Is SSL Enough to Secure Your Website?

Name: Joshua Hammer – Title: Sales Operations Manager

Hey, my name’s Josh once again. A little bit about me. I’ve been here with Sucuri for about four years now. I’m a sales operation manager. Happily married now for 15 years with two wonderful little girls. You know I love games, any kind of games, board games, video games, card games. Security’s even a puzzle, so I look at it like a game, and I’m usually having fun. With that, let’s get started.

What we’re going to cover here in this webinar, we’re going to go over the changes that Chrome has made, a little bit about what SSL is and whether or not SSL’s enough to really secure the site. Reason we’re talking about Chrome? They just made some changes and Chrome has a huge market share. If we turn around and we look at all the browsers out there, there’s probably about 10 to 15 browsers. Chrome has a 59 or 60% share, while the other browsers are sharing or fighting for that other 40%. You’ve definitely got this monster that’s at the top. We pulled these stats from StatCounter.com. I’m sure the link will be shared with you guys if you want to take a closer look.

What’s this mean? That means there’s one browser to rule them all, and that’s Chrome. Chrome’s recently made some changes. It’s not a huge surprise to anybody that these changes came, but let’s take a look at them. What Chrome is now doing is rather than just showing a website that’s a HTTP site or HTTPS site, as just Example.com, it’s showing as not secure Example.com. Then coming up in October, we’re going to see that change again from not secure to a nice little exclamation point and not secure.

Most of our users, as we can guess, will look at that and go, “Oh, wait a second here, what’s going on?” Users ask, “Well, is it safe?” Let’s dig into that a little bit. Is it really safe? Is SSL enough to make a website secure? What is SSL? SSL stands for Secure Socket Layer. It’s a way of encrypting information that’s in transit between the site and the user. It ensures all the data passed between the web server and the user remain’s private.

That’s a mouthful, so let’s break that down. We’ve got the main site here. This is your site. It’s secure. Then you have the user that’s using their browser. The SSL is that link in between, this little green line arrow here. That’s your SSL. It’s going both ways. What it does is it protects the information in transit. It’s like an armored van. You’ve got the information. It goes in at the one site where they’re picking up the money and it takes your data. It goes into the secure van. The van drives to the server and then drops off the information.

The thing is is the data safe inside the server? SSL has no way of knowing. Doesn’t really care. It only cares about that information in transit. Your server could be a mess full with malware, SSL would still show you as secure on Chrome. Doesn’t really care. Is the browser secure? Who knows. SSL just does not care. It just cares about that information in transit.

What do we do? There’s a few things we can do. Obviously, we can go out and put SSL on all of our sites. Google would absolutely love that. There’s other options too. We can get a firewall that has SSL. Giving an example, the Sucuri firewall, we put SSL on every single site that signs up through us. We use a Let’s Encrypt technology. Now, that SSL is just on the firewall though. It’s not on your individual server. As far as Google and the browser is concerned, you have HTTPS. It’s using Let’s Encrypt. It uses a partial SSL. The information between your browser and the firewall is secure, but then when the information from the firewall goes to the browser, it’s [inaudible 00:07:09].

The other option is to use full SSL. This is where with the firewall, you’ve got the SSL on the firewall. Then you install a cert on the web server as well. The big question comes in is why the change? Does it help? How does it affect you? Why the change? SSL, it’s been out there for a long time. It is a security standard. You should probably have SSL on your site nowadays just because, for one, it’s free. You can go through Let’s Encrypt and get a free SSL as long as your host allows you to install it. For two, even if you’re a static page, SSL make sure the information coming is coming from the browser that sent the information, so you prevent those men in the middle tactics.

Why is it happening? There’s been a lot of data breaches here in the not distant past. We’ve got GDPR that just went into effect, the credit bureau hacks not so long ago. Data is in the forefront of everybody’s mind. Google’s been ranking SSL higher for a while now. Like I said, it’s not a real big surprise. Does it help? Sure it prevents the man in the middle attacks. The thing is though it doesn’t really secure the site. I think this is where Google is taking a leap here. It’s great that they’re pushing for a more secure internet. That’s fantastic. However, telling a user that the site is secure just because it has SSL, I think that does more harm than good. Now users are going to these sites going, “Oh, Google says it secure so it must be safe.” It’s just not true.

How does it affect you? Even if we have only 60% of the users on Chrome, which is a huge percentage, and if only 30% of them even notice the change, that’s still 30% of that 60% user base that is going to take a second look at that site and go, “I don’t think that’s a good idea,” and browse to a different site just because they have SSL.

I can see a hit in traffic coming to sites that are not HTTPS. It’s just going to happen. Between that and Google ranking your site lower in the SSL, it’s going to hurt website owners. It just is. That’s really all I have. I do want to throw out some goodies out there. Being a sales manager, it’s fun. I can throw stuff away. Raz, for being the first person to sign up to the webinar, I want to offer you a free year of website security under our WSS platform pro. I’ve got your email. I’ll be shooting that out. Forgive me, I forget the name for the second person, but I am also going to give a little free one month of subscription for our second sign up, and I’ll be emailing you as well. With that, any questions, comments, concerns or wisecracks, I’m here to listen to them all. Take it away.