Why is the web going SSL?


The little lock icon in your browser -- you may be seeing it more frequently. It's called many things: SSL, TLS, HTTPS, or simply a secure site, and it means all the communication between your computer and the server is encrypted.

Recently, there has been a general push to make all websites require encryption.

Why SSL?
By default, anything you send over the web is just plain old text. If I, being the evil hacker I am not, find a way to insert myself between what you're looking at and the server that's providing the content, I can read whatever is going back and forth.

In practice, reading your communication with the web can range from challenging to ridiculously easy. On the ridiculously easy side, consider your neighborhood coffee shop. If that coffee shop lets you connect without a password, everything you send to their wireless router is just floating out there in the air. If you're browsing a site without SSL, a hacker can literally read every word. Strike that... not even a hacker... anybody with a bit of curiosity and the ability to install a program off the internet. So... some adults and all children.

On the challenging side are man-in-the-middle attacks, which are worth reading about: they are for hackers who want to see more than the fact that you read the news while having a cup of coffee.

Why not SSL?
I can't think of a good reason. I can, however, think of some formerly good reasons that no longer apply:

In the olden days of the web, we limited SSL to critical pages like website logins, credit card payment pages, etc. because encrypting content used up more server resources than delivering the page without encryption. Using SSL for every page would be silly because you'd slow the performance of your site. Now, computing power has advanced enough that processing isn't an issue.

Secondly, back in the day, using SSL on a website meant the site had to have its own, unique IP address. IP addresses were not always cheap, and configuring a web server to handle yet another IP just so you could put SSL on the site was a hassle. While web browsers addressed this one-IP-per-SSL-certificate rule back in the mid-2000s, Windows XP didn't have the necessary modules to make it work. Therefore, as long as Windows XP was any significant part of your target market, you had to get a dedicated IP for your website.

Only within the past year, since the end-of-life for Windows XP, has the new-but-actually-quite-old SSL technology (called SNI) become a completely viable solution.

Does SSL encryption keep my info completely safe?

This is one really important note about SSL. SSL is often mistaken for security: people assume the little lock in the browser makes the site safe. In years past, that was actually a reasonable assumption even though the logic was flawed. The lock (SSL) doesn't, by itself, make the site safe, but because SSL was slightly challenging/expensive to implement, websites that bothered to have SSL were much more likely to be legit, and they were more likely to have implemented other security measures as well (since you almost certainly wouldn't trouble yourself with advanced security if you weren't even going to add SSL).

Now that SSL is cheap and easy to implement, it is no longer a sign of legitimacy.

Remember: SSL only encrypts information while in transit. Once that info is on your computer or the server, it may be decrypted so it can be used. In other words, your company could still install software on your company-issued laptop to watch what you do, and a hacker could still break into a server to see what's on there.

But encryption does protect you from a whole mess of problems like kids in coffee shops.

Jeff Robertson

Jeff Robertson is a digital marketer and an online development expert with experience stretching back to dial-up. He is partner and Chief Technology Officer at Carbon8, where he helps bridge the gap between the technical and marketing worlds, as well as oversees technical infrastructure.
