It’s our firm belief that every website should implement encryption. Website encryption has become a hot topic lately, with most people identifying website encryption as the green lock at the top of the browser. Website encryption focuses on the information that passes back and forth between the website visitor and the server. A visitor makes a request for a webpage, the server processes it and sends back a response. Most of this information isn’t interesting to hackers, but using encryption makes it more difficult for them to use any of it for reconnaissance.
Sometimes security is about being a less interesting target than someone else. Think of the joke about two men walking through the woods. Two men are walking through the woods when a bear appears, running toward them. The first man starts running and then looks back to find the second man changing into his running shoes. The first man asks the second why he is changing his shoes instead of running. To which he responds, “I don’t have to outrun the bear, I just have to outrun you.”
This is how hackers view websites without proper encryption. If you have a Content Management System (CMS) of any type (WordPress, Drupal, Joomla, etc.), then encryption is critical. Every CMS has a login page which gives access to modifying website content such as pages, blogs, events, etc. If the login page is not encrypted, then the username and password are passed across the Internet in full view of anyone watching. I’m sure you can see how easily an attacker can compromise a website this way.
Website encryption isn’t just about security though; it affects your website’s search engine ranking too. Google is so committed to this that they provide a page ranking boost for websites that implement encryption. Since August of 2014, they have encouraged everyone to encrypt their entire websites to further increase security. I think they see this as a “herd immunity” solution. If all websites are encrypted, then there are fewer opportunities for hackers. As the opportunities become increasingly limited, the attacks will decrease.
Google isn’t the only industry leader that is promoting “forced HTTPS”. Many other internet and security companies are making the move and encouraging others as well. Even the White House has recognized the need. This will be a requirement, not a suggestion, for all websites in the near future.
So now that you see the need to encrypt your website, what’s next? There are three things that you need to get the full security and ranking benefits:
Install an SSL certificate
Redirect traffic to HTTPS
Remove mixed content errors
There are many companies that talk about security and brandish SSL certificates like they are all that is needed for encryption. This is not true. If the website and/or server doesn’t redirect users to HTTPS, then the SSL certificate is useless. Don’t throw your money away on an SSL certificate unless you are willing to take the next step.
I believe that forced HTTPS and mixed content aren’t talked about because many companies don’t have a proper solution. They like the idea of protection with encryption, but don’t have the ability to take it all the way. To be fair, it isn’t an easy task. WordPress is particularly difficult to deal with when implementing forced HTTPS and fixing mixed content because of how it handles images and other assets. If you are interested in doing it yourself, there are some good plugins for implementing forced HTTPS. We developed a webClinic Pro plugin that simplifies the process and takes care of the heavy lifting for our clients.
If you are interested in checking into your own website, here are some simple steps to ensure encryption is correctly implemented:
Enter your website name in a browser and look at the URL. If it starts with https:// then you are using the secure protocol; http:// protocol is for non-encrypted traffic.
Open Chrome and navigate to your website. If you see the green lock in the location bar, then the website encryption is implemented correctly. Even if you go to a non-encrypted page, your website should redirect all traffic to the encrypted page.
Do an online scan with Qualys SSL Labs (https://www.ssllabs.com/ssltest/). This is a comprehensive scan that will detect the SSL certificate and verify that it is installed correctly. It will also check for common vulnerabilities such as POODLE, Heartbleed, and BEAST.
If you have done all of these things and still don’t see the green lock, you may have Mixed Content errors.
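The two checks the steps above do by eye (does plain HTTP get redirected to HTTPS, and does the HTTPS page still reference http:// assets) can also be done in code. The Python below is an added example, not the post’s or webClinic Pro’s code; the redirect response and the WordPress-style HTML it scans are constructed samples, and the example also separates “active” mixed content (scripts, stylesheets, frames), which browsers block outright, from “passive” mixed content (images, media), which only costs you the green lock.

```python
"""Checks for a forced-HTTPS redirect and for mixed content on an HTTPS page.
Example code added to this post; the response headers and HTML are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Active content is blocked by browsers when loaded over HTTP on an HTTPS page;
# passive content is allowed but removes the green lock.
ACTIVE = {"script": "src", "link": "href", "iframe": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

def redirect_forces_https(requested_url, status, headers):
    """True if a plain-HTTP request is permanently redirected to HTTPS on the same host."""
    if status not in (301, 308):          # 302/307 also work, but are only temporary
        return False
    target = urlsplit(headers.get("Location", ""))
    return target.scheme == "https" and target.netloc == urlsplit(requested_url).netloc

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []                # (severity, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or ""):
            return                        # only stylesheets count; icons etc. are ignored here
        for table, severity in ((ACTIVE, "active"), (PASSIVE, "passive")):
            attr = table.get(tag)
            if attr and attrs.get(attr):
                url = urljoin(self.page_url, attrs[attr])   # resolves "/path" and "//host" forms
                if urlsplit(url).scheme == "http":
                    self.findings.append((severity, tag, url))

def find_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample: the redirect a well-configured server returns for http://, and an
# HTTPS page whose theme stylesheet and logo are still hard-coded to http://.
SAMPLE_HEADERS = {"Location": "https://www.example.com/"}
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.example.com/wp-content/themes/x/style.css">
<script src="//cdn.example.net/jquery.js"></script>
</head><body>
<img src="http://www.example.com/wp-content/uploads/logo.png">
<img src="/wp-content/uploads/ok.png">
<a href="http://www.example.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    print(redirect_forces_https("http://www.example.com/", 301, SAMPLE_HEADERS))
    for finding in find_mixed_content("https://www.example.com/", SAMPLE_HTML):
        print(finding)
```

Protocol-relative (`//host/...`) and root-relative (`/path`) references inherit the page’s scheme and are not flagged; plain `<a href>` links are navigation, not loaded content, so they are ignored too.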