What are the potential disadvantages of SSL/TLS?

Security is one of the most important considerations for anyone setting up a brick-and-mortar store. You have to put in place adequate measures to protect your customers, employees, merchandise, money, assets, and reputation. It’s not any different for a website. An insecure site is vulnerable to a wide range of threats — even more than a physical store. SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) have proven to be one of the most effective means of protecting a website. SSL/TLS has become so integral to online security that leading browsers such as Google Chrome will flag a site as insecure if it runs on HTTP and not HTTPS. More than 70 percent of pages loaded on Google Chrome are secured by SSL/TLS, a phenomenal statistic when you consider that only a tiny fraction of websites were SSL/TLS-secured just a decade ago.

There’s wide consensus on the benefits of SSL/TLS. Nevertheless, there are drawbacks. Not as much attention has been given to SSL/TLS disadvantages, which has seen many businesses that implement SSL/TLS get caught off-guard by the downside. So, while SSL/TLS makes a website more secure, it’s important that you recognize the potential disadvantages. That way, you can establish the appropriate mitigating measures in advance.

1. SSL/TLS has vulnerabilities

SSL/TLS may make your site much more secure from an attack. Nevertheless, it does have vulnerabilities, especially the older SSL versions that preceded TLS. It also matters how SSL/TLS is implemented. Many attacks on SSL/TLS have centered on exploiting implementation gaps. Some have, however, broken through a site’s defenses by harnessing known SSL flaws.

For instance, the POODLE vulnerability takes advantage of the fact that SSL 3.0 ignores the contents of padding bytes when running in CBC (cipher block chaining) mode. TLS is more secure than SSL, but ultimately it is technology, so it has and will have its own flaws.

What all this means is that having SSL/TLS isn’t a license for websites to be complacent in the assumption that all their security problems are gone.

2. Speed degradation

SSL/TLS extends the time it takes for web pages to load on a browser. When a browser first connects to an SSL/TLS-secured web server, a secure session is initiated by the client computer and web server. This preliminary process involves an elaborate back-and-forth handshaking procedure that eventually leads to a secure connection. With the connection established, both the client computer and the webserver have to encrypt and decrypt information before it’s readable on either end of the communication.

The degradation in speed is relatively small, especially if the webserver and client computer have good processor speeds, the site doesn’t have much user traffic, or the Internet connection is fast. That isn’t the case, though, when there is high visitor traffic or lower-spec computing resources. In those conditions, SSL/TLS can significantly lengthen the time it takes for a web page to load completely.

3. Allows insecure encryption

SSL/TLS allows the client computer and webserver to decide what form of encryption they’d like to use for the connection. Many of the encryption standards supported by SSL/TLS are extremely robust and secure. However, SSL/TLS will allow a misconfigured server or outdated software to select an encryption method that falls far short of the level of protection required for modern threats.

Worse still, the person visiting the website may not even realize that they are connected via a below-par encryption standard. As long as the connection is under SSL/TLS, their browser will mark the communication as secure even though it might not be difficult for a knowledgeable attacker to break through.
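Because the browser's "secure" indicator does not show which parameters were negotiated, it helps to audit them directly. The following is an added example, not code from the original article: it flags weak protocol versions and cipher names in the form reported by Python's `ssl.SSLSocket.version()` and `ssl.SSLSocket.cipher()`, and builds a client context that refuses anything below TLS 1.2. The hostnames, the sample scan results, and the weak-token list are assumptions made for illustration.

```python
import re
import ssl

# Protocol versions and OpenSSL cipher-name tokens treated as weak here
# (an illustrative policy, not an exhaustive one).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_TOKENS = {
    "RC4": "RC4 stream cipher",
    "DES": "DES or 3DES block cipher",
    "NULL": "no encryption",
    "EXP": "export-grade keys",
    "MD5": "MD5-based MAC",
    "ADH": "anonymous key exchange",
    "AECDH": "anonymous key exchange",
}

def audit_negotiated(protocol, cipher_name, secret_bits):
    """Return a list of findings for one negotiated connection."""
    findings = []
    if protocol in WEAK_PROTOCOLS:
        findings.append(f"deprecated protocol {protocol}")
    # OpenSSL names use "-" separators, TLS 1.3 names use "_".
    for token in re.split(r"[-_]", cipher_name):
        if token in WEAK_TOKENS:
            findings.append(f"{token}: {WEAK_TOKENS[token]}")
    if secret_bits is not None and secret_bits < 128:
        findings.append(f"only {secret_bits} secret bits")
    return findings

def triage(scan):
    """Map each host to its findings, keeping only hosts that need work."""
    return {h: f for h, info in scan.items() if (f := audit_negotiated(*info))}

def strict_client_context():
    """Client context that refuses to negotiate below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

# Constructed sample: hostnames and negotiated values are illustrative.
SAMPLE_SCAN = {
    "www.shop.example": ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", 256),
    "legacy.shop.example": ("SSLv3", "RC4-MD5", 128),
    "pay.shop.example": ("TLSv1", "DES-CBC3-SHA", 112),
    "api.shop.example": ("TLSv1.3", "TLS_AES_128_GCM_SHA256", 128),
}

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_SCAN).items():
        print(host, "->", "; ".join(findings))
```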

4. Drop in traffic

Many experts recommend that once you implement SSL/TLS on your site, you ought to remove and re-add the website from (or alter the address on) Google’s Webmaster Tools. Submit a fresh sitemap to force a re-indexing of the website, now with the new HTTPS URLs. While this action is important in getting your web pages accurately indexed, it may result in a sharp drop in search traffic.

Chances are that this is a short-term problem and eventually, the numbers will edge upwards toward their previous levels. There’s no guarantee that will happen quickly, though. So, you may have to brace for lower traffic than before. For a business, that could mean a decline in sales.

5. Plugin problems

If your website depends on multiple plugins, you may run into problems if you apply SSL/TLS across your entire site. Many older plugin versions weren’t built with an HTTPS transition in mind.

That could lead to multiple errors that can only be resolved by either updating the plugin to the latest version, contacting the plugin developer directly for a patch, completely removing the plugin, or replacing it with an alternative plugin that would serve the same purpose.

6. Insecure social share plugins

Some social share plugins depend on insecure URLs for their various popup boxes. When these insecure popups are used on a site secured by SSL/TLS, they can prevent the social icons from displaying for users, cause content errors, or trigger browser page security warnings.

Even when the user has the ability to continue with the process, the security warnings and content errors would create some apprehension about the overall quality of the website. Therefore, if nothing else, this can damage your site’s reputation and, unless corrected quickly, lead to a steady decline in traffic.

7. Mixed-mode challenges

The social share plugin problem we’ve discussed is just one example of mixed-mode challenges. When browsing an SSL/TLS-secured site, you may come across a warning that the website is serving nonsecure content. This was an especially big problem with ad networks in the past, though much less so today.

Usually, it’s not because the website is deceitful, misleading, or generally up to no good. Rather, it’s a result of loading assets from services and sites that aren’t encrypted. The web browser, in the spirit of full transparency, will want users to know that they cannot fully bank on the SSL/TLS because of a chink in the armor.

8. Cost

Setting up SSL/TLS on your site isn’t free. SSL/TLS certificate authorities have had to establish the required infrastructure to verify your identity. As for-profit entities, it’s only natural that they’d need to recoup this cost. You can, of course, make your own SSL/TLS certificates but as an unknown entity without an established reputation, it will be difficult to convince other sites to trust you.

While increased competition in the SSL/TLS industry has slashed prices drastically over the years, you still have to pay for the service. The actual amount you pay will depend on the number of domains and subdomains the SSL/TLS certificate will cover as well as the degree of identity verification.

SSL/TLS still the best alternative

The advantages of SSL/TLS far outweigh the demerits. Anyone who visits your site and sees that green padlock on the address bar will understand that you take site security seriously. This gives them the confidence to proceed with their transaction, data input, and browsing. Nevertheless, it’s critical that you recognize the disadvantages, too, if you want to extract maximum value from moving your website to SSL/TLS.


Stephen M.W.

Stephen regularly writes about technology, business continuity, compliance and project management. He's worked with companies such as Canva.com, EnergyCentral.com, and Citibank.
