Why do you need an SSL certificate?

Oct 19, 2016 | Jindřich Zechmeister

Whether you are an individual or a company, you should approach online security in the same way that you would approach physical security for your home or business. Not only does it make you feel safer but it also protects the people who visit your home, place of business, or website. It is important to understand the potential risks and then make sure you are fully protected against them. In the fast-paced world of technology, it is not always easy to stay abreast of the latest developments. For this reason, it is wise to partner up with a reputable Internet security company.

This guide will de-mystify the technology involved and give you the information you need to make the best decision when considering your online security options. For a glossary of terms, please see “Tech Talk Made Simple” at the end of this document.

Website Security

What’s the first thing you do when you’re looking for a new product or service? If your immediate response wasn’t to say ‘Google it’ then you’re weird. Customers are savvy creatures and they don’t just use websites to find out what you do; they also use them to figure out who you are and whether you’re trustworthy enough for them to hand over their hard-earned money to you.

Whether you’re in ecommerce or electrical, holiday cottages or hedge funds, your website is one of your most important business assets. It’s your 24/7 shopfront, and you need to make sure it’s secure and working at its best.

You wouldn’t leave your laptop behind when you leave a coffee shop, or your stockroom door wide open, so why would you take chances with website security?

This section looks at the risks of ignoring website security and just how badly doing so can harm your business. We also explain the basics of what website security means in such a way that you can pitch it to whoever controls the purse strings. And, of course, a business case wouldn’t be complete without a look at the added benefits and return on investment that good website security can offer

Calculating the Cost of Ignoring Website Security Studies

Calculating the Cost of Ignoring Website Security Studies, surveys and questionnaires galore have shown that an unhappy customer is much more vocal than a happy one. If your site triggers a security warning in the web browser of the visiting user or worse, it infects a customer’s computer, that customer is going to tell all their friends and colleagues and thanks to social media perhaps even the wider world. Ouch.

And it’s not just your reputation that you have to worry about. If you have an ecommerce site, warnings and poor security will mean abandoned carts and lost customers.

In a recent Symantec, online consumer study, 56 per cent of respondents go to a competitor’s website to complete their purchase and only 11 per cent go back to the first website after seeing a security warning (Symantec Online Consumer Study, March 2011).

What you stand to lose

The potential costs of a data breach or a malware infection on your website go beyond the immediate cost of a lost sale or good-will payment. Your business stands to lose a lot more:

Money

Most customers who don’t see a visual clue proving your site is secure won’t trust you and you won’t win their business. For the few that give you the benefit of the doubt, if they see a browser or security warning (see section II- ‘Understanding Basic SSL Certificates’ for more on browser warnings) then that’s it: No interest, no purchase, no revenue.

If things get worse and your site is blacklisted by search engines (did we mention that Google alone identifies and flags some 10,000 unsafe sites daily – check out Google’s own site: -(www.google.co.uk/intl/en/goodtoknow/protection/ internet/), the effect is almost the same as shutting down your site altogether. People won’t be able to find you, and even once you’re off the blacklist, your search rankings could be severely damaged. Lost visitors mean lost revenue.

If you suffer a data breach, there may be fines to pay or customers to compensate. A severe infection could mean you have to hire specialists to fix it. None of these things are cheap.

Then of course, there are the man-hours spent responding to website security breaches: You have to track down malware, search for vulnerabilities, renew or apply for SSL certificates, investigate any data loss and update your systems and passwords.Introduction

The average recovery time from a cyber-attack in 2012 was 24 days, according to Ponemon Institute’s 2012 Cost of Cyber Crime Study sponsored by Hewlett Packard (see www. symantec.com/connect/blogs/cost-cybercrime-2012), and the average cost was a staggering $591,780. That’s time and money that could’ve been better spent on sales or development.

Reputation and trust

Once people see a browser warning or hear a news report about a security breach or malware infection, that’s your reputation blown. The general public are well informed about online threats, and if there is any hint that their data won’t be safe with you, then you can kiss their credit cards goodbye.

An expired SSL certificate warning, for example, suggests that you either don’t care about security or that you’ve gone out of business. At the very least it suggests poor organization and if you can’t keep your SSL certificates in order what kind of customer experience are you likely to provide?

Search engine ranking

It can take up to six weeks to get off a search engine blacklist. During that time, when people search for your product or service, no matter how much lovely search engine optimization you’ve done, no one will find you.

Even without being blacklisted, browser warnings can damage your search ranking. If a visitor sees an indication that your site might not be safe they’ll likely click away. The more often people click away after trying to access your site, the lower your search engine ranking goes.

Regulations and compliance

Website security isn’t always optional. There are rules and regulations affecting processes such as data collection and storage, and payment transactions. Fall foul of these and poor website security will cost you dearly.

In the UK, for example, the Information Commissioner’s Office can issue fines of up to £500,000 for serious breaches of the Data Protection Act and Privacy and Electronic Communications Regulations.

Data protection is a vast topic and not one that can be covered in detail in this book. That said, there are some key points that relate to website security that you should be aware of. After all, when it comes to compliance, it’s much easier to be proactive than reactive.

EU data protection directive

The EU data protection directive covers the entire lifecycle of data – from the moment you decide to collect it to how you dispose of it. Website owners take heed: ‘appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data,’ according to the Information Commissioner’s Office (see http://ico.org.uk/for_organisations/ data_protection/the_guide/the_principles).

In order to define ‘appropriate’ you need to understand what your website does:

A basic blog or information site: You only collect anonymized visitor data, for example through Google Analytics using simple cookies. The website is publicly available and you collect little to no personal data so your obligations are less onerous than with sites that collect more detailed data.

A company site, dedicated to product marketing: Advanced customization allows you to build up a profile of your site visitors. You use this data to target your marketing campaigns, so you have to ensure that visitors agree to you collecting such data. As you gather more detailed information, the potential damage of a breach increases, meaning your security obligations increase as well.

An ad-funded website: Alongside collecting information that profiles your visitors you may also pass some of that information on to a third party advertising network so that they can target their campaigns. Remember that as the data controller you remain responsible for how that information is stored and used by the ad network. Similar considerations apply if your site interacts with social networking sites, such as Facebook, to share information.

An e-commerce site: In order to process transactions, you store an address, phone number, credit card details and other financial information. Even if you use a third-party checkout, you still collect certain details and create login and password-protected sessions between your site and the customer. These types of transaction are more attractive to thieves, so reasonable protection of that data means higher levels of security.

A discussion forum or other sites dealing in highly sensitive information: Sites that record data like religious affiliation or medical records and criminal backgrounds have to take special care as they are dealing with sensitive personal data, a specific category within the Directive.

Understanding Basic SSL Certificates

What Is an SSL Certificate?

An SSL certificate is a digital computer file (or small piece of code) that has two specific functions:

Authentication and Verification:

The SSL certificate has information about the authenticity of certain details regarding the identity of a person, business or website, which it will display to visitors on your website when they click on the browser’s padlock symbol or trust mark (e.g., the Norton™ Secured Seal). The vetting criteria used by Certificate Authorities to determine if an SSL certificate should be issued is the most stringent with an Extended Validation (EV) SSL certificate; making it the most trusted SSL certificate available.

Data encryption:

The SSL certificate also enables encryption, which means that the sensitive information exchanged via the website cannot be intercepted and read by anyone other than the intended recipient.

In the same way that an identity document or passport may only be issued by the country’s government officials, an SSL certificate is most reliable when issued by a trusted Certificate Authority (CA). The CA has to follow very strict rules and policies about who may or may not receive an SSL certificate. When you have a valid SSL certificate from a trusted CA, there is a higher degree of trust by your customers, clients or partners.

Where Would I Use an SSL Certificate?

The short answer to this question is that you would use an SSL certificate anywhere that you wish to transmit information securely.

Here are some examples:

  • Securing communication between your website and your customer’s Internet browser.
  • Securing internal communications on your corporate intranet.
  • Securing email communications sent to and from your network (or private email address).
  • Securing information between servers (both internal and external).Introduction
  • Securing information sent and received via mobile devices.

Different types of SSL Certificates

There are a number of different SSL certificates on the market today.

  • The first type of SSL certificate is a self-signed certificate. As the name implies, this is a certificate that is generated for internal purposes and is not issued by a CA. Since the website owner generates their own certificate, it does not hold the same weight as a fully authenticated and verified SSL certificate issued by a CA.
  • A Domain Validated certificate is considered an entry-level SSL certificate and can be issued quickly. The only verification check performed is to ensure that the applicant owns the domain (website address) where they plan to use the certificate. No additional checks are done to ensure that the owner of the domain is a valid business entity.
  • A fully authenticated SSL certificate is the first step to true online security and confidence building. Taking slightly longer to issue, these certificates are only granted once the organization passes a number of validation procedures and checks to confirm the existence of the business, the ownership of the domain, and the user’s authority to apply for the certificate.
  • A domain name is often used with a number of different host suffixes. For this reason, you may employ a Wildcard certificate that allows you to provide full SSL security to any host of your domain – for example, host.your_domain.com (where “host” varies but the domain name stays constant).
  • Similar to a Wildcard certificate, but a little more versatile, the SAN (Subject Alternative Name) SSL certificate allows for more than one domain to be added to a single SSL certificate.
  • Code signing certificates are specifically designed to ensure that the software you have downloaded was not tampered with while en route. There are many cybercriminals who tamper with software available on the Internet. They may attach a virus or other malicious software to an innocent package as it is being downloaded. These certificates make sure that this doesn’t happen.
  • Extended Validation (EV) SSL certificates offer the highest industry standard for authentication and provide the best level of customer trust available. When consumers visit a website secured with an EV SSL certificate, the address bar turns green (in high-security browsers) and a special field appears with the name of the legitimate website owner along with the name of the security provider that issued the EV SSL certificate. It also displays the name of the certificate holder and issuing CA in the address bar. This visual reassurance has helped increase consumer confidence in e-commerce.

Tech Talk Made Simple encryption

Browser: A software program that you use to access the Internet. Examples include: Microsoft Internet Explorer (IE); Mozilla Firefox, Apple Safari, RockMelt, and Google Chrome

Conclusion

Trust makes all the difference in the world of online business. Investment in technology to protect customers and earn their trust is a critical success factor for any company that does business online or hosts an e-commerce website. The effective implementation of SSL certificates and correct placement and use of trust marks are proven tools in the establishment of customer trust.

With the acquisition of Symantec Authentication Services, Symantec is now the leading provider of SSL certificates globally, helping to assure customers that they are safe from searching, to browsing, to buying and signing in*. Symantec secures more than one million web servers worldwide, more than any other CA.* Symantec also secures over two-thirds of websites using Extended Validation SSL – including the biggest names in e-commerce and banking.* When you choose Symantec, you can rest assured that your website and your reputation are protected by the CA with a proven track record and the most recognized trust mark on the Internet.

For more information, visit us at SSLmarket.com.


Ing. Jindřich Zechmeister
TLS certificate specialist
Certificated Sales Expert Plus
e-mail: jindrich.zechmeister(at)zoner.com