Saturday, December 12, 2015

Your Website: If you like it you should put an S on it


As I mentioned in my first post on this blog, I will be writing each month about security topics that will primarily interest business owners. I find now more than ever businesses and business owners are thinking about security, but they aren't sure where to get started. This post talks about one of the first places to start if you have or want to set up a business website.

Do You Have a Website?

When I help a new customer with their business, one of the first questions I ask is "Do you have a website?". Unless you don't want your business to be found (fewer people use the yellow pages these days), you really need to think about putting up a website. There are many great options for website hosting - I won't go into all of those today.

The next step is to determine how you want your customers to communicate or do business transactions with your business website. Will you create private client accounts? Will you process credit card transactions for purchases? Will you host your own company blog that will need to allow many people to log in? If you do any privacy-related business operations with your website, the next item you should consider is putting an S on that website.

Putting an S on your HTTP

As you may know, in order to navigate to a website you usually put in something like "www.your fabulous company.com" and don't think about the resulting website address at the top of the browser. But, take a look at the top address line on your browser. By default, each website uses either "HTTP://" or "HTTPS://" for the browser to know how to display your website. What's the difference between these two?

Essentially, the "HTTPS://" (notice the added "S") usage means your website is generally more secure than the alternative "HTTP://" usage. The "S" means the website is using encryption to send your, and especially your customers', data from the browser to the company website. By encrypting the data (encrypting is a means of encoding or changing a message so only the authorized parties can read it), you make sure no else can see your login credentials, your credit card information, or other sensitive and private data as it is being sent from your browser to the business website.

Without the usage of "HTTPS://", ALL data being sent from your browser to a website is sent in the clear and could potentially be read by other people on the internet.

Better Search Results and Building Customer Trust

On August 6, 2014, Google published a blog post titled "HTTPS as a ranking signal". In the post, Google indicated the importance of using HTTPS for encrypting data as part of their "HTTPS Everywhere" campaign. The post also mentioned when your website is using HTTPS, it will have a slightly better ranking in their search ranking algorithms. Remember what I said earlier about being found on the internet? We can all use an advantage like that.

Beyond the search engine rankings, the most important aspect of using HTTPS for your business website is building customer trust. More and more customers won't interact with your business website if it doesn't have the green padlock (one indication HTTPS is enabled in the browser address). This is especially true if they need to make a purchase using their credit card. Customers should and will also be wary of entering any kind of sensitive information into a website (login credentials or other sensitive data) unless that website is using HTTPS.

Getting it Right and Testing

Now that you know you should put an "S" on your business website, how do you make it happen? Not all HTTPS solutions are the same and you should be wary of someone selling you an HTTPS certificate without verifying your business information.  The key items needed for a good HTTPS solution are:

  • Determine if you need a single, multi-domain (more than one website), or a wildcard (many websites and sub-domains) certificate 
  • A strong 2048-bit key (at least) certificate 
  • Make sure to support TLS 1.1 or ideally TLS 1.2 (avoid TLS 1.0 and SSL 3.0 and below)
  • Make sure RC4 and other weak ciphers are not supported on your website hosting server
Understandably, that's a lot of technical information to parse through, but it is a good checklist to get you started in the right direction.

Once you have your HTTPS solution in place, or already have one, you can test the security level of your business website using the Qualys SSL Labs SSL Tool.  This test will indicate if you have the right levels of security as well as let you know if you should update your HTTPS certificate. Websites using older and outdated certificates will start to be penalized by Google in their search engine results starting in mid-2016. As the new year starts, now would be a great time to take a look and plan accordingly.

I hope this post has been helpful to you and your business in thinking more about security. If you have any questions or comments, please leave them below and I will be glad to help.

About Robert Hurlbut

Robert Hurlbut, owner of Robert Hurlbut Consulting Services, based in Enfield, CT, provides software security consulting, architecture, and training. This includes software development, threat modeling, secure code reviews, and other kinds of security audits for your company. If Robert can be of assistance to your company, please get in touch through the below contacts.

Web: https://roberthurlbut.com
LinkedIn: https://www.linkedin.com/in/roberthurlbut
Twitter: @RobertHurlbut

Upcoming security talk: Robert is speaking on January 12, 2016 on "How To Make Threat Modeling Work For You" at the Tech Valley .NET User Group meeting in Albany, NY.

2 comments:

  1. I had no idea, and had never paid any attention to the S or lack thereof. Thanks for the info about website security and Google rankings.

    ReplyDelete

Note: Only a member of this blog may post a comment.