Is SSL Enough to Secure Your Website?
Date aired: July 31, 2018
It’s a move we’ve seen coming since early 2017. Chrome HTTP sites are now officially being marked as ‘not secure’. With Chrome dominating 62.85% of the browser market space as of last month means that even small changes can have a big impact on website owners if ignored.
Sales Operations Manager
Josh is managing the sales chat team for Sucuri. When he is not reading about the newest hacks or delving into website security, he is at home playing boardgames with his family or video games with friends.
Questions & Answers
Question #1: Do I need an SSL?
Answer: SSL’s protect information in transit. Can you send your money to a bank in a Ford Pinto? Sure!, But an armored car is better. Do you need one? No. Should you have one? Yes. LetsEncrypt enables you to have a free SSL, so why not?
Question #2: What is this mixed content warning I get sometimes?
Answer: The mixed content warning is where somewhere in your site an image, link, or page is showing as HTTP instead of HTTPS, causing a mixed content. Tony did a fantastic blog post here on how to troubleshoot mixed content warnings
Question #3: I can’t install a free SSL on my server. The host won’t let me and I don’t want to pay for the SSL, what do I do?
Answer: Well, you can go with a firewall that can help with a partial SSL. Of course, I will recommend ours :-). This will help with the Google rankings and Google Chrome issues but long-term, an SSL on the host is the best option.
Question #4: I have changed my server, or moved to a different provider, how do I move the certificate?
Answer: There are two parts to an SSL – the key and the .crt files. These two files are what you need to move with you. I apologize…in the webinar I called it a private and public key.
Question #5: What could be a good budget for SSL certificate for an agency?
Answer: As much as possible? Hard to say. Are you going with free LetsEncrypt SSL? Then just enough to pay the guy to install it. Going with Comodo is going to be a lot more.
Question #6: Browser is not showing the green padlock/green bar, what to do?
Answer: This is due to mixed content. Please see the above 🙂 or contact your host. They may be able to help 🙂
See all Questions & AnswersExpand
Name: Joshua Hammer – Title: Sales Operations Manager
Hey, my name’s Josh once again. A little bit about me. I’ve been here with Sucuri for about four years now. I’m a sales operation manager. Happily married now for 15 years with two wonderful little girls. You know I love games, any kind of games, board games, video games, card games. Security’s even a puzzle, so I look at it like a game, and I’m usually having fun. With that, let’s get started.
What we’re going to cover here in this webinar, we’re going to go over the changes that Chrome has made, a little bit about what SSL is and whether or not SSL’s enough to really secure the site. Reason we’re talking about Chrome? They just made some changes and Chrome has a huge market share. If we turn around and we look at all the browsers out there, there’s probably about 10 to 15 browsers. Chrome has a 59 or 60% share, while the other browsers are sharing or fighting for that other 40%. You’ve definitely got this monster that’s at the top. We pulled these stats from StatCounter.com. I’m sure the link will be shared with you guys if you want to take a closer look.
What’s this mean? That means there’s one browser to rule them all, and that’s Chrome. Chrome’s recently made some changes. It’s not a huge surprise to anybody that these changes came, but let’s take a look at them. What Chrome is now doing is rather than just showing a website that’s a HTTP site or HTTPS site, as just Example.com, it’s showing as not secure Example.com. Then coming up in October, we’re going to see that change again from not secure to a nice little exclamation point and not secure.
Most of our users, as we can guess, will look at that and go, “Oh, wait a second here, what’s going on?” Users ask, “Well, is it safe?” Let’s dig into that a little bit. Is it really safe? Is SSL enough to make a website secure? What is SSL? SSL stands for Secure Socket Layer. It’s a way of encrypting information that’s in transit between the site and the user. It ensures all the data passed between the web server and the user remain’s private.
That’s a mouthful, so let’s break that down. We’ve got the main site here. This is your site. It’s secure. Then you have the user that’s using their browser. The SSL is that link in between, this little green line arrow here. That’s your SSL. It’s going both ways. What it does is it protects the information in transit. It’s like an armored van. You’ve got the information. It goes in at the one site where they’re picking up the money and it takes your data. It goes into the secure van. The van drives to the server and then drops off the information.
The thing is is the data safe inside the server? SSL has no way of knowing. Doesn’t really care. It only cares about that information in transit. Your server could be a mess full with malware, SSL would still show you as secure on Chrome. Doesn’t really care. Is the browser secure? Who knows. SSL just does not care. It just cares about that information in transit.
What do we do? There’s a few things we can do. Obviously, we can go out and put SSL on all of our sites. Google would absolutely love that. There’s other options too. We can get a firewall that has SSL. Giving an example, the Sucuri firewall, we put SSL on every single site that signs up through us. We use a Let’s Encrypt technology. Now, that SSL is just on the firewall though. It’s not on your individual server. As far as Google and the browser is concerned, you have HTTPS. It’s using Let’s Encrypt. It uses a partial SSL. The information between your browser and the firewall is secure, but then when the information from the firewall goes to the browser, it’s [inaudible 00:07:09].
The other option is to use full SSL. This is where with the firewall, you’ve got the SSL on the firewall. Then you install a cert on the web server as well. The big question comes in is why the change? Does it help? How does it affect you? Why the change? SSL, it’s been out there for a long time. It is a security standard. You should probably have SSL on your site nowadays just because, for one, it’s free. You can go through Let’s Encrypt and get a free SSL as long as your host allows you to install it. For two, even if you’re a static page, SSL make sure the information coming is coming from the browser that sent the information, so you prevent those men in the middle tactics.
Why is it happening? There’s been a lot of data breaches here in the not distant past. We’ve got GDPR that just went into effect, the credit bureau hacks not so long ago. Data is in the forefront of everybody’s mind. Google’s been ranking SSL higher for a while now. Like I said, it’s not a real big surprise. Does it help? Sure it prevents the man in the middle attacks. The thing is though it doesn’t really secure the site. I think this is where Google is taking a leap here. It’s great that they’re pushing for a more secure internet. That’s fantastic. However, telling a user that the site is secure just because it has SSL, I think that does more harm than good. Now users are going to these sites going, “Oh, Google says it secure so it must be safe.” It’s just not true.
How does it affect you? Even if we have only 60% of the users on Chrome, which is a huge percentage, and if only 30% of them even notice the change, that’s still 30% of that 60% user base that is going to take a second look at that site and go, “I don’t think that’s a good idea,” and browse to a different site just because they have SSL.
I can see a hit in traffic coming to sites that are not HTTPS. It’s just going to happen. Between that and Google ranking your site lower in the SSL, it’s going to hurt website owners. It just is. That’s really all I have. I do want to throw out some goodies out there. Being a sales manager, it’s fun. I can throw stuff away. Raz, for being the first person to sign up to the webinar, I want to offer you a free year of website security under our WSS platform pro. I’ve got your email. I’ll be shooting that out. Forgive me, I forget the name for the second person, but I am also going to give a little free one month of subscription for our second sign up, and I’ll be emailing you as well. With that, any questions, comments, concerns or wisecracks, I’m here to listen to them all. Take it away.
See Full TranscriptExpand
Similar Past Webinars
In the website security community, our name is known for fast site hack cleanup and responsible vulnerability disclosure. As thought leaders in website security, we are committed to sharing what we know. Follow our concise and helpful website security guides and tutorials so you can learn how to clean and secure your website.
Webinar – 2022 Website Threat Report Webinar
Join us on April 5th as we cover the latest findings from our 2022 Hacked Website Threat Report. We’ll shed light on some of the most common tactics and techniques we saw within compromised website environments.
Webinar – Virtual Patching Webinar
All software has bugs – but some bugs can lead to serious security vulnerabilities that can impact your website and traffic. In this webinar, we dive into the steps you can take to migrate risk from infection and virtually patch known vulnerabilities in your website’s environment.
Webinar – Hacked Website Threat Report 2021
The threat landscape is constantly shifting. As attackers continue to hone their tools and exploit new vulnerabilities, our team works diligently to identify and analyze threats posed to webmasters. Join us on July 6th as we cover the latest findings from our Hacked Website Threat Report for 2021.
Webinar – Logs: Understanding Them to Better Manage Your WordPress Site
In this webinar we will highlight the various activity, access, and error logs WordPress site administrators have at their fingertips. Plus, learn how logs can best be used to manage, troubleshoot, and most importantly, secure your sites.
Webinar – Personal Online Privacy
In our latest webinar, we'll describe action items that can improve the security state of internet-connected devices we all use every day. These devices will include common household staples such as: WiFi Routers, iOS/Android devices, and personal computers.
Webinar – Why Do Hackers Hack?
Join us as we delve into the minds of hackers to explain targeted attacks, random attack, and SEO attacks. Find out why bad actors target websites.
Webinar – WAF (Firewall) and CDN Feature Benefit Guide
A feature benefit guide for our agencies and end users. Why use our firewall? What kind of protection does it offer? How does it affect the efficiency and speed of my site? Will it affect my server's resources? Find out the answers to these questions and more in our webinar…..
Webinar – Preventing Cross-Site Contamination for Beginners
Cross-site contamination happens when one hacked site infects other sites on a shared server. This webinar is for beginners and web professionals to understand cross-site contamination and how to prevent it…..
Webinar – Getting Started with Sucuri!
If you're considering security for your site or are new to our services, this webinar will guide you through Sucuri's simple setup processes. Potential notifications, support options for various scenarios, and ways that you can also work to keep your site malware-free will be discussed…..
Webinar – How to Account for Security with Customer Projects
Learn how you or your agency can account for security with your client projects. Presented by Sucuri Co-Founder, Dre Armeda, this webinar shows how you can get involved and help clients who are not aware of some of the security risks involved with managing a website…..