Upgrade your SSL security!
In a move towards safer web browsing for users, the latest releases of the popular Chrome (v.56) and Firefox (v.51) browsers have taken a proactive step forward in encouraging the adoption of HTTPS as the preferred protocol for accessing websites.
The first phase of these changes has seen the introduction of more explicit labeling of the site’s connection security in the browser’s address bar with an enhanced security indicator. Initially, pages that collect credit card details or passwords (e.g. login screens or account registration pages) over HTTP will be labeled as “Not secure,” providing a clear warning to users to think carefully before proceeding. The plan is to prompt developers and IT administrators to adopt HTTPS, with future releases of browsers eventually labeling all HTTP pages as not secure.
The security indicators distinguish the following connection states (the original screenshots of the Chrome 56 and Firefox 51 address-bar indicators are not reproduced here):
Standard HTTP page: a neutral indicator, with no padlock.
HTTP page requesting sensitive data: labeled “Not secure”.
Broken HTTPS: labeled “Not secure” because something is wrong with the SSL setup, so the connection may not be trusted or private.
Valid HTTPS: a padlock, which is what you want to see.
To provide some background, HTTPS is the secure version of HTTP. It means communication between your browser and the website is encrypted, which helps protect sensitive information you transmit to a website (with HTTP, all communications are sent as plain text). For a website to offer an HTTPS connection, an SSL certificate must be installed on the web hosting infrastructure (typically, the web server). Once this is in place, a request for an HTTPS web page will cause your browser to initiate an “SSL handshake” (in practice today the TLS protocol, the successor to SSL) to establish the encrypted connection between you and the website.
The interesting thing to note about HTTPS and SSL is that while they secure the connection between the browser and the website, on their own they do not attest to whether or not you should trust the party or website at the other end. Certifying that a website belongs to who it claims to belong to is where a reputable certificate authority (CA) comes into the picture. When a trusted SSL certificate is used, you will typically see a padlock icon in the browser’s address bar. As described above, a green icon or bar indicates that the website’s certificate has been checked and is trusted, whereas a red icon or exclamation mark indicates a problem.
It’s important to obtain your SSL certificates from a reputable CA to ensure your certificate will be compatible with major devices and browsers, while also giving users confidence that they can trust the party running the website. There are a number of CA vendors out there, but some of the more well-known ones include Thawte, GeoTrust, Comodo, Symantec, DigiCert and GoDaddy. Each vendor typically has a range of certificate product offerings at different price points, so you can choose the one that best suits your needs and budget.
Under the hood, all SSL certificates use the same method to encrypt data, but the different vendors offer value-adds such as warranties, multiple domain name coverage, vetting, and support. SSL certificates are typically categorised by one of the following validation methods:
Domain validated (DV) certificates
DV certificate validation is largely automated and is based on a simple check that the requestor has control over the domain. These certificates are typically the most affordable and fastest to get issued. The standard process is for the certificate authority to send an approval request email to either a listed WHOIS contact (specified with the domain registrar) or one of a pre-defined list of generic email addresses that may be associated with the domain (e.g. webmaster@domain.com).
The validation process for DV certificates does not verify the organisation behind the domain name, so it doesn’t attest to the legitimacy of the owner. Accordingly, the domain owner’s business details are not incorporated into the issued certificate and therefore are not shown in a browser’s address bar.
Organisation validated (OV) certificates
With OV certificates, the certificate authority performs a higher level of vetting to verify information about both the domain and its owner. The CA will typically verify the domain owner’s business details, that the business is legitimately registered with the appropriate authority, and that the company’s address matches the one specified on the application. Issued OV certificates have the business’ details incorporated into the certificate.
Extended validation (EV) certificates
EV certificates are the “top-of-the-line” type of SSL certificate and offer the highest level of validation. These certificates require an in-depth vetting process and often take a few days to confirm business details such as legitimate registration, physical address, and that the applicant contact is authorised to order the certificate on behalf of the company.
The process is more rigorous than for a standard OV certificate, but it results in web browsers recognising the issued certificate and displaying additional indicators such as a green bar and the organisation name in the URL bar.
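The checks a browser makes before showing the padlock, and the DV versus OV/EV difference described above, can be seen directly in a server certificate. The following is an added example (not code from the original post) that inspects a certificate in the dictionary format returned by Python’s `ssl` module: it checks the validity window and hostname match, and reports whether organisation details are present in the subject (absent on DV certificates, present on OV/EV). The sample certificates are constructed for this example.

```python
import socket
import ssl
import time

# Constructed samples in the format returned by ssl.SSLSocket.getpeercert()
DV_SAMPLE = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan  1 00:00:00 2017 GMT",
    "notAfter": "Jan  1 00:00:00 2018 GMT",
}
OV_SAMPLE = {
    "subject": ((("countryName", "AU"),),
                (("organizationName", "Example Pty Ltd"),),
                (("commonName", "*.example.com"),)),
    "subjectAltName": (("DNS", "*.example.com"),),
    "notBefore": "Jan  1 00:00:00 2017 GMT",
    "notAfter": "Jan  1 00:00:00 2018 GMT",
}

def _subject_field(cert, key):
    """Return the first value of `key` in the subject DN, or None if absent."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == key:
                return value
    return None

def _hostname_matches(cert, hostname):
    """Match against DNS SANs; a wildcard covers exactly one left-most label."""
    host = hostname.lower()
    for kind, value in cert.get("subjectAltName", ()):
        san = value.lower()
        if kind != "DNS":
            continue
        if san == host:
            return True
        if san.startswith("*.") and host.endswith(san[1:]) and host.count(".") == san.count("."):
            return True
    return False

def inspect_cert(cert, hostname, now=None):
    """Summarise the browser's checks: validity window, hostname, organisation."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    org = _subject_field(cert, "organizationName")
    return {
        "hostname_ok": _hostname_matches(cert, hostname),
        "in_validity_window": not_before <= now <= not_after,
        "organisation": org,
        "validation_hint": "OV/EV (organisation present)" if org else "DV (no organisation details)",
    }

def fetch_cert(hostname, port=443, timeout=5):
    """Fetch a live certificate, verified against the system trust store (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

For a live site, `inspect_cert(fetch_cert("www.example.com"), "www.example.com")` runs the same checks on the real certificate; a certificate that fails the hostname or validity check is what the browsers label as broken HTTPS.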
Obtaining an SSL certificate for your site is worth the small investment to uphold your online reputation, build trust and promote confidence among users of the modern web. OV and EV certificates are the recommended types of certificate to use and will work well with the new browser changes and their new security indicators.
Should you require assistance in selecting and installing the right SSL product for your site, then Zeroseven is here to help.