain, and then you can encrypt. Let’s Encrypt offers free Domain Validation certificates that are valid for 90 days. They automatically renew, but there may be a small window when you are not protected. On Digital Pacific, the shared hosting package offers this certificate on WordPress sites using the following procedure:

https://support.digitalpacific.com.au/en/knowledgebase/article/wordpress-enable-and-force-ssl

Organization Validation SSL/TLS certificates offer a degree of business authentication. The Certificate Authority that’s issuing it will vet your company to ensure that it is legitimate. These certificates are good for larger enterprise businesses that already have outstanding reputations.

The top-of-the-line SSL/TLS certificates are Extended Validation. These require the most vetting but also unlock the most obvious visual indicators – a green address bar with your organization’s name in it. These certificates offer an ideal level of business authentication and come with the best trust seals – another visual indicator of SSL encryption.
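The two points above, that the certificate types differ only in the identity they carry and that a 90-day certificate can lapse if renewal fails, can be checked from the certificate itself. The following is an added example, not code from the original article or from Let's Encrypt; the sample certificates are constructed, the 30-day warning threshold is an assumption, and the DV/OV/EV guess is a heuristic on subject fields, since `ssl.SSLSocket.getpeercert()` does not expose the certificate policy extension.

```python
import ssl
from datetime import datetime, timezone

# Constructed samples shaped like ssl.SSLSocket.getpeercert() output.
# Hostnames, organisation details and dates are made up for illustration.
DV_CERT = {
    "subject": ((("commonName", "blog.example.com"),),),
    "notAfter": "Mar 31 00:00:00 2024 GMT",  # 90 days after 1 Jan 2024
}
EV_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("serialNumber", "000 000 000"),),
        (("organizationName", "Example Pty Ltd"),),
        (("commonName", "www.example.com"),),
    ),
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}

def subject_fields(cert):
    """Flatten the nested subject tuples into a plain dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def validation_level(cert):
    """Heuristic guess at DV/OV/EV from the identity fields in the subject."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"   # only the domain was validated
    if "businessCategory" in fields and "serialNumber" in fields:
        return "EV"   # registration details are present
    return "OV"

def days_left(cert, now):
    """Whole days until notAfter; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days

def renewal_status(cert, now, warn_days=30):
    """warn_days is an assumed threshold, not a value from the article."""
    left = days_left(cert, now)
    if left < 0:
        return "EXPIRED"
    return "RENEW_NOW" if left < warn_days else "OK"

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for cert in (DV_CERT, EV_CERT):
        name = subject_fields(cert)["commonName"]
        print(name, validation_level(cert), renewal_status(cert, now))
```

To run it against a live site, pass the dictionary returned by `getpeercert()` on a verified TLS connection in place of the constructed samples.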

Mobile Security with HTTPS

HTTPS also protects traffic on mobile devices. The vast majority of SSL/TLS certificates are mobile friendly, meaning that once one has been added to your server you’re good to go on mobile devices.

But what about apps? Well, both Apple and Google, two of the leaders in the mobile phone industry, are pushing mobile apps towards encryption by default. Apple has App Transport Security on iOS, while Google has the usesCleartextTraffic manifest attribute on Android. Apple’s ATS is pushing towards encryption a little harder, as its default setting is to have encryption on, while on the Android platform it’s not. But both are making a clear indication that HTTPS is becoming the standard.
