Ext. City Street – Night
Buddy (V.O.)
I walk through a dimly lit alley. The main road has a well-maintained sidewalk and it’s safer, but I’m what you call the reckless type. I live life on the Edge.
…
Walking too fast. Trench coat catches on the gnarled handle of a broken container, stopping me dead while I work to free it. My fedora comes off in the struggle, touching down in a puddle at my feet.
Buddy (muttering)
So much for going Incognito
Buddy (V.O.)
I dash the water aside and tuck the hat under my arm. The air is stale here, but it’s far from the worst thing blowing about in these parts, that much I know.
Buddy Dasher is your average Internet user — he goes where he wants, when he wants. As a website owner, you’re responsible for the safety of people like Buddy. Things have changed significantly in recent years when it comes to Internet security. It’s easier than ever to keep your users safe, but the stakes are higher too.
The Threat
Buddy doesn’t know what malice awaits him in the dark corners of the alley, and why should he?
Buddy (V.O.) (CONT’D)
There’s a soft laughter, almost sinister. I keep on walking. It’s the only thing you can do, really. My fists clench in my pockets as every fiber of my being prays that it’s not him: the Man in the Middle.
They say he’s everywhere and he’s nowhere, and for right now I’m just going to imagine he’s nowhere. I’ve got places to be. Sal’s joint is up ahead, I’ll be safe there.
Internet users come from all walks of life, and some will inherently care less about computer security than others. This is fine, as long as website administrators take the reins and secure things on their side. Encrypting a website with an SSL certificate is a simple task that has many benefits for end users. The implicit trust of most users extends further than most website owners or the users themselves realize.
Any kind of information — no matter how seemingly innocuous — can be misused. Search queries, browser data, email addresses and other contact information, names, location data — all of these have value enough to motivate theft. An SSL certificate almost guarantees that this information remains private, at least between the user and their intended application.
The so-called man-in-the-middle attack involves a third party scooping up (or even modifying) information in transit. Users think they’re communicating exclusively with a website, but that information passes many potential dark alleys in its journey, where anyone with enough care can listen in. Even the most basic SSL certificate encrypts that communication, rendering it useless to snoopers.
The Stakes
Users will generally fall into one of two groups in how they deal with this kind of vulnerability. Users like Buddy have no idea what they risk in using insecure communication. The presence (or lack) of a lock icon in their browser will not faze them in making an online purchase or typing out a sensitive search query.
Buddy (V.O.) (CONT’D)
Knocking, pounding on the door. The light from the peephole blots and comes back: no answer. Sal’s a bit of a meathead, but I don’t understand. He’s known me for years, what’s the hesitation? My friends are already here, it’s not like he needs them to vouch for me.
Buddy
Come on, Sal, open up.
The other category of users, the savvy type, will think twice about using your site. These users will pass you right by if you’re selling anything or need sensitive information in your contact forms. Skipping SSL is cutting out this demographic altogether, and this group is set to grow. Acting in users’ best interest, Google is attempting to shift users into this category. In a blog post on security, the browser maker detailed plans to begin warning users of insecure sites starting January 2017.
This is on top of a (rather more meaningful) post about SSL security becoming a ranking signal in Google search results. Again, it’s a small start, but a sign of things to come.
At this point, even sites that don’t handle sensitive information are hard pressed to justify skipping out on an SSL certificate. They offer your users privacy, even if they aren’t asking. More to the point, being part of the online community means keeping up with standards, and encryption is a standard worth offering. If the web is like a big sprawling city, don’t you want your building to be as well maintained as the other respectable establishments? If cost is the primary reason for hesitation, site owners should be happy to know that there are free options worth your time.
The Solution
What is an SSL Certificate Exactly?
SSL is short for Secure Sockets Layer. SSL certificates are files installed directly onto the web server. These are accessed by your visitors’ web browsers, and used to create a secure channel between your website and the user. Entities called Certificate Authorities (or CAs) issue these files to specific websites, thereby extending their trust to those websites for some allotted period of time.
There are several levels of SSL certificates on offer:
- Domain Validation or DV Certificates are the most basic SSL certificates you can have. These are issued by CAs to anyone who can prove that they own a certain domain.
- Organization Validation or OV Certificates are issued after some vetting has been performed by the CA to verify that your legal entity or company owns the domain in question.
- Extended Validation or EV Certificates are only issued after a stringent verification process. The CA itself must conform to a strict set of guidelines before even being allowed to issue EV certificates, and the company applying for the certificate must verify different aspects of their company’s legitimacy before being granted the certificate.
It’s important to note that there’s absolutely nothing wrong with having a basic DV certificate. EV certificates carry the benefit of including your company name alongside the padlock icon in the user’s browser, but they’re very time-consuming and expensive to acquire. DV certificates, on the other hand, are offered these days at some very attractive price-points…
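To make the three levels concrete, the sketch below guesses a certificate's validation level from the subject fields Python's `ssl.getpeercert()` returns, and reports how much of its allotted validity period is left. It is an added example, not code from the original article or from Treefrog; the classification is a heuristic based on which subject attributes are present, and the sample certificates and hostnames are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Subject attributes EV certificates carry that DV/OV ones normally lack.
EV_MARKERS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into a plain dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def validation_level(cert):
    """Heuristic guess at DV / OV / EV from the subject attributes present."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"  # no organization in the subject, only the domain
    return "EV" if EV_MARKERS.issubset(fields) else "OV"

def days_remaining(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now.timestamp()) // 86400)

def fetch_cert(host, port=443, timeout=5):
    """Live use: return the certificate a server presents, after validation."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in getpeercert() format (not real certificates).
SAMPLE_DV = {"subject": ((("commonName", "blog.example"),),),
             "notAfter": "Mar 15 00:00:00 2017 GMT"}
SAMPLE_OV = {"subject": ((("organizationName", "Example Widgets Ltd"),),
                         (("commonName", "shop.example"),)),
             "notAfter": "Mar 15 00:00:00 2017 GMT"}
SAMPLE_EV = {"subject": ((("businessCategory", "Private Organization"),),
                         (("jurisdictionCountryName", "CA"),),
                         (("serialNumber", "0000000"),),
                         (("organizationName", "Example Bank Inc"),),
                         (("commonName", "bank.example"),)),
             "notAfter": "Mar 15 00:00:00 2017 GMT"}

if __name__ == "__main__":
    for sample in (SAMPLE_DV, SAMPLE_OV, SAMPLE_EV):
        name = subject_fields(sample)["commonName"]
        print(name, validation_level(sample), days_remaining(sample), "days left")
```

Against a live site, pass the result of `fetch_cert("your-hostname")` to the same two functions; a low or negative `days_remaining` means renewal is overdue.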
How do I get one?
With more than half of the top 100 (non-Google) sites on the web missing or using misconfigured SSL practices, there’s obviously a massive need for improvement. Though it’s a complicated process to secure such large web sites, it’s a cinch to secure small to medium sites.
A product called Let’s Encrypt is changing the game for SSL encryption. This organization, a fully-qualified CA, offers an automated service for generating and renewing SSL certificates. The best part? Let’s Encrypt’s certificates are issued 100% free-of-charge.
Running the Let’s Encrypt client (which generates and handles renewals) requires either console-level access to your hosting or a hosting partner with Let’s Encrypt integration built in. Treefrog uses both approaches, choosing either depending on the needs of the client.
Buddy (V.O.)
The door cracked open and caught itself by the chain; Sal’s face staring back at me through the split. He wasn’t skeptical, he was downright offended. He looked at me like a monster, and I hadn’t the faintest why.
Sal
I don’t know who you are pal, but you… you get out of here.
Buddy is visibly shaken
Buddy
Sal, it’s me— it’s your Bud. You were at my wedding for the love of—
Buddy (V.O.)
He shook his head and he stepped aside. As the door closed, I caught a glimpse of him. The Man in the Middle. At my table, the one on the left. He was laughing with my friends. They drank with him, and they whispered my secrets into his ear, blind to his duplicity, because he wore my face.
Buddy’s had his identity stolen — a consequence among the worst possible outcomes of careless internet wandering. Though he could have been more careful in where he chose to visit, Sal could have prevented it too, by checking ID at the door.
The same goes for website owners in 2016. We live in wild times, and promoting security and consistency across the web is our responsibility. It’s a simple matter to procure and install an SSL certificate (for free!), and shouldn’t be overlooked even when it’s not critical to the business itself.
Want to talk ‘security’ with Treefrog? Give us a ring and we’ll be on the case.
For an in-depth look at adding SSL to your WordPress site, check out our friend’s article at CloudLiving.