Why you should get started with HTTPS on your website, and why it’s so important for website security.
Have you ever noticed that some URLs start with HTTP and others start with HTTPS? Perhaps you noticed that extra S when you were browsing websites that require handing over sensitive information, like when you’re paying your bills online. To put it simply, that extra S stands for secure. This means that your connection to that website is secure and encrypted.
Any data that you enter is safely shared with that website. The technology that powers that little S is one of two technologies, SSL or TLS.
SSL or Secure Sockets Layer is the standard security technology for establishing an encrypted link between a web server and a browser. TLS is a newer technology that also authenticates websites. TLS (Transport Layer Security) is a protocol that provides authentication, privacy and data integrity between computer applications.
We do not want to go into detail about the technical differences between SSL and TLS, but just know that in many ways, TLS has superseded SSL. TLS is newer and arguably more secure, and the certificates you use to implement both TLS and SSL protocols are often interchangeable.
So we are going to look at solutions for SSL and TLS together, since they’re often one and the same. Both of these technologies make sure that all data paths between the web server and browser are private. When you fill out a form on an insecure website and hit Submit, the information you just entered could be intercepted by a hacker. This information could be anything from details on a bank transaction to high level information you just entered to register for an offer.
In hacker language, this interception is often referred to as a man-in-the-middle attack. The actual attack can happen in a number of ways, but one of the most common is this: a hacker places a small, undetected listening program on the server hosting a website. That program waits in the background until a visitor starts typing information on the website.
It will activate to start capturing the user’s information, like an account login and password and then send it back to the hacker. When you visit a website that’s encrypted, your browser will form a connection with the web server, look at the certificate and then bind together your browser and the server. This binding connection is secure. That means that no one besides you and the website you’re submitting the information to can see or access what you type into your browser.
This connection happens instantly and in fact, many suggest that it is now faster than connecting to an insecure website. You simply have to visit a website with a certificate and voila, your connection will automatically be secure. There are a few ways to know if your website has a certificate: you can use HubSpot’s Website Grader, the URL says HTTPS and not HTTP, you see a little padlock icon in the URL bar, or the certificate is valid.
In your web browser, you’ll be able to see if a site is secure because it will say HTTPS and you’ll see a little padlock icon in the URL bar. It’ll show up either on the left or right hand side of the URL depending on your browser. You can click on the padlock icon to read more information about the website and the company that provided the certificate.
Even if a website has HTTPS and a padlock icon, their certificate could still be expired, meaning that your connection wouldn’t be secure. In most cases, a site that displays as HTTPS will be secure but if you encounter a site that asks for a lot of personal information, it may be worth double checking, just to be sure. To find out whether your certificate is still valid in Chrome, go to View, Developer Tools.
From there, you will need to navigate to the Security tab and you can see if this SSL Certificate is valid or expired. If you click the View certificate button, you will be able to see more information about the SSL certificate and the specific date it’s valid through. So how can you get a certificate on your website? The first step is to determine what type of certificate you’ll need.
For example, if you host content on multiple platforms, on separate subdomains or domains, it may mean that you need different certificates. For most, a standard certificate will cover your content, but for companies in a regulated industry, such as finance and insurance, it may be worth talking with your IT team because there are specific requirements within those industries that specify the type of SSL certificate that you’ll need.
The cost of certificates varies, but you can get a free certificate or pay a few hundred dollars per month to obtain a custom certificate. Let’s Encrypt offers certificates at no cost, but the setup is technical, so work with a web expert to get it set up. These certificates expire regularly, so you’ll need to make sure that they stay up to date. Many other domain providers will sell certificates that range generally from around $50 to obtain a certificate for one domain up to a few hundred dollars for multiple domains.
This process will be easier than using Let’s Encrypt but does have a cost associated with the certificate. One of the other key considerations is the validity period of a certificate. Most standard certificates that you purchase are available for one to two years by default, but if you’re looking for a longer term option, then look into more advanced certificates that offer longer time periods. If you’re using HubSpot, all files hosted within the HubSpot File Manager are automatically encrypted with SSL.
With the HubSpot CMS Hub, you can direct all visitors to the secure version of your site, no plugins required. If you’re using WordPress, there are many plugins that can help you install your certificate: Really Simple SSL, Insecure Content Finder and WordPress Force SSL can be used to install your certificate, encrypt files and direct traffic to the secure version of your site. Websites currently not on HTTPS will need to migrate their site from HTTP to HTTPS.
Depending on the CMS that you’re using, this may be as easy as clicking a button to download a certificate and redirect your pages. For others, you might have to manually set up your redirects to your new HTTPS URLs. Check out the resources for some helpful guides or work with your web team to set up a migration plan. Beyond SSL, there are other ways that you can keep visitors on your site safe. There are front-end JavaScript libraries with known security issues.
You should avoid these at all cost. A front-end JavaScript library is a piece of pre-written JavaScript which allows for easier development of JavaScript-based applications. But not all libraries are created equally and intruders know this. Intruders have crawlers that scan your site for known security vulnerabilities. When the website crawler detects a vulnerability, it alerts the intruder. From there, the intruder just needs to figure out how to exploit the vulnerability on your site.
So scan your website with HubSpot’s Website Grader to identify if your page is using any JavaScript libraries with known vulnerabilities. To fix JavaScript library vulnerabilities, you should stop using vulnerable JavaScript libraries immediately, then either upgrade your libraries to their newest version and continue using them if that fixes the vulnerability, or use a different library without known vulnerabilities.
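As an added example (not part of the original article or any HubSpot tool), here is one way to inventory the libraries a page loads and decide which need an upgrade. The `MIN_PATCHED` policy and the sample HTML are constructed for illustration; fill the policy from your own advisory source.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed policy: lowest version your team has confirmed as patched.
MIN_PATCHED = {"jquery": (3, 5, 0), "lodash": (4, 17, 21)}

# Matches "name-1.2.3", "name@1.2.3" or "name/1.2.3" inside a script path.
LIB_RE = re.compile(r"([a-z][a-z0-9-]*?)[-@/](\d+(?:\.\d+){1,2})", re.I)

# Constructed sample page.
SAMPLE_HTML = """
<script src="https://cdn.example/jquery-3.4.1.min.js"></script>
<script src="/static/lodash@4.17.21/lodash.min.js"></script>
<script src="/vendor/moment-2.29.4.min.js"></script>
<script src="/js/app.js"></script>
<script>console.log("inline, no src")</script>
"""


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)


def audit(html, policy=MIN_PATCHED):
    """Return [(src, status)] for each external script on the page."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        match = LIB_RE.search(urlparse(src).path)  # ignore the hostname
        if not match:
            findings.append((src, "unversioned"))  # needs a manual check
            continue
        name = match.group(1).lower()
        parts = tuple(int(p) for p in match.group(2).split("."))
        version = (parts + (0, 0))[:3]  # pad "3.5" to (3, 5, 0)
        if name not in policy:
            findings.append((src, "untracked"))
        elif version < policy[name]:
            findings.append((src, "upgrade"))
        else:
            findings.append((src, "ok"))
    return findings
```

Scripts reported as `unversioned` or `untracked` are not cleared; they simply could not be judged from the URL and policy alone.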
You may need to work with a developer to help you find which JavaScript libraries are causing you trouble. Security is practically a requirement online. Today, search engines will call out your web page for not having an SSL certificate. Search engines are taking their users’ cyber security into top consideration. With an SSL certificate and by removing vulnerabilities in your JavaScript, you will keep your visitors’ best interest at the forefront of your website.
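The article notes that a site can show HTTPS and a padlock while its certificate is expired, and that certificates expire regularly. The following added example (not from the original article) automates the check you would otherwise do in Chrome's Security tab. The hostnames, sample dates and the 30-day `WARN_DAYS` threshold are constructed assumptions.

```python
import socket
import ssl
import time

WARN_DAYS = 30  # assumed renewal threshold, not from the article

# Constructed samples in the shape returned by SSLSocket.getpeercert().
SAMPLES = {
    "shop.example": {"notAfter": "Mar  1 12:00:00 2030 GMT"},
    "blog.example": {"notAfter": "Jan 20 12:00:00 2025 GMT"},
    "old.example": {"notAfter": "Dec 25 12:00:00 2024 GMT"},
}
FIXED_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")


def days_remaining(cert, now=None):
    """Whole days until the certificate's notAfter date (negative if past)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def classify(cert, now=None, warn_days=WARN_DAYS):
    left = days_remaining(cert, now)
    if left < 0:
        return "expired"
    return "renew-soon" if left < warn_days else "ok"


def check_host(host, port=443, timeout=5.0):
    """Live check of one HTTPS endpoint; returns (status, detail)."""
    ctx = ssl.create_default_context()  # verifies chain, hostname and dates
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # An expired or mismatched certificate fails the handshake outright.
        return "invalid", exc.verify_message
    except OSError as exc:
        return "unreachable", str(exc)
    return classify(cert), cert["notAfter"]


def report(samples=SAMPLES, now=FIXED_NOW):
    """Offline run over the constructed samples with a fixed clock."""
    return {host: classify(cert, now) for host, cert in samples.items()}


if __name__ == "__main__":
    for host, status in report().items():
        print(host, status)
```

Run `check_host("your-domain")` on a schedule against your own sites so that a `renew-soon` result reaches you before visitors see a browser warning.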
Thanks for reading the article!