SSL Certificates protect privacy and validate identity to establish trust with users and improve the internet as a whole.
Having a software development client in a long-term relationship means looking out for the integrity of their brand. As a vendor, we recognize that our clients are often most concerned about the big things: does their website work? Is it attractive and easy to use? But moving a website from development into a production environment in the real world requires that we be sensitive to the security of the site, and some of the details of ensuring that their site is secure can be overlooked or misunderstood.
One thing that ITX encourages our clients to implement on their public web server is a TLS server certificate (technically an X.509 certificate, still commonly referred to as an SSL Certificate). And while most clients appreciate that we’re recommending securing their website, oftentimes they don’t have a deep understanding of what it is and how it protects them.
An SSL Certificate lets the visitor’s browser and the web server set up an encrypted connection, and its presence can be determined by a lock in the browser’s address bar next to the https:// in front of the address (see the address bar above; ITX redirects all of its users to the secure version of our site). Clicking on the lock even allows the end user to gather more detail about the SSL Certificate, such as the name it was issued for, who issued it, and when it was issued and when it expires. Note what the lock does and does not say: it means the connection to the named server is encrypted and the certificate passed the browser’s checks; it says nothing about whether the people running that server are honest.
Without getting too deep into the techniques behind SSL/TLS (Transport Layer Security) encryption, the Certificate carries the server’s public key and is how the browser confirms it is talking to the right party. The TLS handshake then uses that to agree on a fresh, per-connection secret key that both sides use for encoding, or encrypting, all of the data sent and received between the client browser and the server. When done properly, the information transmitted between the two computers will appear to any outsider to be completely random, unintelligible data. This allows for the transmission of important data that users want to keep secure over a public network (like sending credit card information over the internet).
When done improperly, for example with an obsolete protocol version or a weak cipher, an attacker might be able to decrypt or tamper with the traffic in transit. This makes the nomenclature ironic: we still use the term “Secure Sockets Layer” (SSL) to describe the technology, but what is actually in use is the newer protocol, “Transport Layer Security” (TLS). The older versions known as SSL (2.0 and 3.0) have known weaknesses and have been formally retired (RFC 6176 and RFC 7568), and TLS 1.0 and 1.1 have since followed them (RFC 8996), so a server today should offer only TLS 1.2 and 1.3. Because security is so important, many older browsers that cannot speak current TLS versions are finally falling by the wayside, and TLS has become the industry standard.
SSL Certificates also provide a second, often overlooked function that may be more important in some ways than the encryption: authentication of the server’s identity through a mediating third party. Simply put, a trusted Certificate Authority (CA), such as Symantec or GeoTrust (brands that have since moved to DigiCert after browsers stopped trusting the old Symantec roots), puts a digital “rubber stamp” on the SSL Certificate, in effect saying, “We checked, and whoever asked for this certificate controls this domain name.” For organization-validated and extended-validation certificates the CA additionally checks that the named organization is real.
The rubber stamp, or signature, covers a fixed validity period (publicly trusted certificates are now limited to 398 days), at which point the CA needs to issue a fresh signature on a new SSL Certificate and the site needs to install it; a missed renewal is one of the most common ways a working site suddenly starts showing warnings. As an example, if you go to the website https://itx.com (this site), you assume that you’re actually visiting a website built by ITX, that the content actually belongs to ITX, and that you can trust it. While that is somewhat important for a website that merely presents your company to the world, it is essential if you’re taking credit cards or processing private information.
Knowing that both encryption and authentication are important parts of a website that is secured by an SSL Certificate, it’s no wonder that a browser generates a full-on warning when there is an issue with the Certificate.
Google’s Chrome browser says, “Your connection is not private. Attackers might be trying to steal your information.” Other browsers generate similar dire warnings, indicating that there is a problem and requiring the visitor to acknowledge the warning before continuing on to the site that has an issue with its Certificate (and for sites that have opted into HTTP Strict Transport Security, the browser allows no click-through at all).
What’s the right thing to do? Well, if you can afford to wait, don’t visit the site. Hit the back button and then make a phone call or use some other means to communicate with the site owner. There are many reasons for an SSL Certificate to be invalid, such as certificate expiration, a name mismatch (the certificate was issued for a different hostname than the one in the address bar), or a certificate that no trusted authority has signed (self-signed, or issued by a CA the browser does not trust) purporting to represent the actual site. While the former two instances might be the result of an oversight or mistake on the part of the hosting organization, the last instance could be someone on the network path intercepting your connection, or a ring of credit card scammers sending you and others to a fake website where they capture your personal information for their own profit.
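The three failure cases just listed, and the CA signature and validity period described earlier, as an added example that is not part of the original post: a Go program using only the standard library that creates a private CA and a few leaf certificates in memory, then runs the same checks a browser runs (trusted signature, validity period, hostname match) and reports why each one passes or fails. The CA name, the hostnames and the validity periods are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // simple unique serial number source for the demo

// issue creates a key pair and a certificate for name. With parent == nil the
// certificate is self-signed: a CA if isCA, otherwise an untrusted leaf.
func issue(name string, notBefore, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a CA's key is used to sign other certificates
	} else {
		tmpl.DNSNames = []string{name} // the hostname the browser compares against the address bar
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// classify verifies leaf for host against the trusted roots at time now and
// names the reason a browser would reject it.
func classify(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:     host,
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var hostErr x509.HostnameError
	var authErr x509.UnknownAuthorityError
	var invErr x509.CertificateInvalidError
	switch {
	case err == nil:
		return "valid"
	case errors.As(err, &hostErr):
		return "name mismatch"
	case errors.As(err, &authErr):
		return "untrusted issuer"
	case errors.As(err, &invErr) && invErr.Reason == x509.Expired:
		return "expired"
	default:
		return "other: " + err.Error()
	}
}

// Scenarios builds one private CA (the "trusted third party") and checks four
// situations against it, returning the outcome keyed by scenario name.
func Scenarios() map[string]string {
	now := time.Now()
	year := 365 * 24 * time.Hour
	ca, caKey := issue("Example Private CA", now.Add(-year), now.Add(10*year), true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // only certificates signed by this CA are trusted below

	good, _ := issue("www.example.com", now.Add(-time.Hour), now.Add(90*24*time.Hour), false, ca, caKey)
	stale, _ := issue("www.example.com", now.Add(-2*year), now.Add(-year), false, ca, caKey)
	rogue, _ := issue("www.example.com", now.Add(-time.Hour), now.Add(90*24*time.Hour), false, nil, nil)

	return map[string]string{
		"valid":         classify(good, roots, "www.example.com", now),
		"expired":       classify(stale, roots, "www.example.com", now),
		"name mismatch": classify(good, roots, "shop.example.com", now),
		"untrusted":     classify(rogue, roots, "www.example.com", now),
	}
}

func main() {
	for name, outcome := range Scenarios() {
		fmt.Printf("%-14s -> %s\n", name, outcome)
	}
}
```

The "rogue" certificate is the interesting one: it carries the right hostname, is unexpired and is perfectly well formed, yet it fails because nobody the browser trusts vouched for it. That is exactly the case a network attacker or a phishing site can produce on its own, which is why it deserves more suspicion than an expired or mis-named certificate.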
The use of SSL Certificates to protect privacy and validate identity is critical to establishing trust with your users, and ultimately to the continued use of the internet as a platform for commerce and communication. It’s important enough to Google’s mission of linking to quality search results that Google has treated HTTPS as a (lightweight) ranking signal since 2014, favoring sites that send their visitors to an https:// connection. And it’s a sufficiently important factor to the quality of what we deliver that ITX now delivers all websites with the expectation that an SSL Certificate will be in place in the production environment.