Define SSL … For The Layperson
Let’s define SSL, which stands for Secure Sockets Layer. Typically, when you look at a web page URL in your browser you see HTTP://www.URL.com. The ‘HTTP’ stands for ‘HyperText Transfer Protocol’ and that’s techie-speak for ‘how information is shared between a person’s browser and the website server’. Better yet, it is the connection someone makes via browser to your website.
Now add an ‘S’ to make that HTTPS://www.URL.com and you have ‘HyperText Transfer Protocol Secure’, which encrypts information shared between the browser and website server. ‘SSL’ or that ‘S’ is the standard technology for establishing a secure connection between a human’s browser and the website server.
This kind of security became particularly relevant in 2014 when the ‘Heartbleed bug’ became public knowledge. It allowed nefarious people (= hackers or spies) to listen in on traffic and read the data exchanged. The bug was patched, but the incident made it clear that encrypting user information over the internet was, and is, necessary. Google feels that it should NOT be optional because SSL protects all website visitors. In some cases, it protects YOU when logging in to your own website!
SSL is not website security, for instance where firewalls identify nefarious IP addresses and block them from visiting the site. No, SSL only protects the web visitors’ connection from the browser to the website.
But What Does SSL Really Do?
When the link between browser and website server is ‘SSL’, it ensures that all information passed between the two remains private. When a page is only ‘HTTP:’, it is possible for third-party computers to get between the browser and the website and see the information exchanged. That is a huge issue if, for instance, a visitor to a website is entering sensitive data like credit card information into a purchase form. When SSL is used, the information is encrypted, or unreadable, to all but the website host server receiving the information.
Why Is Google After Us All To SSL Our Website Pages?
Nowadays Google’s Chrome browser adds an icon in the upper left to distinguish sites with SSL from those without. Some would argue the folks at Google are doing their best to inform and motivate safety online. Others would argue keeping everyone safe is good for Google’s business. It’s likely that no one would argue that safety online is anything but good, so the question becomes how to motivate website owners to set about protecting their visitors. Solution: the insecure icon (i) that Google Chrome now uses to point out that a site is not HTTPS://, in order to help motivate these same website owners. And certainly, it is good for those of us who’d like to use the Internet without worrying about our own information being stolen.
And so Google’s influence has become a driving factor in SSL adoption, especially because Google announced it was going to add the use of SSL as a ranking signal for comparing website pages. They didn’t say how much weight the signal carries among what is universally believed to be as many as 200 ranking signals, but we can probably assume that (at least) for e-commerce websites it’s high. For the balance of websites maybe not so much yet, BUT if not, it is going to become highly weighted for all sites soon.
Detail: starting in 2017 Google Chrome (the browser) is adding a prominent locked icon (upper left) to its browser for when a page is ‘HTTPS’, regardless of whether or not it is e-commerce capable. When not, the icon says “insecure”. There are a number of different SSL certificates you can choose from, some determined by need, some related to hosting and each offers various levels of trust at different costs with varied execution requirements.
Will SSL Suffice So Far As Web Security Goes?
SSL is not equal to all the security one needs! What’s more, SSL is about protecting visitors to a website and NOT the website owner herself.
NOTE: there is no security absolute! The security threat landscape always evolves. Security is about risk reduction, not risk elimination, because the risk will never be zero. Check out ‘The 4 Areas Of Security Businesses Need To Manage’ to see more on this.
Security is a continuous process; it is as much about securing and hardening a local environment, the user’s online behavior, and personal internal processes, as it is physically tuning and configuring website connections and installations. Security stems from three things: people, process, and technology. They’ve got to work in synchronous harmony to truly minimize the risks at hand. More soon!!