Security is one of the most important considerations for anyone setting up a brick-and-mortar store. You have to put in place adequate measures to protect your customers, employees, merchandise, money, assets, and reputation. It’s not any different for a website. An insecure site is vulnerable to a wide range of threats — even more than a physical store. SSL (Secure Socket Layer) and its successor TLS (Transport Layer Security) have proven to be one of the most effective means of protecting a website. So integral to online security has SSL/TLS become that leading browsers such as Google Chrome will flag a site as insecure if it runs on HTTP and not HTTPS. More than 70 percent of pages loaded on Google Chrome are secured by SSL/TLS, a phenomenal statistic when you consider that only a tiny fraction of websites were SSL/TLS-secured just a decade ago.
There’s wide consensus on the benefits of SSL/TLS. Nevertheless, there are drawbacks. Not as much attention has been given to SSL/TLS disadvantages, which has seen many businesses that implement SSL/TLS get caught off-guard by the downside. So, while SSL/TLS makes a website more secure, it’s important that you recognize the potential disadvantages. That way, you can establish the appropriate mitigating measures in advance.
SSL/TLS may make your site much more secure from an attack. Nevertheless, it does have vulnerabilities, especially the older SSL versions that preceded TLS. It also matters how SSL/TLS is implemented. Many attacks on SSL/TLS have centered on exploiting implementation gaps. Some have, however, broken through a site’s defenses by harnessing known SSL flaws.
For instance, the POODLE vulnerability takes advantage of the fact that SSL 3.0 does not verify the padding bytes of a record when running in CBC (cipher block chaining) mode. TLS is more secure than SSL, but it is still software, so it has had and will have flaws of its own.
What all this means is that having SSL/TLS isn’t a license for websites to be complacent in the assumption that all their security problems are gone.
SSL/TLS extends the time it takes for web pages to load in a browser. When a browser first connects to an SSL/TLS-secured web server, a secure session is initiated between the client computer and the web server. This preliminary process involves an elaborate back-and-forth handshake that eventually leads to a secure connection. With the connection established, both the client computer and the web server have to encrypt and decrypt information before it is readable on either end of the communication.
The degradation in speed is relatively small, especially if the web server and client computer have fast processors, the site doesn’t have much user traffic, or the Internet connection is fast. That isn’t the case, though, when there is high visitor traffic or lower-spec computing resources. SSL/TLS can therefore add noticeably to the time it takes for a web page to load completely.
SSL/TLS allows the client computer and webserver to decide what form of encryption they’d like to use for the connection. Many of the encryption standards supported by SSL/TLS are extremely robust and secure. However, SSL/TLS will allow a misconfigured server or outdated software to select an encryption method that falls far short of the level of protection required for modern threats.
Worse still, the person visiting the website may not even realize that they are connected via a below-par encryption standard. As long as the connection is under SSL/TLS, their browser will mark the communication as secure even though it might not be difficult for a knowledgeable attacker to break through.
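The weak-cipher problem above can be checked for rather than discovered by users. The following is an added example, not code from the original article: it audits a list of cipher-suite names against a baseline and builds a Python `ssl` server context that refuses SSL 3.0, TLS 1.0/1.1 and legacy suites. The cipher list is constructed sample data, not the output of any real server.

```python
import re
import ssl

# Constructed list of cipher-suite names (OpenSSL naming) standing in for what a
# misconfigured server advertises; sample data, not taken from any real host.
SAMPLE_CIPHERS = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-SHA",
    "NULL-MD5",
    "EXP-RC4-MD5",
]

# Each pattern marks a suite that falls below a modern baseline; the first
# matching entry supplies the reason that is reported.
WEAK_PATTERNS = [
    (re.compile(r"^EXP"), "export-grade key size"),
    (re.compile(r"NULL"), "no encryption"),
    (re.compile(r"^(ADH|AECDH)-"), "anonymous key exchange"),
    (re.compile(r"RC4"), "RC4 stream cipher"),
    (re.compile(r"DES"), "DES/3DES block cipher"),
    (re.compile(r"MD5"), "MD5 MAC"),
    (re.compile(r"-SHA$"), "CBC mode with SHA-1 MAC"),
    (re.compile(r"^(AES|CAMELLIA)"), "RSA key exchange without forward secrecy"),
]


def audit_ciphers(names):
    """Return {suite_name: reason} for every suite that is below baseline."""
    findings = {}
    for name in names:
        for pattern, reason in WEAK_PATTERNS:
            if pattern.search(name):
                findings[name] = reason
                break
    return findings


def hardened_server_context(certfile=None, keyfile=None):
    """Server context that refuses SSLv3/TLS 1.0/1.1 and legacy suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # AEAD suites with (EC)DHE key exchange only; TLS 1.3 suites are
    # configured separately by OpenSSL and keep their secure defaults.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # hypothetical paths supplied by the caller
    return ctx
```

Running `audit_ciphers(SAMPLE_CIPHERS)` flags six of the eight sample suites; only the two AEAD suites with ephemeral key exchange pass.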
Many experts recommend that once you implement SSL/TLS on your site, you remove the website from Google’s Webmaster Tools and re-add it (or change its address there) under the new HTTPS scheme. Submit a fresh sitemap to force a re-indexing of the website with the new HTTPS URLs. While this action is important in getting your web pages accurately indexed, it may result in a sharp drop in search traffic.
Chances are that this is a short-term problem and eventually, the numbers will edge upwards toward their previous levels. There’s no guarantee that will happen quickly, though. So, you may have to brace for lower traffic than before. For a business, that could mean a decline in sales.
If your website depends on multiple plugins, you may run into problems if you apply SSL/TLS across your entire site. Many older plugin versions weren’t built with an HTTPS transition in mind.
That could lead to multiple errors that can only be resolved by either updating the plugin to the latest version, contacting the plugin developer directly for a patch, completely removing the plugin, or replacing it with an alternative plugin that would serve the same purpose.
Some social share plugins depend on insecure URLs for their various popup boxes. When these insecure popups are used on a site secured by SSL/TLS, they can prevent the social icons from displaying for users, cause content errors, or trigger browser page security warnings.
Even when the user has the ability to continue with the process, the security warnings and content errors would create some apprehension about the overall quality of the website. Therefore, if nothing else, this can damage your site’s reputation and, unless corrected quickly, lead to a steady decline in traffic.
The social share plugin problem we’ve discussed is just one example of mixed-content challenges. When browsing an SSL/TLS-secured site, you may come across a warning that the website is serving non-secure content. This was an especially big problem with ad networks in the past, though much less so today.
Usually, it’s not because the website is deceitful, misleading, or generally up to no good. Rather, it’s a result of loading assets (scripts, stylesheets, images, frames) from services and sites that aren’t encrypted. The web browser, in the spirit of full transparency, wants users to know that they cannot fully rely on SSL/TLS because of that chink in the armor.
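Mixed content is easy to find before the browser does. The following is an added example, not code from the original article: a small scanner that lists the http:// subresources an HTTPS page would load, separating the script-like ones that browsers block outright from the media that they merely warn about. The page URL and HTML fragment are constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page fragment standing in for a site that has moved to HTTPS;
# sample input, not taken from any real site.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="//cdn.example/app.js"></script>
</head><body>
<img src="images/logo.png">
<img src="http://ads.example/banner.gif">
<iframe src="https://share.example/widget"></iframe>
<a href="http://partner.example/">partner</a>
</body></html>
"""

# Attributes whose URL the browser fetches while rendering; an http:// value
# here is what triggers the mixed-content warning. Links (<a href>) are
# navigation, not subresources, so they are not checked.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "link": "href", "iframe": "src",
    "audio": "src", "video": "src", "source": "src",
    "object": "data", "embed": "src",
}
# Script-like resources are "blockable"; media is "optionally blockable".
BLOCKABLE = {"script", "link", "iframe", "object", "embed"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, resolved URL, class)

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # Relative and protocol-relative URLs inherit the page's scheme,
        # so only explicit http:// references are mixed content.
        resolved = urljoin(self.page_url, value)
        if urlsplit(resolved).scheme == "http":
            kind = "blockable" if tag in BLOCKABLE else "optionally blockable"
            self.findings.append((tag, attr, resolved, kind))


def find_mixed_content(html, page_url):
    """Return the http:// subresources an HTTPS page at page_url would load."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings
```

On the sample page the stylesheet and the ad banner are reported; the protocol-relative script and the relative logo resolve to https:// and pass.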
Setting up SSL/TLS on your site isn’t free. SSL/TLS certificate authorities have had to establish the required infrastructure to verify your identity. As for-profit entities, it’s only natural that they’d need to recoup this cost. You can, of course, make your own SSL/TLS certificates but as an unknown entity without an established reputation, it will be difficult to convince other sites to trust you.
While increased competition in the SSL/TLS industry has slashed prices drastically over the years, you still have to pay for the service. The actual amount you pay will depend on the number of domains and subdomains the SSL/TLS certificate will cover as well as the degree of identity verification.
The advantages of SSL/TLS far outweigh the demerits. Anyone who visits your site and sees that green padlock on the address bar will understand that you take site security seriously. This gives them the confidence to proceed with their transaction, data input, and browsing. Nevertheless, it’s critical that you recognize the disadvantages, too, if you want to extract maximum value from moving your website to SSL/TLS.
Featured image: Pixabay