Why There’s More to Site Security Than Just SSL
SSL certificates (strictly speaking TLS certificates; the SSL protocol itself was retired years ago, but the name stuck) are small but mighty digital certificates that you can install on your website so that users reach it over an encrypted HTTPS connection. While they are undoubtedly vital in this day and age, there’s an unfortunate misconception that an SSL certificate is a catch-all measure for every website security woe.
Some of this confusion likely lies with the marketing language surrounding SSL certificates, as well as how major browsers treat websites that don’t have an SSL, flagging them as “not secure”. While not exactly a lie, it does simplify the actual role of SSL certificates in website security. The reality is, there’s a lot more you should be doing to ensure your website and its visitors are safe from malicious actors.
In this blog post we’ll address some of the confusion surrounding the role of SSLs and some additional measures you should be taking to ensure your website is secure as can be.
Read on to learn all about it.
What an SSL Certificate Actually Does
As we mentioned at the outset, an SSL certificate is used to set up an encrypted connection. More precisely, the certificate lets the client verify that it is talking to the server named in the certificate, and the handshake that uses it agrees the keys that encrypt everything sent afterwards, so that data sent over the connection is unreadable to prying eyes. Typically, this encrypted connection is made between a server (where your website lives) and a client (most often a browser), so we’ll be using this as an example.
When a browser attempts to connect to a website with an SSL, a secure connection will be created through a process known as the TLS handshake. The TLS handshake is a pretty complicated process, but the short version is that it involves a number of messages being sent between the client and server. Through these messages the browser checks the server’s certificate (the server only checks the browser’s identity if mutual TLS has been set up, which is rare on public websites), the two sides agree which cipher to use, and then they derive the shared keys for the connection. It might sound like a lot, but it takes only a round trip or two, typically a fraction of a second.
This connection ensures that information sent in either direction is encrypted and can only be decrypted by the other end. Encryption does this by converting plaintext to ciphertext, which is essentially an unreadable string of characters. The handshake also guarantees that the traffic can’t be tampered with undetected, and that nobody can impersonate the server without a certificate the browser trusts. This is why SSLs are a great way of protecting against man-in-the-middle attacks.
As you may have noticed already from this explanation, SSLs only encrypt data during a very specific moment: while it’s in transit between the browser and the server.
Which brings us nicely to our next point.
What an SSL Certificate Doesn’t Do
SSL certificates do not protect data at rest. Data at rest refers to data stored on your website server. Installing an SSL certificate only encrypts the link between the two endpoints, so it doesn’t protect what’s at each end (that is, the server and the client), where the data is plaintext again. (If TLS terminates at a CDN or load balancer rather than at your server, even the hop behind it may be unencrypted unless you configure that too.) That’s why it’s dangerous to think that installing an SSL certificate alone will secure your entire website. An SSL won’t protect you against hackers exploiting common back-end vulnerabilities like out-of-date software or poor coding: an SQL injection payload sent over HTTPS arrives perfectly well encrypted, and the server decrypts it and runs it all the same.
While having an SSL is a key aspect of site security, there’s a lot more you need to do to ensure data stored on the server is secure.
How to Secure Your Site beyond SSL
So what else do you need to do to secure your site? We’ve talked at length about website security here at the Namecheap blog, so for a more in-depth look, why not check out some of these articles: A-Z Website Security for WordPress; 4 Quick and Easy Ways to Improve Website Security; or this piece on preventing domain name hijacking and cyber attacks. If you have an e-commerce website, you’ll need to read How to Protect Your E-Commerce Website in 9 Steps.
For now, here’s a quick overview of basic steps all website owners should take to secure their site:
- Choose a web host with good security features
- Use strong passwords and enable 2FA
- Keep software up-to-date, from your CMS to widgets and plug-ins
- Implement good malware protection
- Run regular virus scans
- Run regular backups
YSK: Malicious Websites Can Still Have SSL Certificates
While we’re here, it should also be noted that if you visit a website that has an SSL, that doesn’t necessarily mean that it’s trustworthy. The most insidious element of the SSL site security myth is that malicious sites, such as phishing or spoofing sites, can obtain SSL certificates too, giving them a sense of legitimacy. Domain-validated (DV) certificates are issued automatically, often for free, to anyone who can prove control of a domain name; the certificate authority checks that control, not what the domain will be used for.
An example of this could be a scam site posing as a well-known one. Maybe you ended up there via a link in a spam email or through typosquatting, which is when a malicious actor sets up a website on the domain of a common misspelling of a popular website URL. Sometimes the design of such a site can be pretty convincing, but it is usually off in some way. Another common example is simply ending up on an unfamiliar website with some tempting, too-good-to-be-true offers. Whatever the case may be, they’ll usually request that you submit personal information, such as login information and credit card details.
If you find yourself on a website you don’t trust for any reason, first read the domain in the address bar carefully, since the padlock only tells you that the certificate matches the domain you are actually on, not that it’s the domain you meant to visit. Then click on the padlock symbol and read the certificate details. It’s best practice for e-commerce sites to have an OV or EV certificate, which includes information about the company or entity that owns the website; a DV certificate carries no such details. Note that major browsers stopped giving EV certificates a special address-bar display in 2019, so you have to open the certificate details to see the organisation. If the details displayed don’t seem right, don’t hand over any sensitive information and click off the site.
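To make concrete what the padlock does and doesn’t tell you, here is an added example (not code from the original post) of the check a browser performs: it compares the hostname you typed against the DNS names in the certificate’s subjectAltName, following the wildcard rules that browsers and Python’s ssl module apply. The two certificates are constructed sample data in the shape that Python’s ssl.SSLSocket.getpeercert() returns, not real certificates; the typosquat name examp1e.com is assumed for illustration. The point it shows is that a DV certificate issued to the look-alike domain lights the padlock just as cleanly as the genuine site’s OV certificate, and only the organisation field (absent on the DV certificate) gives the visitor anything to go on.

```python
# Added example for this post (not the original article's code). The certificate
# dictionaries are CONSTRUCTED sample data in the shape returned by Python's
# ssl.SSLSocket.getpeercert(); they are not real certificates.
from typing import Optional


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one certificate DNS name against a hostname.

    Browsers only honour a wildcard that is the entire leftmost label, and it
    matches exactly one label: '*.cdn.example.com' covers 'img.cdn.example.com'
    but neither 'cdn.example.com' nor 'a.b.cdn.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname          # no wildcard: exact match only
    suffix = pattern[2:]
    if "." not in suffix:                   # refuse '*.com'-style wildcards
        return False
    first, _, rest = hostname.partition(".")
    return bool(first) and rest == suffix


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """The check behind the padlock: does any subjectAltName DNS entry match?

    Modern browsers ignore the subject commonName entirely, so a certificate
    without a subjectAltName extension matches nothing.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(san, hostname) for san in sans)


def organization(cert: dict) -> Optional[str]:
    """Organisation from the subject; present on OV/EV certificates only.

    A domain-validated (DV) certificate, issued automatically to anyone who
    controls the DNS name, carries no organisation at all.
    """
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return None


def describe_connection(cert: dict, hostname: str) -> dict:
    """Everything a visitor can learn from the certificate for `hostname`."""
    return {
        "hostname": hostname,
        "padlock": cert_matches_hostname(cert, hostname),
        "organization": organization(cert),
    }


# Constructed sample: an OV certificate for the genuine site.
REAL_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Retail Inc."),),
        (("commonName", "example.com"),),
    ),
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "www.example.com"),
        ("DNS", "*.cdn.example.com"),
    ),
}

# Constructed sample: a DV certificate for a typosquat ('1' in place of 'l').
# Nothing in automated issuance asks why someone wants it.
TYPOSQUAT_CERT = {
    "subject": ((("commonName", "examp1e.com"),),),
    "subjectAltName": (("DNS", "examp1e.com"), ("DNS", "www.examp1e.com")),
}

if __name__ == "__main__":
    for cert, host in ((REAL_CERT, "www.example.com"),
                       (REAL_CERT, "examp1e.com"),
                       (TYPOSQUAT_CERT, "www.examp1e.com")):
        print(describe_connection(cert, host))
```

Running it shows the genuine certificate being rejected for the wrong name (no padlock), and the typosquat certificate accepted for its own name with no organisation behind it. The browser’s check is doing exactly its job in both cases; it simply never had an opinion about which domain you intended to visit.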
The lesson here is not to blindly trust a website that happens to have an SSL. Even though your connection to that site may be encrypted, does it really matter when the person on the other end of the connection has bad intentions?
While installing an SSL certificate on your site is undoubtedly important, it’s just one small element of a much larger set of site security requirements you should be adhering to in order to keep your site and users safe and secure. Do your due diligence and research the necessary measures for protecting every area of your site. And whenever you’re in browsing mode, remember that just because a website has an SSL, it doesn’t mean it’s trustworthy.