The Importance of Secure Sockets Layer (SSL) certificates
October 4th, 2017
Encrypting your online browsing may appear daunting, but Secure Sockets Layer (SSL) works behind the scenes. Most popular websites such as Google, Amazon, and Facebook use SSL to protect users’ browsing. These companies have acquired an SSL Certificate, which allows their servers to establish a Private and Public Key. The Public Key is openly displayed on a website’s SSL Certificate, while the Private Key is secretly used to link the encrypted connection.
An encrypted, or SSL, connection is basically established through a virtual handshake. The user’s browser accepts the Public Key and encrypts the data, and the website’s server reads the data with its Private Key. If this data were intercepted by a hacker, it would appear as useless ciphertext. This data can’t be decrypted without the Private Key.
Is SSL completely secure?
Any type of security measure has potential vulnerabilities. Hackers have found vulnerabilities in OpenSSL that allow remote data disclosure. The vulnerability known as Heartbleed allowed hackers to remotely disclose sensitive data and access private keys. The good news is that, with proper security measures in place, these types of vulnerabilities are uncommon. Website owners must stay one step ahead of the hackers, because data breaches are exploited on popular platforms. This can allow hackers to attack many websites through an OpenSSL vulnerability.
Staying one step ahead of the hackers is best accomplished by avoiding unsupported SSL ciphers. Hackers target weaknesses in deprecated and outdated SSL encryption. For example, Transport Layer Security (TLS) 1.1 is considered deprecated and should never be used.
What exactly is TLS? It is another term used to describe SSL. Hackers target deprecated TLS versions to redirect traffic through their own server and perform an HTTP downgrade. These types of exploits are called Man-In-The-Middle (MITM) attacks.
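As an added example (not part of the original article), the Python code below shows one way to confirm that a client refuses the deprecated versions described above: it builds a context with a TLS 1.2 floor, captures the ClientHello it would send into an in-memory buffer, and lists the protocol versions on offer. The hostname `example.test` and all function names are assumptions made for illustration.

```python
import ssl
import struct

NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
         0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def hardened_client_context():
    """Client context that verifies certificates and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()           # certificate and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def client_hello(ctx, hostname="example.test"):  # constructed placeholder hostname
    """Start a handshake against in-memory buffers and return the raw ClientHello."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass                                     # expected: no server is answering
    return outgoing.read()

def offered_versions(record):
    """Parse a ClientHello record and list the protocol versions the client offers."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    pos = 9                                      # 5-byte record + 4-byte handshake header
    legacy = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32                                # legacy version + client random
    pos += 1 + record[pos]                       # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher suites
    pos += 1 + record[pos]                       # compression methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 43:                       # supported_versions extension
            return list(struct.unpack_from("!%dH" % (record[pos] // 2), record, pos + 1))
        pos += ext_len
    return [legacy]                              # no extension: only the legacy field

def deprecated(versions):
    """Names of the offered versions that fall below TLS 1.2."""
    return [NAMES.get(v, hex(v)) for v in versions if v < 0x0303]

if __name__ == "__main__":
    offer = offered_versions(client_hello(hardened_client_context()))
    print([NAMES.get(v, hex(v)) for v in offer], "deprecated:", deprecated(offer))
```

The same `minimum_version` setting applies to a server-side `ssl.SSLContext`, so the floor can be enforced on both ends of the connection.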
How do we stop hackers from redirecting traffic?
Hackers are prevented from spoofing a website by using a Public Key Infrastructure (PKI). This relies on a third-party SSL Certificate Authority (CA), which issues individual certificates after the website’s identity is approved. Basically, the PKI will verify the website’s identity and public key information.
What makes up a strong SSL configuration?
Top websites have configured SSL with optimal settings or secure algorithms. Google uses Secure Hash Algorithm (SHA) 256 with an RSA (a Public Key cryptography) signature algorithm. The SHA was designed to use cryptographic hash functions to disguise your personal key, which is used to communicate with websites on the internet. For example, an “abc” key will be displayed as “ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad.”
RSA is used to encrypt and decrypt the data you input and send to websites and the data sites send to you. This is an additional barrier Google uses to ensure transmitted data cannot be decrypted. This is considered one of the most secure methods of transmitting data between a server and client’s browser.
Simplifying the Technical Jargon
Let’s simplify the process by logging into Amazon.com. Amazon virtually hands you a Public Key, which allows anyone into their gate. Before walking into the gate, you verify the Public Key with a Key Master. This Key Master approves the Public Key and lets you move into the Amazon.com gate. At this point, you can give the Amazon gatekeeper your login information. This information is handed to the gatekeeper inside an indestructible box. Only the gatekeeper can unlock this box with an Amazon Private Key. The gatekeeper and you continue to exchange information within indestructible boxes, which can only be unlocked with special keys. If anyone comes along and tries to steal an indestructible box, they will essentially only have a paperweight.
Why does my website need an SSL certificate?
It’s all about establishing trust with users. Individuals who notice HTTPS addresses generally have more trust in a website. Also, SSL certificates will prevent imposters from using a website’s address, which stops Man-In-The-Middle attacks. Hackers will commonly attempt to replicate a website and its data. Since SSL certificates are difficult to replicate and impersonate, users will be prompted if a website isn’t legitimate.
Search engines, browsers, and well-known technology companies are now working together to prevent deceptive and insecure sites. Top browsers such as Google Chrome and Firefox will label a website harmful, deceptive, or dangerous if it does not have an SSL certificate.
Bottom Line: Google’s Taking Action
In October 2017, Chrome (version 62) will display a “NOT SECURE” message when text is entered on any website form. Google hopes that by displaying this new warning message to users it will not only help protect users’ personal information, but also be a push for website owners to implement SSL Certificates. This notification will affect all websites, not just ecommerce sites.
Main reasons to use SSL?
- Improve SEO ranking and Google trust
- Prevent Man-In-The-Middle attacks
- Stop phishing websites
- Produce trust with consumers and clients
- Encrypt vital information
Want an SSL certificate for your website? Need help configuring and/or updating an SSL Certificate? Give us a call at 248.687.7888 or email us at inquiry@mediaG.com for assistance with securing your website.