Here at Butterfly we're always looking for ways to improve security – both for the websites we host for clients and for their visitors. With regular software updates, you can keep on top of security vulnerabilities, and a web application firewall can help protect against malicious activity. But how do we protect the security and privacy of visitors to the site? That's where SSL comes in.
SSL (Secure Sockets Layer) is the technology behind the little green padlock we've all seen when viewing a secure site. That padlock shows that an encrypted connection is being used to exchange information between the web browser and the server. It also provides assurance that we're communicating with the site we think we are on, and not some "man-in-the-middle" who's just pretending to be our bank or email provider.
That's a pretty powerful little padlock, huh? But if you're anything like me, you probably don't even notice when it's not there. Knowing this, Google Chrome and Mozilla Firefox are starting to make changes that give web browser users more visibility of how secure – or insecure – the connection to a website is.
Regular HTTP (i.e. an insecure connection where the URL starts with http:// instead of https://) is fine for basic sites, but not ideal for transmitting sensitive data. The latest version of Google's browser (Chrome 56) is now adding "Not secure" to the address bar when there's no SSL on a web page that collects passwords or credit card numbers:
That's the first step towards making it very clear that regular HTTP pages are insecure. In later versions, all pages without SSL will be marked like this:
More than just security...
It's not just these address bar changes that can affect websites that don't use SSL. Google is also starting to prioritise secure (HTTPS) sites in search results, and other search engines are likely to follow. This means that even on a site with no sensitive data, using SSL can be a simple way to maintain a good position in search engine results.
Butterfly is now recommending SSL for all websites. It’s a simple, low-touch addition to your website’s security, and we can take care of everything for you: generate the crypto keys, purchase the certificate, install it on the server, and manage annual renewals.
We wrote this post and the glossary below to give you a quick intro to SSL, but we understand that it can be a bit confusing at first. Our account managers can work with you to determine what option is best to protect your digital assets, and once your SSL certificate is in place, you – and your website visitors – can benefit from this extra layer of security and privacy.
Want to strengthen security for your website visitors? Get in touch!
What does it all mean?
- HTTPS refers to using HTTP (Hypertext Transfer Protocol) over a secure connection.
- SSL (Secure Sockets Layer) is the protocol used to negotiate a secure, encrypted connection between a web browser and a server.
- TLS (Transport Layer Security) is the name for newer versions of the SSL protocol. Technically, it's TLS we use for the strongest security, but in general terms, SSL and TLS are interchangeable. SSL is the name that stuck, so that's what you'll normally hear us talking about.
- An SSL certificate links the cryptographic key used to encrypt the connection to the website's domain name. A web browser will only establish a secure connection if a valid certificate is installed on the server and the domain in the certificate matches the URL.
- A Certificate Authority (CA) issues certificates that web browsers will trust. The CA performs a validation step to make sure it's issuing the certificate to an authorised admin for the domain. Butterfly uses certificates issued by GeoTrust.
- Domain Validation (DV) certificates are simple, affordable and quick to set up. A DV certificate is suitable for most websites.
- With an Extended Validation (EV) certificate, the CA validates the organisation name as well as the domain name. The web browser address bar shows the organisation name in green, providing assurance that the named organisation is authorised to use the domain. An EV certificate is a good choice for high-profile organisations or sites that conduct financial transactions.