SSL Certificates & Website Safety (What You Might Not Know)
Following the release of Google Chrome, it became a dangerously common misconception that websites without an SSL certificate are unsafe and should likely be avoided.
And while this is true, we often struggle to communicate to our clients that even websites with an SSL certificate alone aren’t actually all that safe either.
SSL certificates are not a last line of defense against more complex security breaches. While your site certainly needs an SSL certificate- e-commerce or not- there are other safety protocols you have to consider if web safety is a top priority for you.
What is an SSL Certificate?
Secure sockets layer.
That’s what it stands for- a secure sockets layer.
Not a glamorous sounding addition to your website by any means, but these certificates play an important role in data encryption. They quickly became a best practice in website security, for good reason as well. SSL certificates establish an encrypted link between a web server and a browser.
If you don’t want the entire world knowing what you’re sending across the net, you sure do need an SSL certificate.
Where Did The “Not Secure” Warning Come From?
Google and Mozilla are pushing hard for webmasters and the like to adopt HTTPS.
(Don’t worry- we’ll cover HTTPS too.)
At the end of the day, the only way for these Internet mammoths to push HTTPS adoption is by flagging sites that don’t have SSL certificates.
Wait, Wait- HTTPS?
You’ll see the https prefix in front of most website addresses these days.
The web can be a very unsafe place without proper safety protocols, and HTTPS offers the most robust combination of safety certifications to keep your website as secure as possible.
Hypertext Transfer Protocol Secure was built off its older counterpart, HTTP- Hypertext Transfer Protocol.
The difference between the two? HTTPS uses SSL certificates for data encryption. HTTPS makes online shopping and mobile banking possible- information passed over an HTTPS network is generally not compromised by outsiders.
HTTP speaks more to the way data is communicated between two parties over the Internet. It doesn’t necessarily address the safety of how that is done, just how it’s done in general.
HTTPS is the perfect combo of data communication and data encryption.
Google Will Flag Websites Without SSL Certificates
Rightfully so. Websites without SSL certificates aren’t secure.
Like we said, the world wide web isn’t a safe place these days and website security isn’t really optional anymore.
The proof is in the pudding. The cyber security industry is worth over 241 billion dollars and shows no sign of slowing down.
The “not secure” warning is totally legit.
But don’t assume that https websites are automatically safe- beyond SSL certificates, there are other security protocols your site really, really should have.
SSL certificates can’t protect a website from malware infections or viruses, or stop the website from then spreading that malware. Even the padlock in the address bar doesn’t necessarily mean the site is secure; it simply indicates that the info shared between that website’s server and the browser is secure.
PSA- infected websites served over HTTPS will actually continue to ensure the integrity of the malware or virus, all the way until it reaches the final victim- the website’s visitors.
SSL Certificates and HTTPS Certificates STILL Don’t Equal Maximum Website Security
As easy as we would like to make this, there really is no “one size fits all” solution for website security.
Even if a website has had SSL & HTTPS forced upon it, it doesn’t actually mean the website is secure.
Without additional security measures, such as a WAF (Web Application Firewall) or access controls, an HTTPS site can still be hacked and be dangerous to visitors. Data encryption is vital, yes, but it’s only one piece of the web security puzzle.
You need to look at website security as a strategic, well-planned combination of protection, detection, response and backups.
Our number one tip to get going, however?
Make sure you choose the right SSL certificate.
Domain Validated SSL Certificates
These SSL certificates show that a domain is registered, and that a site admin is running the URL.
It’s quite easy to obtain- the certificate authority can typically validate through email, DNS or HTTP.
It involves the owner proving they own and run the domain, for example by saving a text file in the public web root of their domain.
Organization Validated SSL Certificates
Building off domain validated SSL certificates, organization validated certificates not only prove ownership of a domain, but also prove the existence of an organization or company that stands behind the domain.
Your organization or company’s details are shown online, just like individual ownership in domain validated SSL certificates.
Extended Validation SSL Certificates
Again, building on the above, extended certificates demand even more information and proof of ownership than domain or organization validation.
It signifies an even higher level of security and ownership, though these take longer to obtain.
Take a look at the domain bar when you look at PayPal; there is no doubt of the organization, ownership and their authenticity.
At the validation level, extended validation SSL Certificates are the most secure. If applicable, look to extended validation certificates as part of your end security game.
Single Name & Wildcard SSL Certificates
Single-name SSL certificates protect one subdomain.
Great for forgotten subdomains, or site evolution, there is always a place for single-name SSL certificates.
Just be aware, however, that a certificate for one subdomain will only apply to that exact, specific domain- not even the branches of it.
A certificate for www.website.com won’t apply to mail.website.com.
On the other hand, wildcard SSL certificates secure a number of subdomains for just one single domain.
Again, we would love to make this easy for you, but wildcard SSL certificates only protect the subdomains of one single domain.
They don’t protect multiple domains, even if they are all related.
That’s where multidomain SSL certificates come into play.
Multidomain SSL Certificates
These giants provide security for several different domains, through one extension.
This extension is the SAN extension. (As if you wanted any more acronyms thrown your way, we know.)
SAN = subject alternative name.
With multidomain SSL certificates, you can combine multiple hostnames even if they’re not from the same domain.
Complex? Yes. Many sites don’t need to go as far as multidomain SSL certificates, but they are there- and for those that need them, you NEED them.
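To make the single-name, wildcard and multidomain coverage rules above concrete, here is an added example (not code from this article or from any certificate vendor) that checks which hostnames a certificate's SAN entries cover. It goes slightly beyond the text by showing that a wildcard stands for exactly one label, so it covers neither the bare domain nor deeper subdomains; all hostnames and the function names are constructed for illustration, and real clients rely on their TLS library for this check.

```python
# Added example: simplified RFC 6125-style matching of a hostname against a
# certificate's SAN dNSName entries. Hostnames and names are constructed.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """True if one SAN entry (exact name or '*.domain') covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        # A wildcard stands for exactly one label, so label counts must match.
        return False
    if p[0] == "*":
        # Wildcard must be the whole left-most label and needs at least two
        # labels after it (so '*.com' is rejected).
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    # Partial wildcards such as 'w*.website.com' are not accepted here.
    return "*" not in pattern and p == h

def cert_covers(san_entries, hostname):
    """True if any SAN entry on the certificate covers the hostname."""
    return any(name_matches(entry, hostname) for entry in san_entries)

# Constructed SAN lists for the three certificate kinds the article describes.
SINGLE_NAME = ["www.website.com"]
WILDCARD = ["*.website.com"]
MULTIDOMAIN = ["website.com", "www.website.com", "shop.example.org"]

def coverage_report():
    """Map each constructed certificate to the test hostnames it covers."""
    hosts = ["website.com", "www.website.com", "mail.website.com",
             "a.mail.website.com", "shop.example.org"]
    certs = {"single-name": SINGLE_NAME, "wildcard": WILDCARD,
             "multidomain": MULTIDOMAIN}
    return {kind: [h for h in hosts if cert_covers(sans, h)]
            for kind, sans in certs.items()}

if __name__ == "__main__":
    for kind, covered in coverage_report().items():
        print(f"{kind:12} covers: {', '.join(covered)}")
```

Running it shows the gaps that cause browser certificate errors in practice: the wildcard certificate leaves website.com and a.mail.website.com uncovered unless those names are added as SAN entries.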