SSL Certificates Are Not Magic Pixie Dust – Basic Website Security Tips

Since the big names in tech like Google now require SSLs for all websites – or else present you with a warning – it’s easy to think that if you have an SSL certificate, your website is magically secure against everything. It is not.

We get messages all the time from customers who had their website hacked and couldn’t understand why, since they had an SSL certificate installed. They thought they were protected.

Let’s be very clear here: having an SSL certificate is the bare minimum a website should have for security, and doing it properly is the first step in making sure your website is secure. Certificates only work when they’re implemented alongside proper security measures for your website and server environment.

The SSL is the START!

First, what is an SSL certificate?

SSL stands for Secure Sockets Layer, and at the most basic level, an SSL certificate creates a secure tunnel between your web browser and the website you’re connecting with. It encrypts the data so that the connection cannot be eavesdropped on. SSL is actually a deprecated term; the current name is TLS (Transport Layer Security), even though colloquially, most people still just call them SSLs (and to make it easier – that’s how we refer to them in this article).

You can tell if a website has an SSL certificate installed by looking at the address in your browser – there should be a tiny little lock next to it. This means your connection to the server is secure. If you click the little lock, you get details on the certificate itself.

The actual SSL is a piece of code signed by an authority that is installed on the server. This signature means that the SSL is installed and valid. They’re usually renewed on a yearly basis now. Longer-term SSLs are now not approved by Google as they can be spoofed. Getting an SSL certificate requires buying one from your web host, who will likely use a third party to ‘sign’ them. Then it needs to be installed on your server (we can help you with this).

What an SSL certificate isn’t

It is not a magic piece of software that makes your website completely secure. An SSL certificate simply encrypts the temporary connection between your website and the end user’s browser. It doesn’t secure the website itself or your backend processes. It simply secures the tunnel to the customer. So, just buying an SSL certificate and thinking “my websites can’t get hacked” is simply not good enough.

SSLs are good for many things

SSLs aren’t just good for establishing trust with a user of your website; they’re also good for SEO, as the search engines will rank you better than if you don’t have one. If you don’t have one, browsers like Chrome will also now show secure connection errors when a user visits your site, warning them that your site is not secure. They establish trust. Any website without an SSL certificate installed is a red flag. If you got, say, a phishing email and you clicked the link, the site it leads to likely does not have an SSL. A legitimate link to, say, PayPal would have an SSL.

‘Old’ SSLs can be a problem

If your SSL uses a vintage standard like SSLv2 or SSLv3, it is not actually secure anymore, as those have been superseded by newer standards – the most recent of which is TLSv1.2. SSLs need to be maintained and updated every year. Old ones will just not do. You can see the type of SSL you have by visiting your website and then clicking the lock. You should find all the info you need there. And, of course, Blacknight can help you install a new, updated one!
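The same check can be scripted instead of clicking the lock. The following is an added example, not code from Blacknight or the original article: it connects to a site, reads the protocol version that was actually negotiated and the certificate's expiry date, and reports anything stale. The 30-day renewal threshold and the inclusion of TLSv1/TLSv1.1 in the obsolete list are assumptions made for this example.

```python
import socket
import ssl
from datetime import datetime, timezone

# Protocol names as returned by ssl.SSLSocket.version(). SSLv2/SSLv3 are the
# versions the article names; TLSv1/TLSv1.1 are an assumption added here
# (both were formally deprecated by RFC 8996).
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
RENEW_WINDOW_DAYS = 30  # assumed warning threshold, not from the article


def assess(protocol, not_after, now):
    """Return a list of findings for one connection.

    not_after uses the getpeercert() format, e.g. "Jun  1 12:00:00 2030 GMT";
    now is a timezone-aware datetime used as the reference time.
    """
    findings = []
    if protocol in OBSOLETE:
        findings.append(f"obsolete protocol negotiated: {protocol}")
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    days_left = (expiry - now).days
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left <= RENEW_WINDOW_DAYS:
        findings.append(f"certificate expires in {days_left} days")
    return findings


def probe(host, port=443, timeout=5.0):
    """Connect to host and assess what was actually negotiated."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return assess(tls.version(), cert["notAfter"], datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError as exc:
        return [f"certificate failed validation: {exc.verify_message}"]
    except ssl.SSLError as exc:
        # A default client refuses SSLv3 and older, so a server limited to
        # those versions shows up here as a failed handshake.
        return [f"TLS handshake failed: {exc.reason}"]


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(name, probe(name) or ["no findings"])
```

Pass one or more hostnames on the command line; an empty result means the negotiated protocol and the certificate dates raised no findings, which says nothing about the security of the website behind the connection.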

They’re not just for eCommerce anymore!

In the past, you only needed to think about having an SSL certificate if you processed data like credit cards – as they were required by credit card processors. But now, every website, even if there is no eCommerce element, needs to have an SSL certificate installed. Why? Because Google says so – something we’ve written about before. But basically, if you don’t have an SSL certificate, Google will warn visitors to your website that it’s not secure. You definitely do not want that!

So, what else should you be doing for basic website security?

Other than an SSL certificate, here are a few best practices to help keep your website secure. And I feel I should be clear: no website is really 100% secure.

SSLs are important to the security of the web, but just having one isn’t the end of the process – it’s the beginning. With the above tips, you’ll be on the way to having a more secure website for you and your customers. Need an SSL certificate for your website? Then head on over to our main site to order one.
