The short answer to the question “does using SSL make my website secure?” is no, but it is important to understand why and what SSL actually does, so read on.
The biggest misconception among website owners is that an SSL certificate will make their website secure from hackers and malware, which is not true. This stems from a lack of understanding about what makes a website secure versus not secure.
For example, since July 24th 2018, websites that do not use SSL certificates have been marked “Not Secure” in the address bar of Google Chrome, with other browsers such as Firefox, Microsoft Edge and Safari following suit soon after.
However, a website with an SSL certificate is not necessarily a “secure” website. SSL simply encrypts the data sent between the visitor and web server but does not actually protect the website itself from hackers or malware.
There is a lot more to making your website secure which website owners need to understand if they want a truly secure website. The SSL part only secures the traffic between client and server, nothing else.
What the “not secure” message in your browser is telling you is that any data sent between you and the website is not encrypted, so it could be intercepted by hackers and cyber criminals.
What Are SSL Certificates?
SSL is the acronym for Secure Sockets Layer. It is the standard security technology for establishing an encrypted link between a web server and a browser. SSL certificates have become a best practice in website security for good reason.
As mentioned above, any website not using SSL will display a warning that the site is “Not secure” on all up-to-date modern browsers, such as Chrome, Firefox, Microsoft Edge and Safari.
SSL certificates help protect the integrity of the data in transit between the host (web server or firewall) and the client (web browser). They make sure no one is able to see or modify the data in transit, preventing what is known as a man-in-the-middle attack.
All types of SSL certificates verify the domain name of the website.
Let’s see the types of SSL certificates:
Domain Validated SSL Certificate (DV SSL)
DV SSL Certificates are the most popular SSL certificates on the Internet, even though they only validate the domain name.
Let’s Encrypt offers these kinds of certificates, which are completely FREE and can be installed via cPanel, and they are offered by most decent hosting providers. If your hosting provider does not offer Let’s Encrypt and you do not want to pay for a premium SSL certificate, then you might want to consider switching to a provider like Guru.
Organization Validation SSL Certificate (OV SSL)
OV SSL Certificates require more documentation for a Certificate Authority to certify that the organisation making the request is registered and legitimate.
These certificates will display the name of the organization if you click on the padlock that appears on the top left corner of a browser.
Premium Extended Validation SSL Certificates (EV SSL)
EV SSL Certificates require even more documentation for a Certificate Authority to validate the organization making the request. These certificates will be more visible because besides displaying the padlock in the address bar, they will also display the name of the organization.
The only practical difference among these three certificate types is their verification process. The technical security is the same for all. While DV certificates only test ownership of the domain (by technical means), OV and EV certificates require actual paperwork in order to be issued.
At the end of the day, all SSL certificates encrypt data, and the average visitor to your website is going to be oblivious as to which you are using; only the most astute, security-conscious and technically minded person will even think about checking your SSL certificate.
For the average website owner, a free Let’s Encrypt SSL certificate will suffice. If you run an eCommerce website, or a website that stores personal information and requires PCI DSS and GDPR compliance, then you may want to consider a premium SSL certificate.
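For the few visitors who do check, the difference between the three types is visible in the certificate's subject. As an added example (not part of the original article), here is a Python script that takes a certificate in the dictionary form Python's `ssl` module returns from `getpeercert()` and classifies it as DV, OV or EV using a heuristic on the subject fields only: no organization name means DV, an organization name means OV, and the extra business-category and jurisdiction fields the CA/Browser Forum EV guidelines require mean EV. The sample certificates, hostnames and function names are constructed for the example; a real browser decides EV from certificate policy OIDs, which this heuristic ignores.

```python
import socket
import ssl

# Subject attribute names as Python's ssl module (via OpenSSL long names) reports them.
ORG = "organizationName"
EV_FIELDS = ("businessCategory", "jurisdictionCountryName")


def subject_fields(cert):
    """Flatten the 'subject' entry of a getpeercert() dict into {name: value}."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def validation_level(cert):
    """Heuristic DV/OV/EV classification from the subject alone.

    Assumption: this ignores certificate policy OIDs, which is what browsers
    actually check, so treat the result as an approximation.
    DV: no organization in the subject, only the domain was validated.
    OV: an organization name is present.
    EV: organization plus the business category / jurisdiction fields that
        the CA/Browser Forum EV guidelines require.
    """
    fields = subject_fields(cert)
    if ORG not in fields:
        return "DV"
    if all(name in fields for name in EV_FIELDS):
        return "EV"
    return "OV"


def subject_alt_names(cert):
    """DNS names the certificate is valid for (modern browsers ignore the CN)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def fetch_cert(hostname, port=443, timeout=5):
    """Fetch a live, chain-verified certificate (needs network; not used in the demo).

    getpeercert() only returns a populated dict when verification succeeded,
    which is why the default verifying context is used rather than CERT_NONE.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the shape getpeercert() returns.
DV_SAMPLE = {
    "subject": ((("commonName", "example.test"),),),
    "subjectAltName": (("DNS", "example.test"), ("DNS", "www.example.test")),
}
OV_SAMPLE = {
    "subject": (
        (("countryName", "GB"),),
        (("organizationName", "Example Ltd"),),
        (("commonName", "example.test"),),
    ),
    "subjectAltName": (("DNS", "example.test"),),
}
EV_SAMPLE = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "GB"),),
        (("serialNumber", "00000000"),),
        (("countryName", "GB"),),
        (("organizationName", "Example Ltd"),),
        (("commonName", "example.test"),),
    ),
    "subjectAltName": (("DNS", "example.test"),),
}

if __name__ == "__main__":
    for cert in (DV_SAMPLE, OV_SAMPLE, EV_SAMPLE):
        print(validation_level(cert), subject_alt_names(cert))
```

Whatever the classification says, the encryption on the wire is identical for all three; the subject fields only tell you how much paperwork the CA checked before issuing.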
SSL Certificates do not protect you from Malware Infections
SSL certificates cannot protect a website from a malware infection, nor can they stop a website from spreading malware to its visitors.
Ironically, infected websites served over HTTPS will ensure the integrity of the malware until it reaches its potential victims, aka the website’s visitors.
A website’s padlock in the address bar does not mean the website is secured. It only means that the information between the website’s server and the browser is secured.
That is something both webmasters and Internet users need to be really mindful of.
It is important to force HTTPS (redirect every HTTP request to HTTPS) after you install an SSL certificate on your website. If attackers compromise your site and link to malware assets over HTTP, browsers will display mixed content warnings.
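Both points in the paragraph above can be exercised in code. As an added example (not the article's own code; the hostnames, HTML and function names are assumptions), here is a Python module that does two things: it scans an HTTPS page's HTML for sub-resources that would still load over plain HTTP, distinguishing active mixed content (scripts, stylesheets, frames), which browsers block, from passive mixed content (images, media), which they only warn about; and it provides a WSGI middleware that forces HTTPS by redirecting HTTP requests to a configured canonical host and adds a Strict-Transport-Security header once the request arrives over TLS.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a sub-resource. Scripts, stylesheets,
# frames and objects are "active" mixed content (blocked by browsers); images and
# media are "passive" (loaded with a warning).
RESOURCE_ATTRS = {
    "script": "src", "link": "href", "iframe": "src", "object": "data",
    "img": "src", "audio": "src", "video": "src", "source": "src",
}
ACTIVE_TAGS = {"script", "link", "iframe", "object"}


class MixedContentScanner(HTMLParser):
    """Collect sub-resources that an HTTPS page would load over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        # Only <link> elements that load a stylesheet count as fetched resources.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or ""):
            return
        target = attrs.get(attr_name)
        if not target:
            return
        # Resolve relative and protocol-relative URLs the way a browser would,
        # so "//cdn.example.test/x.css" inherits https and is not a finding.
        absolute = urljoin(self.page_url, target)
        if urlsplit(absolute).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((kind, tag, absolute))


def find_mixed_content(page_url, html):
    """Return [(kind, tag, url)] for every http:// sub-resource on an https page."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


def force_https(app, canonical_host, max_age=31536000):
    """WSGI middleware: redirect plain-HTTP requests to HTTPS and add HSTS.

    The redirect target uses a configured host rather than the request's Host
    header, so an attacker-supplied Host header cannot turn this into an open
    redirect. max_age is the HSTS lifetime in seconds (one year by default).
    """
    def wrapped(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            location = "https://" + canonical_host + environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently", [("Location", location)])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            headers = list(headers) + [("Strict-Transport-Security", "max-age=%d" % max_age)]
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)
    return wrapped


def run_wsgi(app, environ):
    """Minimal WSGI driver for demos: returns (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def hello_app(environ, start_response):
    """Placeholder application standing in for the real site (constructed)."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [SAMPLE_HTML.encode()]


# Constructed page with one blocked (script) and one warned-about (img) mixed resource.
SAMPLE_HTML = """<html><head>
<script src="http://cdn.example.test/lib.js"></script>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="//cdn.example.test/site.css">
</head><body>
<img src="http://images.example.test/logo.png">
<img src="https://images.example.test/ok.png">
</body></html>"""

SECURE_APP = force_https(hello_app, canonical_host="www.example.test")

if __name__ == "__main__":
    print(run_wsgi(SECURE_APP, {"wsgi.url_scheme": "http", "PATH_INFO": "/login"})[:2])
    print(find_mixed_content("https://www.example.test/", SAMPLE_HTML))
```

Two deployment caveats: behind a reverse proxy or CDN, `wsgi.url_scheme` must be derived from the proxy's `X-Forwarded-Proto` header (and only from a trusted proxy), otherwise every request looks like plain HTTP and the redirect loops; and browsers remember the HSTS header for its full `max-age`, so only enable it once every host the site uses serves HTTPS correctly.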
What is Website Security?
There are no turnkey solutions to security; instead it’s a combination of people, processes, and technology that help create a manageable and scalable approach to security for any organization.
Defining website security is hard because it depends on the necessities of each organization. For example, a personal blog does not have the same concerns as an e-commerce store or the site of a web development agency.
Believing that a website is secure because it has implemented an SSL certificate leads to a false sense of security, which can be dangerous. A website with SSL is not secure if it does not have other layers of protection, such as a Web Application Firewall (WAF) or access controls. An HTTPS website could still be hacked and dangerous to visitors.
No matter if it is HTTP or HTTPS, if a website is infected with malware, some internet security companies can put warnings on it and in search results, letting everyone know that the site contains malicious code.
These are the top 10 blacklists:
- Google Safe Browsing
- Norton Safe Web
- PhishTank
- McAfee SiteAdvisor
- Sucuri Malware Labs
- SpamHaus DBL
- Yandex (via Sophos)
What is the Difference between SSL and Website Security?
Website security is more comprehensive than HTTPS/SSL alone and should be treated as such. HTTPS/SSL is one of many security controls to consider when thinking about your website’s security. Deploying HTTPS/SSL on your website does little to ensure your visitors are safe if you do not take other actions to create a secure environment.
To keep your website secure, you need to perform actions such as:
- Keep your web application properly maintained and up to date. If you cannot do this yourself, hire someone to provide website management.
- Regularly scan your website for malware or hacks. Your hosting provider should also be doing regular scans, but their scans may not pick up a hacked website.
- Use a web application firewall such as Sucuri or Cloudflare
- Install security plugins where applicable, such as Malcare or Wordfence for WordPress sites
- Use strong passwords and two-factor authentication
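Regular scanning is easiest to reason about when there is a known-good baseline to compare against, because a hacked site usually shows up as core files that changed or new files that appeared where nothing should be written. As an added example (not from the article and not any vendor's scanner), here is a Python file-integrity check that hashes every file under a site's document root, stores the result as JSON, and reports files that were added, modified or removed since the baseline. The directory layout and the tampering in `demo()` are constructed; the skipped directories are an assumption and should match wherever your own site writes at runtime.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large uploads don't need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, skip_dirs=("cache", "uploads")):
    """Map every file under root (posix relative path -> sha256), skipping volatile dirs."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directories that legitimately change at runtime (assumed names).
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            full = Path(dirpath) / name
            baseline[full.relative_to(root).as_posix()] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Return what changed since the baseline: added, removed and modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    """Persist the baseline; keep this copy somewhere the web server cannot write."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Build a throwaway site tree, baseline it, change it, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "wp-includes").mkdir(parents=True)
        (site / "uploads").mkdir()
        (site / "index.php").write_text("<?php echo 'hello'; ?>")
        (site / "wp-includes" / "functions.php").write_text("<?php // original ?>")
        (site / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8")  # volatile, skipped
        save_baseline(build_baseline(site), Path(tmp) / "baseline.json")
        # Constructed changes: one core file edited, one file that was never in the baseline.
        (site / "wp-includes" / "functions.php").write_text("<?php // modified ?>")
        (site / "wp-includes" / "unexpected.php").write_text("<?php // new file ?>")
        return compare(load_baseline(Path(tmp) / "baseline.json"), build_baseline(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_baseline()` right after a clean install or update and store the JSON off the server (or at least outside the web root and read-only to the web server user); an attacker who can write to the site can otherwise rewrite the baseline too. Every entry in `modified` or `added` is then something to explain: a legitimate update, or a change you did not make.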
To sum it up, in an HTTPS website, data in transit is protected, but the website itself can still be vulnerable.
Check out this webinar by Sucuri on how SSL differs from website security.
Security is not a constant. You need to invest time and resources to create a plan that fits your needs. HTTPS is great for the Internet as a whole because it helps keep communication secret between users and the websites they visit. SSL is what secures that data in transit only, not the website.
SSL certificates only account for a small piece of the website security puzzle.
I encourage website owners to think about website security holistically and consider leveraging a Website Security Platform like Sucuri that offers a complete suite of security controls: protection, detection, monitoring, and incident response.
If you need help with SSL, securing your website, website management, anything else mentioned in this article or other Web/IT related issues, then feel free to get in touch.