Understanding the basics of website security

Warren Rodrigues

Website security is important; especially these days, with increasing attacks and injections. While there is an extensive list of factors that need to be covered, we'll go over the basics of encryption and security certificates in this blog post.

What is TLS / SSL?

As far as websites are concerned, TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that help secure communication between a server and your web browser. This means that data is encrypted when transferred between your browser and the website's server, preventing attackers from reading or modifying any information that is sent over this connection.

The whole process includes handshake, verification, encryption and decryption, which is fairly complex and I'm not going to go into those details here.

Also, note that SSL is deprecated as of June 2015. So what we're using right now is actually TLS.

What is an SSL certificate?

You may have heard or read about SSL certificates. These are actually certificates that can be used with either SSL or TLS, as they are not protocol dependent. They should probably be called SSL / TLS certificates.

Most of these certificates are used on servers with the TLS protocol. However, certificate vendors will probably continue using the term " SSL certificates" for a while, because people are more familiar with this term.

An SSL certificate is a file containing a digital signature that establishes the identity of your website. It should be issued by a trusted Certificate Authority. These Certificate Authorities are included as trusted root certificates by web browsers (Google's Chrome, Mozilla's Firefox, etc.). Your SSL certificate will typically include your domain name, name of the issuer, your public key and expiration date.

After installing an SSL certificate on your website, the address bar of the browser will show a padlock symbol next to the URL. For Extended Validation Certificates, the address turns green or shows your company name next to the URL.

What is HTTPS?

HTTPS (Hyper Text Transfer Protocol Secure) is an application protocol that you'll see in a URL when a website is secured by an SSL certificate. Without a certificate, you see the HTTP protocol. For example, HTTPS://www.google.com and HTTP://www.google.com

Do I need a TLS / SSL certificate for my website?

You should definitely use an SSL certificate if you want to accept any information from your website visitors, using a login form, registration form, enquiry form, etc.

Nowadays, it is considered good practice to always use an SSL certificate for your website, even if you do not accept any information from your visitors. This helps build user trust in your website and confirms that you take security and their privacy seriously.

With the growing number of MITM attacks and malware injections, it is getting more important to encrypt data between your website and your visitors, ensuring no one modifies the data that your website sends to your visitor and vice-versa.

Does SSL affect SEO and Google rankings?

Here's what Google says on their official Webmaster blog:

"Over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We've seen positive results, so we're starting to use HTTPS as a ranking signal. For now it's only a very lightweight signal - affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content - while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web."

So, yes, anything that helps search engine rankings are things that I recommend doing.

Does SSL affect the speed of my website?

There are definitely additional computational costs when using encrypted communication. This means more processor and memory usage on the server and the client. A few years ago, there may have been a measurable delay when using HTTPS. However, newer servers with good configurations can handle the whole encryption process quite efficiently. HTTPS may cost you a little more cash, but it doesn't have to affect the speed of your website.

Types of certificates

There are a few types of certificates to choose from, depending on the level of security and trust needed.

  • Single Domain Validated Certificates
    A single domain validated certificate allows you to secure one domain name. For example, www.google.com. These come in a couple of variants:

    • Free certificates from Let's Encrypt or Comodo (via cPanel's AutoSSL)
      These certificates enable basic protection and trust for your website. However, they lack any kind of warranty that traditional certificates provide. They also have to be renewed every 90 days. Hosting providers may charge a fee for installing and using these certificates, due to the additional operating costs involved, including CPU and memory costs. These certificates can usually be installed in a day.

    • Private certificates from Comodo (or any other provider)
      These certificates are similar to Free certificates, but they can be purchased for 1 year, and up to 3 years at a time. They usually include a warranty starting at USD 10,000. These certificates can usually be installed in a day.

  • Wildcard Domain Validated Certificates
    A wildcard domain validated certificate allows you to secure multiple sub-domains of one main domain name. For example, *.google.com. These certificates can be purchased from a CA like Comodo, GeoTrust or any other trusted provider, for 1 year, and up to 3 years at a time. They usually include a warranty of USD 10,000; and can be installed in one day.

  • Extended Validation Certificates
    An extended validation certificate is the most advanced and secure certificate option available. They allow you to secure a single domain name, and require thorough validation of your domain name and your business. It can take upwards of 10 days to issue this certificate. At the end, you get the only certificate that turns the address bar green; or in newer versions of Chrome, it shows the name of the business next to the browser's address bar. Obviously, these are the most expensive certificates. They can be purchased for 1 or 2 years at a time. The warranty is usually very high. I've seen certificates with a warranty upwards of USD 1 million.

BONUS: Supporting old browsers that don't have SNI implementation

There's also the decision of whether you want to support really old browsers and operating systems, which increases your cost. All new browsers and operating systems support a protocol called Server Name Indication (SNI). SNI allows multiple domain names to be hosted on the same IP address and still have separate SSL certificates installed for each of the domains.

A few old browsers like, yes, you guessed right - Internet Explorer (any version) on Windows XP doesn't support SNI. Also, Internet Explorer 6 and earlier on Windows Vista doesn't support SNI. Other browsers that do not support SNI are:

  • Safari on Windows XP
  • Blackberry 7.1 and earlier
  • Android default browser on Gingerbread 2.x and earlier
  • Windows Mobile 6.5 and earlier

To support these older browsers, you need to buy a dedicated IP for each website. Since version 4 IPs are very scarce, they can be quite expensive.

All newer browsers support SNI. These include:

  • Internet Explorer 7 or newer, on Windows Vista or newer.
  • Mozilla Firefox 2.0 or newer
  • Opera 8.0 or newer (with TLS 1.1 protocol enabled)
  • Google Chrome (Windows Vista or newer, Windows XP requires Chrome 6 or newer, OS X 10.5.7 or newer requires Chrome 5.0.342.1 or newer)
  • Safari 2.1 or newer (Mac OS X 10.5.6 or newer)
  • MobileSafari for Apple iOS 4.0 or newer
  • Android default browser on Honeycomb 3.x or newer
  • Windows Phone 7 or newer
  • Blackberry 10 or newer

So, the question is - does the cost of paying for a dedicated IP for each of your websites justify the minuscule traffic you may receive from these old browsers?

Please enable Javascript to view this site properly.