In case you haven’t noticed, unsecured websites (those using HTTP:// rather than HTTPS:// at the beginning of the address) are already starting to generate warnings in certain browsers. If you manage one or more websites, considering website security in your overall strategic planning is more critical now than ever before. If you don’t know how to tell whether a website is secure, simply look at the address bar. For more detailed information, click on the icon to the left of the website’s domain name to see the security status as shown in the examples below:
Example of unsecured website’s address bar as seen in the Firefox browser
Example of SSL secured website’s address bar as seen in the Firefox browser
Example of website using EV SSL certificate as seen in the Firefox browser

Website Security Changes Are on the Horizon

But this is just the beginning, and there are many other variations plus many other browsers, each of which displays the website security status in its own way. The big news shaking up the industry right now is that Google Chrome, starting in July of 2018, will flag ALL websites that are not SSL-secured (not just those collecting personal information) and warn visitors that they are on an unsecured website. It appears unsecured websites are quickly becoming a thing of the past…and that’s probably not a bad thing.

For those who aren’t familiar with SSL, it stands for “Secure Sockets Layer.” Basically, it ensures that the data transferred between a visitor and the secured HTTPS website is encrypted so that it can’t easily be stolen, unlike the unencrypted data sent to an HTTP website. It also means that the domain name seen in the browser is actually the domain of the website in question. This makes it much harder for thieves to spoof or imitate a website and steal data (including credit card info, etc.) from a website’s visitors.

In reality, most secured websites today use a newer technology known as TLS (Transport Layer Security), but the SSL acronym has become so commonplace that it is now used as a catch-all for both Secure Sockets Layer and Transport Layer Security. Most companies (ourselves included) still call their security offerings SSL even though, technically, they are TLS. Since so few people outside of the industry know what SSL is, trying to explain that one acronym they barely understand is being replaced by a new acronym they’ve never heard of is likely to be more confusing than helpful. I’ll continue to use SSL for the purposes of this post.
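
The two properties described above (an encrypted connection, and a certificate that really belongs to the domain in the address bar) can be checked for a site you administer. The following Python is an added example, not part of the original post; the function names and the sample certificate are constructed for illustration, and the wildcard rule shown is the common one-label rule browsers apply.

```python
import socket
import ssl


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    A wildcard is accepted only as the whole leftmost label and covers
    exactly one label: *.example.com matches www.example.com but not
    example.com or a.b.example.com.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) > 2:
        p_labels, h_labels = p_labels[1:], h_labels[1:]
    return p_labels == h_labels


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if any subjectAltName DNS entry in the certificate covers hostname."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(name_matches(n, hostname) for n in names)


def inspect_site(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with browser-style verification and report what was negotiated.

    Raises ssl.SSLCertVerificationError if the chain or hostname check fails.
    """
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),  # a TLS version string such as "TLSv1.3"
                "covers_host": cert_covers(cert, hostname),
                "expires": cert.get("notAfter"),
            }


# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
```

Calling inspect_site() with your own domain requires network access; the "protocol" field it returns shows that the connection is negotiated as TLS even when the product is sold as SSL.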

Improving Website Security Is Not Difficult

Installing an SSL certificate is fast, easy, and relatively inexpensive (especially compared to the potential loss of trust a website without it may experience). While it’s still possible to operate a website without SSL, the risks involved make it increasingly less advisable. If your website doesn’t collect personal information from visitors, you may have a little more leeway, but all websites will benefit from installing SSL. Those benefits will likely only increase over time. If you are responsible for administering any website, this is probably a good time to evaluate your security requirements and consider upgrading as needed.

~

This is the first in a series of posts on website security. We will continue to publish articles on SSL, TLS, HTTPS, as well as other security topics. Please feel free to post any questions, comments, or requests for future articles below and we will do our best to address them.