To padlock or not to padlock? SSL Explained

To padlock or not to padlock? SSL Explained

You visited a website, you saw a green padlock saying “Secure”. Cool. But what does that actually mean? Does that mean a website can’t be hacked? Let me start with the actual difference..

HTTP? HTTPS? What’s the difference?

HTTP (HyperText Transfer Protocol) is a protocol that allows communication between different systems. HTTPS (HyperText Transfer Protocol Secure) is HTTP with SSL (Secure Sockets Layer). The difference? Data sent over HTTP is not encrypted and could be intercepted by a third party. HTTPS solves this problem by encrypting the data. Some websites use HTTP and indeed, you can use it for your own website – nothing stops you from doing so. However, here’s where you face some problems..

Your search rankings are affected, your website is slow..

Google uses HTTPS as a ranking signal. HTTPS protects your privacy – HTTP does not. Websites using HTTP are significantly slower than those using HTTPS – check for yourself. Since Google Chrome 56, all websites using HTTP containing password and / or credit card input fields are now marked as “Not Secure” too:

A SSL certificate costs so much though..

Probably the first thing people think about when talking about SSL is the cost – there were days when this would cost money. Now it does not. You can grab a free SSL certificate from Let’s Encrypt, or, if you want to kill two birds with one stone, you can use CloudFlare – not only does it give you free SSL, it also protects your website from DDoS attacks.

After you get your free SSL, you have one more thing to do: You need to ensure that all requests coming through HTTP are redirected to HTTPS by adding a 301 “Permanent Redirect”.

If you use CloudFlare, this can be really easily accomplished:

Job done – You have SSL! Does that mean your website should be trusted by anyone who visits it? No.

But.. but its HTTPS!

While HTTPS does create an encrypted connection between the server and the browser, it does not mean “this should be trusted”. It means “this is private”. You could be having a private conversation with a devil though, which brings me to the next point..

Phishing + SSL

SSL certificates have several types:

  • Domain Validated (DV SSL) – Most common type of an SSL certificate. Verified using the domain name – no company information is checked.
  • Organization Validated (OV SSL) – This type of SSL certificate does require more validation by the Certificate Authority – a basic review of an organization is performed before issuance.
  • Extended Validation (EV SSL) – Highest type of an SSL certificate. Obtaining it does require identity verification and thorough inspection of the organization by a Certificate Authority.

Users have been told to look for a green padlock when signing in to a website to make sure their details are private. Cybercriminals know it and are taking advantage of it – phishing attacks with DV certificates are becoming more common because after all, such certificates are free. However, there are also occasions of phishing with an EV certificate. For example, in late 2015, a website operated by World Bank Group got hacked and was used to host a phishing page:

Does this website have an EV certificate? Yes.

Does that mean you should enter your PayPal login details on this page? No – this is not PayPal! Just because a website uses SSL on top of HTTP does not mean its contents are secure.

Use HTTPS? Force it!

If you do use HTTPS instead of HTTP, it is best to force it (You should add a 301 “Permanent Redirect” which I talked about earlier) across the entire website, because if you only use HTTPS for a login page, the session ID might be sent over plain HTTP, which could allow an attacker to steal your session. To wrap it all up..

Should I use SSL?

Yes. Here are a few reasons why:

  • It’s free.
  • It encrypts communications between your browser and the website you’re using.
  • It isn’t difficult to set up and maintain.
  • Websites using HTTPS are faster than those using HTTP.
  • HTTPS improves SEO.

What’s more, HTTP may be soon getting nasty red warnings.

After all, you don’t want these “Not secure” warnings to be shown on your website, do you?