Data encryption is a hot topic right now, from iPhones to Mossack Fonseca, so should you be encrypting the data your website handles?
There’s been a great deal of news coverage recently over the data breach at a particular Panamanian accountancy firm and a lot of fuss was made over the FBI attempting to hack an iPhone. Mostly, people are aware of encryption or rather how a lack of it can lead to our data being leaked to people or organisations who were never meant to see it.
So, ask yourself, does your website handle user information? No? How about that contact form where you’re asking people to insert their name, address and phone number?
This sounds complicated! How does it all work?
Secure Sockets Layer or SSL was invented by Netscape. It’s used millions of times every day, on thousands of websites. Any site that you’ve been to that has a green ‘padlock’ icon in the URL bar, or where the URL begins with https:// rather than http:// is using SSL technology.
But what does that mean? Very simply, using SSL means that there is a secure connection between your browser and the web server that is serving up the site you’re browsing.
This means that any information transmitted via the website to the web server will only be seen by the organisation that owns the website. Crucially, if you are asking users to enter any information into your site, you need to ensure that there is a secure connection to your web server.
There is a grey area around what constitutes personal information and what constitutes private information. An example of personal info might be your email address, and private info might be something like your credit card number. There are differing schools of thought on what information needs to be protected by SSL, but generally, if you can encrypt, then you should encrypt.
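As an added example (not part of the original article), the Python sketch below checks a page for forms, such as the contact form mentioned above, whose contents would be submitted over plain http:// rather than https://. The page URL, the HTML and the field names are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: a contact form and a newsletter form.
SAMPLE_HTML = """
<form action="http://www.example.com/send.php" method="post">
  <input type="text" name="name">
  <textarea name="address"></textarea>
  <input type="tel" name="phone">
</form>
<form action="/newsletter" method="post">
  <input type="email" name="email">
</form>
"""


class FormAuditor(HTMLParser):
    """Records each <form>, where it submits to, and its named fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            target = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"target": target, "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            if attrs.get("name"):
                self._current["fields"].append(attrs["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_forms(page_url, html):
    """Return the forms whose data would be sent over unencrypted http://."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    return [f for f in auditor.forms if urlsplit(f["target"]).scheme == "http"]


if __name__ == "__main__":
    for form in insecure_forms("https://www.example.com/contact", SAMPLE_HTML):
        print("Unencrypted submission:", form["target"], form["fields"])
```

A form with a relative action inherits the scheme of the page it sits on, so the same HTML served over http:// would have both forms flagged.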
So does this mean that all my data is safe?
In a word, no. The server that holds the data may still be vulnerable to attack. If this is a web server, facing out to the internet, then you should seek out a reliable host. Phone them and ask them about their security policies. Find out what safeguards they put in place to keep your data secure.
Having an SSL certificate installed also doesn’t keep you safe from infected host machines, like a PC with a virus, or malware running on it.
Right, I get it, I think I need an SSL certificate – where do I buy one?
Online, there are a number of SSL certificate suppliers. As with anything, SSL certificates range in price. The most basic certificates only require you to prove your identity by responding to an email. So, when the certificate is issued, the issuing authority sends an email to firstname.lastname@example.org. You need to have access to that mailbox to respond to the email, proving that you have access to the domain. Once you’ve followed the email confirmation process, the certificate is issued and you can use it straight away.
Extended Validation (EV) certificates are a little trickier to purchase. As their name indicates, you have to go through an extended level of proving who you are to obtain one. To prove your identity, you may need to confirm your business credentials via phone, confirm your trading address by post and be subject to the issuing authority querying your business’s details in national records, phone directories and other publicly held databases.
Once you have your SSL certificate installed, visitors to your site can be assured of two things: firstly, that you are who you say you are, as you’ve proved your identity in order to be issued with a certificate, and secondly, that their connection with your site is encrypted and their information is only being received by you.
Bonus! Google loves them too!
One great advantage to using an SSL certificate is that Google loves them too! Google announced in 2014 that it would start using SSL as a ranking signal, meaning that having an SSL certificate installed may increase your site’s rank in Google. Notably, SSL sites are seen to be ‘more trusted’ as Google understands that you have had to prove your identity to purchase one.
UPDATE – Let’s Encrypt
April 12 2016 saw Let’s Encrypt leave beta and launch fully. This service issues free (yes, free) SSL certificates for everyone to use. If you are a user of the popular cPanel platform, you should now find a Let’s Encrypt section in your dashboard. If it’s not there, ask your host to enable it and start taking advantage of some free SSL certificates!