As of March 12, 2019, there were nearly 1.7 billion websites and 44,730 were hacked on that date, according to Internet Live Stats.
Like most statistics, there is usually more to the numbers below the surface. At first glance, we see many sites were hacked, but still a small number relative to the total number of websites. It’s been estimated that approximately 75 percent of “websites” are parked domains or something similar. This means that the approximate true number of websites is 418,101,494, which makes that 44,730 number much more of a concern. Secure Sockets Layer (SSL) was developed and introduced by Netscape in February 1995 to secure communications between clients and server applications over an unprotected network, yet only 48.6 percent of websites are using the related HTTPS by default, according to W3Techs. With the threat of your website being hacked, why aren’t more organizations adopting this protective measure?
My site doesn’t have any sensitive information.
When someone fills out a form on your website, those details can be stolen easily if SSL is not enabled and configured properly. This conundrum isn’t limited to credit card details for online purchases. It can also include simple contact forms that you may be responsible for under privacy laws such as the European Union (EU)’s General Data Protection Regulation (GDPR). If a prospect or client submits a form on your website to contact you about anything and their privacy is then jeopardized, your organization can be held legally responsible, even if you are not in the EU and don’t conduct business in the EU. (If you have even one employee in the EU, you could be held accountable.)
It’s possible for scripts to be injected before your visitor receives the content from your website. These scripts can accomplish a variety of tasks including changing the content delivered, such as including ads and inserting images. To the visitor, it might appear that the additional content was approved by you, which could damage your reputation. Protect your brand by adding an SSL certificate to your website.
You’re still not convinced.
Phishing attacks typically happen through emails that include links to what appear to be legitimate websites. The emails will appear to come from a trusted person or from a trusted service provider such as Amazon, PayPal or any other site you might have liked on Facebook, Twitter, LinkedIn, etc. Your browsing history and other data are being bought, sold and shared without your knowledge, so it’s only a matter of time before you’re faced with a phishing email.
Having an SSL certificate on your website, combined with a properly configured HTTPS protocol, enables browsers to display a lock icon next to your website’s URL in the address bar. Training yourself, employees, customers, family and friends to look for this lock icon can help cut down on phishing attacks by helping them verify that the site they are visiting is legitimate. It’s not foolproof, but it is a step closer to safer browsing.
Which SSL certificate should I choose?
The three main types of SSL certificates available include:
- Domain Validated (DV) – The certificate is validated against the domain portion of your web address.
- Organization Validated (OV) – The certificate is validated by a real person against a registry database hosted by a government.
- Extended Validation (EV) – Validation is the same method as the OV certificate, but also requires additional information such as a letter from your CPA, Dun & Bradstreet number, physical location verification, etc.
So which is best for your website? Two factors to consider here include:
- The different levels of validation may improve the level of trust established with your website visitors.
- The certificates typically all provide the same levels of encryption.
The first is the level of trust with the business and the second is the level of trust with the data to and from the website. The more validation you request, the higher the cost, which can vary dramatically. Consider this like putting up obstacles for thieves to have to hurdle.
For a non-ecommerce site or one that does not collect sensitive information, a Domain Validated (DV) certificate should be sufficient. E-Commerce and other sites that collect sensitive information should opt for at least an Organization Validated (OV) certificate. For instance, an online retailer would likely need this type. Depending on the degree of trust required between you and your customers, an Extended Validation (EV) certificate may be required. For example, a bank would likely need this level of certificate.
Does It Matter Where I Get My SSL Certificate?
Most web hosts offer SSL certificates either included with your hosting or as an add-on service. WP Engine includes a free SSL certificate with its hosting packages, while GoDaddy.com offers SSL certificates as an add-on or standalone product. Other web hosts may include a free SSL certificate for the first year only, while WP Engine includes the SSL certificate for the life of the hosting account. Beyond pricing options, not all SSL certificates are created equal, so it is still important to carefully select the right provider of the SSL certificate.
In the table below, three SSL certificates are compared along with their Qualys SSL Labs grade. “SSL Labs first launched in 2009, its main goal being to provide comprehensive diagnostics of SSL/TLS and PKI configuration issues.”
| Certificate Issuer | Key | SSL Labs Grade | Cost |
|---|---|---|---|
| TrustWave | RSA 2048 bits | B | $99 |
| CloudFlare | EC 256 bits | A+ | $0 |
| Let’s Encrypt | RSA 2048 bits | A | $0 |
NOTE: This comparison shows that paying more doesn’t always mean you get more.
Qualys SSL Labs Grading Summary
- A+ – exceptional configuration
- A – strong commercial security
- B – adequate security with modern clients, with older and potentially obsolete crypto used with older clients; potentially smaller configuration problems
One of the many diagnostics provided by Qualys SSL Labs is discovery of the encryption key type and size provided by the SSL certificate. According to Wikipedia, “a 256-bit elliptic curve public key should provide comparable security to a 3072-bit RSA public key”. As shown in the table above, the certificate with “EC 256 bits” received the highest grade. There are many factors that play into the grading system, and it’s important to be aware of how well the certificate is being implemented at the certificate host and website.
Why Pay for an SSL Certificate When I Can Get One for Free?
There are times when paying for an SSL certificate is necessary, such as when you need an OV or EV certificate. Additionally, some web hosts don’t play well with SSL certificates that aren’t issued by them since SSL certificates may be a source of income for the web hosts. Still, some hosts that provide SSL certificates for free choose to do so out of a desire to make the Internet a better place.
Does the certificate auto-renew or do I have to manually renew it periodically? Most hosts support auto-renewal, but there are some that do not. This can be a problem, since it adds one more thing to your to-do list to keep up with.
Do I need to protect a single domain, wildcard domain or multi-domain?
If you only need to protect one domain such as www.yourdomain.com, then a single SSL certificate will be sufficient. Wildcard SSL certificates protect multiple subdomains such as techsupport.yourdomain.com or events.yourdomain.com. If you have more than one registered domain ending in .com, .net and .org for example, then you’ll need to obtain a certificate for each variation.
Does the certificate support TLS 1.3?
TLS 1.3 provides the highest level of protection currently available. Additionally, TLS 1.3 delivers improved performance over previous versions. TLS 1.3 is fairly new so many hosts don’t yet support it, but it’s good not to settle for anything less.
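The three questions above (renewal, domain coverage, TLS version) can be checked directly against a certificate. The Python below is an added example, not code from the original article: the certificate dictionary is a constructed sample in the shape Python's `ssl.getpeercert()` returns for a wildcard certificate on yourdomain.com, and the function and field names are the author's own choices.

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a wildcard certificate for yourdomain.com, valid for 90 days.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.yourdomain.com"), ("DNS", "yourdomain.com")),
    "notBefore": "Mar 12 00:00:00 2019 GMT",
    "notAfter": "Jun 10 00:00:00 2019 GMT",
}


def hostname_covered(cert, hostname):
    """True if hostname is listed in the certificate's DNS SANs, exactly or via
    a wildcard. A wildcard covers exactly one extra label: *.yourdomain.com
    matches events.yourdomain.com, not yourdomain.com or a.b.yourdomain.com."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        if pattern.startswith("*."):
            head, sep, tail = host.partition(".")
            if head and sep and tail == pattern[2:]:
                return True
    return False


def days_until_expiry(cert, now=None):
    """Whole days until notAfter (negative once expired); now is epoch seconds."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def needs_renewal(cert, now=None, threshold_days=30):
    """Flag certificates that are expired or inside the renewal window."""
    return days_until_expiry(cert, now) <= threshold_days


def probe(hostname, port=443, timeout=5):
    """Live network check: the negotiated protocol (e.g. 'TLSv1.3') and the
    validated peer certificate, ready for the checks above."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.version(), tls.getpeercert()
```

Run `probe("www.yourdomain.com")` against a host you control and feed the returned certificate to `hostname_covered` and `needs_renewal`; a version other than `TLSv1.3` means the host has not yet enabled it.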
Organizations typically invest thousands of dollars into the initial build of their websites and the ongoing maintenance. Make sure your organization has the right SSL certificate to meet your business’ needs, while protecting your website users and your business.