We have been hearing this from some of our clients for a little while now. There also seems to be a lot of scare-mongering and overblown commentary being bandied around at the moment, some of it being inappropriately linked to GDPR as well. Although the following is a little long it will hopefully bring a little perspective to the issue.
Earlier in the year Google started putting a small message into the Address bar on its Chrome browser when it came across the password field of a website login form if the site didn’t have an SSL certificate. In the past few weeks Google has also started to display a similar type of message for many other types of website forms, again if the site doesn’t have an SSL certificate. They have also indicated that from December they will be marking all websites without an SSL certificate as unsafe. They are promoting this as a drive to enhance website security and, across the whole of the web, they may well have a point.
SSL certificates are not a new thing, they have been around for years, essentially, they are the visible ‘padlock’ one see’s on an online shopping site. They work by making sure the data sent from your PC to a website server and back again is encrypted and if that data contains your credit card number or online banking login then this is obviously a good thing. In general, they won’t provide a massive security boost for a lot of websites as the type of data theft they are designed to protect against isn’t in practice very easy to achieve and to be worth the risk for the criminal, needs to have a valuable target.
The commonest attack that an SSL certificate will protect against is when an attacker sets up a fake Wi-Fi hotspot in a hotel lobby, airport lounge or similar public space which is designed to appear as the official hotspot. People sign up to the wrong one and the attacker can then intercept their traffic as it passes through the spoof hotspot. In this situation the attacker is looking for credit card, banking and other high value data and an SSL certificate helps to protect data as it is encrypted when it passes through the spoof hotspot and is thus difficult to read.
For most website owners the main reason to add an SSL certificate to their site will be a threat to the sites reputation rather than adding a significant boost to the sites security. At present only Google is taking this next step to mark all sites without SSL as unsafe but it is very likely that the other browsers will follow suit at some point. It is also worth noting that Google are indicating that the lack of an SSL certificate will impact on search rankings and for some owners this will also be a significant driver.
SSL certificates come in a number of ‘types’ and with a range of costs, in general the cost is driven by the reputation of the organisation issuing the certificate, called the signing authority. A simple SSL certificate from a reputable source should be in the region of £50 - £75 and could need an hour or two of someone’s time to set up and install. The certificate is tied to the sites domain name and if your site has multiple domain names or uses sub domains then the SSL certificate could be more expensive.
Some site hosting setups provide free or very cheap SSL certificates; however, you should be careful that they are not simply ‘self-signed’ by someone who is not on the main browsers trusted lists. In these situations, the data may well be encrypted but the reputational loss will continue as browsers will continue to label the website as unsafe. Earlier this year Google removed some quite well-known names from its trusted certificate authorities list, Thawte, Verisign, Equifax and others because it had lost faith in the trustworthiness of their reputation.
In conclusion, the time is almost certainly right for most, if not all, website owners to move to having an SSL Certificate for their website(s). Those who have a specific security need will almost certainly already have a certificate. For those now contemplating it the main reason will be to mitigate the reputational risk of having their site labelled as unsafe, initially by the Chrome browser but in time by all browsers. Your IT team, web development company or hosting provider will be the people to approach.
If you would like to talk to the 101 team about the security of your website, please call us on 01603 858250.
By Roger Sutton