Understand Website Security and SSL are not the same thing.
Running a website in 2018 is way easier than it was back in the 1990s. Tools like website builders, content management systems (CMS), static site generators, etc., remove a lot of the headache and friction around coding websites. But did you think there would be no catch to such an easier way of life?
I would dare to say that one of the many cons to bringing such convenience to the world is the creation of misinformation. The biggest misunderstanding is what makes a website secure versus not secure. For example, with the introduction of version 68 of Google Chrome browser, websites that do not use SSL certificates are marked “Not Secure” in the address bar.
However, a website with an SSL certificate is not necessarily a “secure” website either. SSL encrypts the data sent between the visitor and web server but does not actually protect the website itself from hackers. There is more to it and website owners need to understand this if they want a truly secure website.
What is Website Security?
Defining website security is not simple, but here’s a good definition we like to use in our company:
There are no turnkey solutions to security; instead it’s a combination of people, processes, and technology, that help create a manageable and scalable approach to security for any organization.
Defining website security is hard because it depends on the necessities of each organization. For example, a personal blog does not have the same concerns as an e-commerce store or the site of a web development agency.
Believing that a website is secure because it has implemented an SSL certificate can become a real problem. A website with SSL is not secure if it does not have other layers of protection, such as a Website Application Firewall (WAF), or even access controls. An HTTPS website could still be hacked and can still be dangerous to its visitors.
No matter if it is HTTP or HTTPS, if a website is infected with malware, internet security companies can put warnings on it and in search results, letting everyone know that the site contains malicious code, which will affect the website’s rankings.
These are the top 10 blacklists (no specific order) that will affect your website if breached:
• Sucuri Malware Labs
• SpamHaus DBL
• SiteAdvisor McAfee
• Google Safe Browsing
• Norton Safe Web
• Phish Tank
• Yandex (via Sophos)
SSL is the acronym for Secure Sockets Layer. It is the standard security technology for establishing an encrypted link between a web server and a browser. SSL certificates have become a best practice in website security for good reason.
Google, Mozilla, and other web authorities are pushing for website owners to adopt HTTPS. One of the ways Google can enforce SSL is by flagging sites that lack it with a warning that the site is “Not Secure” in Chrome, starting with Chrome 68.
SSL certificates help protect the integrity of the data in transit between the host (web server or firewall) and the client (web browser). They make sure no one is able to see or modify the data along the way, which is what a man-in-the-middle attack attempts.
All types of SSL certificates verify the domain name of the website.
SSL Certificates and Malware Infections
SSL certificates cannot protect a website from a malware infection, nor can they stop a website from spreading malware.
Ironically, infected websites served over HTTPS will ensure the integrity of the malware until it reaches its potential victims, aka the website’s visitors.
A website’s padlock in the address bar does not mean the website is secured. It only means that the information between the website’s server and the browser is secured.
That is something both webmasters and Internet users need to be really mindful of.
It is important to make sure to force HTTPS after you install an SSL certificate on your website. If attackers compromise your site and link to malware assets over HTTP, browsers will display mixed content warnings.
What is the Difference between Website Security and SSL?
Website security is more comprehensive than HTTPS/SSL alone and should be treated as such. HTTPS/SSL is one of many security controls to consider when thinking about your website’s security. Deploying HTTPS/SSL on your website does little to ensure your visitors are safe if you do not take other actions to ensure a secure environment.
We can imagine that the reason why some people get SSL confused with website security is because HTTPS/SSL provides:
• authentication (in layman’s terms, answering the question “is that really you?”)
• integrity check (unchanged)
• privacy (unseen) of the data in transit.
To sum this up, in an HTTPS website, data in transit is protected, but the website itself can still be vulnerable.
Here at REAL, we see website security as a conjunction of protection, detection, response, and backups. SSL certificates are only a part of the puzzle. Data encryption is vital to having a good security posture, but it is not everything.
Security is not a constant. You need to invest time and resources to create a plan that fits your needs. HTTPS is great for the Internet as a whole because it helps keep communication secret between users and the websites they visit. SSL is what secures that data in transit only, not the website they are visiting.
SSL certificates only account for a small piece of the website security puzzle.
We encourage website owners to think about website security holistically and consider leveraging a Website Security Platform that offers a complete suite of security controls: protection, detection, monitoring, and incident response.
REAL recommends a company that created software called Sucuri. This is one layer (of many) that will help protect your website if you are using WordPress, Joomla, Drupal, Magento, Microsoft .Net, phpBB, or vBulletin. It is a must-have for anyone concerned with securing their websites.