Is SSL Enough to Secure Your Website?

Date aired: July 31, 2018

It's a move we've seen coming since early 2017: Chrome now officially marks HTTP sites as 'not secure'. Chrome held 62.85% of the browser market as of last month, which means that even small changes can have a big impact on website owners if ignored.

Joshua Hammer

Sales Operations Manager

Josh manages the sales chat team for Sucuri. When he is not reading about the newest hacks or delving into website security, he is at home playing board games with his family or video games with friends.

Questions & Answers

Question #1: Do I need an SSL?

Answer: SSLs protect information in transit. Can you send your money to a bank in a Ford Pinto? Sure! But an armored car is better. Do you need one? No. Should you have one? Yes. Let's Encrypt enables you to have a free SSL, so why not?

Question #2: What is this mixed content warning I get sometimes?

Answer: The mixed content warning is where somewhere in your site an image, link, or page is showing as HTTP instead of HTTPS, causing mixed content. Tony did a fantastic blog post here on how to troubleshoot mixed content warnings.

Question #3: I can't install a free SSL on my server. The host won't let me and I don't want to pay for the SSL, what do I do?

Answer: Well, you can go with a firewall that can help with a partial SSL. Of course, I will recommend ours :-). This will help with the Google rankings and Google Chrome issues but long-term, an SSL on the host is the best option.

Question #4: I have changed my server, or moved to a different provider, how do I move the certificate?

Answer: There are two parts to an SSL – the key and the .crt files. These two files are what you need to move with you. I apologize...in the webinar I called it a private and public key.

Question #5: What could be a good budget for an SSL certificate for an agency?

Answer: As much as possible? Hard to say. Are you going with a free Let's Encrypt SSL? Then just enough to pay the guy to install it. Going with Comodo is going to be a lot more.

Question #6: Browser is not showing the green padlock/green bar, what to do?

Answer: This is due to mixed content. Please see the above :-) or contact your host. They may be able to help :-)


Transcript

Name: Joshua Hammer - Title: Sales Operations Manager

Hey, my name's Josh once again. A little bit about me. I've been here with Sucuri for about four years now. I'm a sales operation manager. Happily married now for 15 years with two wonderful little girls. You know I love games, any kind of games, board games, video games, card games. Security's even a puzzle, so I look at it like a game, and I'm usually having fun. With that, let's get started.

What we're going to cover here in this webinar, we're going to go over the changes that Chrome has made, a little bit about what SSL is and whether or not SSL's enough to really secure the site. Reason we're talking about Chrome? They just made some changes and Chrome has a huge market share. If we turn around and we look at all the browsers out there, there's probably about 10 to 15 browsers. Chrome has a 59 or 60% share, while the other browsers are sharing or fighting for that other 40%. You've definitely got this monster that's at the top. We pulled these stats from StatCounter.com. I'm sure the link will be shared with you guys if you want to take a closer look.

What's this mean? That means there's one browser to rule them all, and that's Chrome. Chrome's recently made some changes. It's not a huge surprise to anybody that these changes came, but let's take a look at them. What Chrome is now doing is rather than just showing a website that's a HTTP site or HTTPS site, as just Example.com, it's showing as not secure Example.com. Then coming up in October, we're going to see that change again from not secure to a nice little exclamation point and not secure.

Most of our users, as we can guess, will look at that and go, "Oh, wait a second here, what's going on?" Users ask, "Well, is it safe?" Let's dig into that a little bit. Is it really safe? Is SSL enough to make a website secure? What is SSL? SSL stands for Secure Socket Layer. It's a way of encrypting information that's in transit between the site and the user. It ensures all the data passed between the web server and the user remains private.

That's a mouthful, so let's break that down. We've got the main site here. This is your site. It's secure. Then you have the user that's using their browser. The SSL is that link in between, this little green line arrow here. That's your SSL. It's going both ways. What it does is it protects the information in transit. It's like an armored van. You've got the information. It goes in at the one site where they're picking up the money and it takes your data. It goes into the secure van. The van drives to the server and then drops off the information.

The thing is, is the data safe inside the server? SSL has no way of knowing. Doesn't really care. It only cares about that information in transit. Your server could be a mess full with malware, SSL would still show you as secure on Chrome. Doesn't really care. Is the browser secure? Who knows. SSL just does not care. It just cares about that information in transit.

What do we do? There's a few things we can do. Obviously, we can go out and put SSL on all of our sites. Google would absolutely love that. There's other options too. We can get a firewall that has SSL. Giving an example, the Sucuri firewall, we put SSL on every single site that signs up through us. We use a Let's Encrypt technology. Now, that SSL is just on the firewall though. It's not on your individual server. As far as Google and the browser is concerned, you have HTTPS. It's using Let's Encrypt. It uses a partial SSL. The information between your browser and the firewall is secure, but then when the information from the firewall goes to the browser, it's [inaudible 00:07:09].

The other option is to use full SSL. This is where with the firewall, you've got the SSL on the firewall. Then you install a cert on the web server as well. The big question comes in is why the change? Does it help? How does it affect you? Why the change? SSL, it's been out there for a long time. It is a security standard. You should probably have SSL on your site nowadays just because, for one, it's free. You can go through Let's Encrypt and get a free SSL as long as your host allows you to install it. For two, even if you're a static page, SSL makes sure the information coming is coming from the browser that sent the information, so you prevent those man-in-the-middle tactics.

Why is it happening? There's been a lot of data breaches here in the not distant past. We've got GDPR that just went into effect, the credit bureau hacks not so long ago. Data is in the forefront of everybody's mind. Google's been ranking SSL higher for a while now. Like I said, it's not a real big surprise. Does it help? Sure, it prevents the man-in-the-middle attacks. The thing is though it doesn't really secure the site. I think this is where Google is taking a leap here. It's great that they're pushing for a more secure internet. That's fantastic. However, telling a user that the site is secure just because it has SSL, I think that does more harm than good. Now users are going to these sites going, "Oh, Google says it's secure so it must be safe." It's just not true.

How does it affect you? Even if we have only 60% of the users on Chrome, which is a huge percentage, and if only 30% of them even notice the change, that's still 30% of that 60% user base that is going to take a second look at that site and go, "I don't think that's a good idea," and browse to a different site just because they have SSL.

I can see a hit in traffic coming to sites that are not HTTPS. It's just going to happen. Between that and Google ranking your site lower in the SSL, it's going to hurt website owners. It just is. That's really all I have. I do want to throw out some goodies out there. Being a sales manager, it's fun. I can throw stuff away. Raz, for being the first person to sign up to the webinar, I want to offer you a free year of website security under our WSS platform pro. I've got your email. I'll be shooting that out. Forgive me, I forget the name for the second person, but I am also going to give a little free one month of subscription for our second sign up, and I'll be emailing you as well. With that, any questions, comments, concerns or wisecracks, I'm here to listen to them all. Take it away.
