The internet becomes a riskier place each day, and technology works to guard against incoming threats. In your browsing, you may have noticed that browsers will display a little icon, generally a lock or a warning, next to your URL search bar. Just what do these mean for website security, anyways?
To understand those little security icons and the SSL certificates that accompany them, we first have to understand basic encryption technology. Encryption is an old practice that was in use long before computers came around. It involves encoding a message so that it can be deciphered only with the correct key. Without the key, decoding or deciphering the message is nearly impossible. Encryption today applies this principle using mathematics and algorithms, which makes modern ciphers far more advanced and nearly impossible to decode by chance or brute force.
When a website, software, text message, or any bit of information is encrypted, its information is scrambled according to an algorithm (often called “hashing”). It then generates a private key which, upon verification, can be used to decrypt and view or download the content.
SSLs: Secure Socket Layers.
Strictly speaking, SSLs were deprecated in 1999, and what we think of as SSLs today are actually TLSs (Transport Layer Security). However, it is still conventional to use the term “SSL” when referring to this technology. The SSL/TLS certificate applies encryption to a website.
Think of the certificate as a form of identity; just like you can show your ID or passport, a website can show its SSL certificate as verification of its identity. When you visit a secure website, it performs what is known as a “handshake.” Your browser, the client, will say “hello” to the server. It will provide its own encryption details. The website, or server, will then take and verify the credentials, provide its own certificate and say “hello” back. Once this is performed and both the client and server are happy, they are able to communicate securely over an encrypted channel: allowing you, the end user, to view the website privately.
How Secure is TLS/SSL technology?
End-to-end encryption is the most widely used and most secure technology available today. An algorithm is used to hash the data in a manner that is simple to randomly encrypt one way, but mathematically impossible to decrypt without the key. Well, strictly speaking, it is possible if you have all the time in the world, but unlikely. Even supercomputers would take years to break the encryption by brute force, unless you get really, really, and we mean astronomically really, lucky.
However, it’s important to understand that end-to-end encryption through an SSL only applies to the actual content transfer. There are still security risks involved when it comes to website security and browsing online. Consider the following scenarios:
- A website has an SSL installed, but the actual server itself is not secured. A malicious attack need not transfer data through the encrypted site and could simply enter through a server’s unsecured backdoor.
- A website has an SSL installed, but the client isn’t secure. Did you unwittingly install a virus on your browser? The virus living in your client could view, alter, or corrupt information that is being securely transferred to it.
- A website’s security certificate was installed from a fraudulent or weak certificate authority. An SSL is only as secure as the certificate’s issuer. In this case, the certificate might be able to fool the client into establishing an insecure connection. Think of it like a website getting into a bar with a fake ID (we know you’ve never done that!).
- You’re using an outdated SSL. As malicious threats have evolved, so has encryption technology. Weak, outdated encryption methods used by outdated SSLs can create security risks.
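The last two scenarios above, written as a client-side check (an added example, not code from the original article). `hardened_client_context`, `audit_context`, `is_outdated` and `probe` are hypothetical helper names built on Python's standard `ssl` module; the "weak" settings at the bottom are constructed for contrast.

```python
import socket
import ssl

# Version strings as reported by SSLSocket.version(); these are the legacy ones.
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def hardened_client_context() -> ssl.SSLContext:
    """Client settings that verify the issuer chain and refuse old protocols."""
    ctx = ssl.create_default_context()            # trusts only the system CA store
    ctx.check_hostname = True                     # certificate must match the host name
    ctx.verify_mode = ssl.CERT_REQUIRED           # unverifiable certificate: handshake fails
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3, TLS 1.0 or TLS 1.1
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """List the settings that would let a bad certificate or old protocol through."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate issuer is not verified")
    if not ctx.check_hostname:
        findings.append("host name is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions are allowed")
    return findings

def is_outdated(negotiated_version) -> bool:
    """True if a negotiated version (SSLSocket.version()) is legacy or missing."""
    return negotiated_version is None or negotiated_version in LEGACY_VERSIONS

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Handshake with the hardened settings and return the negotiated version.
    Raises ssl.SSLCertVerificationError when the issuer or host name fails."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()

if __name__ == "__main__":
    # Constructed "weak" client: accepts any certificate from any issuer.
    weak = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    weak.check_hostname = False
    weak.verify_mode = ssl.CERT_NONE
    print("weak:", audit_context(weak))
    print("hardened:", audit_context(hardened_client_context()))
```

`probe` is the only function that touches the network; call it against a site you operate to see which protocol version it negotiates.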
Beyond Website Security: How Can I Stay Safe Online?
SSLs are a crucial piece of internet security. Without a layer of encryption between you and the server, you’re vulnerable. But SSLs are only a part of the picture. You have a responsibility as a user to safeguard your endpoint. Here are our best tips:
- Be mindful of the websites you visit. As much as 90% of phishing and ransomware scams still come through email. If you download or install a virus, you put yourself at risk, regardless of the website’s security.
- Use anti-virus software (and keep it up to date!). We are all vulnerable to scams and viruses. Machine learning is making viruses better at mimicking human behavior and tricking us into thinking they’re legit. Anti-virus software will provide a layer of security for the attacks you miss.
- Use a VPN. Masking your identity online isn’t just about privacy. There’s an old saying that if you have nothing to hide you should have nothing to fear. But the reality is we all have much to hide; not questionable behavior, but personal information that can leave us vulnerable. A VPN helps protect your identity while you’re online and can make it harder for hackers to steal your personal information.
- Go through reputable companies! As website developers we have a responsibility to keep our clients’ sites secured for both their own and their clients’ protection. You need to make sure you can trust your website developer to secure your site, and that you visit websites designed by reputable companies who will not neglect website security.
We hope this helps you understand that little lock icon at the top of your website! As one of the first internet marketing companies in Tacoma (and the greater Pacific Northwest), we’ve spent more than two decades watching the internet, encryption, and cybersecurity evolve. We firmly believe that to be successful online you need to be secure. Reach out to us if you’d like to take your website security to the next level!