SSL vs. Website Security

Having a website today is way easier than it was 10 or 15 years ago. Tools like content management systems (CMS), website builders, static site generators and alike remove a lot of the friction around building and maintaining sites. But, is there a price for such convenience?

I would dare to say that one of the downsides to bringing such facilities to the masses is the creation of misconceptions. The biggest misconception is about what makes a website secure versus not secure. For example, with the introduction of Google Chrome version 68, websites that do not use SSL certificates are marked “Not Secure” in the address bar.

However, a website with an SSL certificate is not necessarily a “secure” website. SSL encrypts the data sent between the visitor and web server but does not actually protect the website itself from hackers. There is more to it website owners need to understand if they want a truly secure website.

SSL Certificates

SSL is the acronym for Secure Sockets Layer. It is the standard security technology for establishing an encrypted link between a web server and a browser. SSL certificates have become a best practice in website security for good reason.

We have recently written an article to showcase why websites should switch to SSL. In short, Google, Mozilla, and other web authorities are pushing for website owners to adopt HTTPS. One of the ways Google can enforce SSL is by flagging sites displaying a warning that the site is “Not secure“ on Chrome, starting with Chrome 68.

Chrome 68 not secure warning for HTTP websites
Chrome 68 not secure warning for HTTP websites

SSL certificates help protect the integrity of the data in transit between the host (web server or firewall) and the client (web browser). They make sure no one is able to see or modify the data, what is known as a man-in-the-middle attack.

All types of SSL certificates verify the domain name of the website.

Let’s see the types of SSL certificates:

Domain Validated SSL Certificate (DV SSL)

DV SSL Certificates are the most popular SSL certificates on the Internet, even though they only validate the domain name.

DV SSL Certificate
DV SSL Certificate

Let’s Encrypt offers these kinds of certificates for free. We also have a guide explaining how to install an SSL certificate.

Organization Validation SSL Certificate (OV SSL)

OV SSL Certificates require more documentation for a Certificate Authority to certify the organization making the request is registered and legitimate.

These certificates will display the name of the organization if you click on the padlock that appears on the top left corner of a browser.

OV SSL Certificate
OV SSL Certificate

Premium Extended Validation SSL Certificates (EV SSL)

EV SSL Certificates require even more documentation for a Certificate Authority to validate the organization making the request. These certificates will be more visible because besides displaying the padlock in the address bar, they will also display the name of the organization.

EV SSL Certificate
EV SSL Certificate

The only feasible difference among these three certificates is their verification process. The technical security is the same for all. While the DV certificates only test ownership of the domain (by technical mediums), the OV and EV certificates will require actual paperwork in order to be issued.

SSL Certificates and Malware Infections

SSL certificates cannot protect a website from a malware infection, nor can they stop a website from spreading malware.

Ironically, infected websites served over HTTPS will ensure the integrity of the malware until it reaches its potential victims, aka the website’s visitors.

A website’s padlock in the address bar does not mean the website is secured. It only means that the information between the website’s server and the browser is secured.

That is something both webmasters and Internet users need to be really mindful of.

It is important to make sure to force HTTPS after you install an SSL certificate on your website. If attackers compromise your site and link to malware assets over HTTP, browsers will display mixed content warnings.

What is Website Security?

Defining website security is not simple, but here’s a good definition we like to use:

There are no turnkey solutions to security; instead it’s a combination of people, processes, and technology that help create a manageable and scalable approach to security for any organization.

Defining website security is hard because it depends on the necessities of each organization. For example, a personal blog does not have the same concerns as an e-commerce store or the site of a web development agency.

Believing that a website is secure because it has implemented an SSL certificate can become a real problem.  A website with SSL is not secure if it does not have other layers of protection, such as a Website Application Firewall (WAF), or access controls. An HTTPS website could still be hacked and dangerous to visitors.

No matter if it is HTTP or HTTPS, if a website is infected with malware, some internet security companies can put warnings on it and in search results, letting everyone know that the site contains malicious code.

These are the top 10 blacklists:

  • Google Safe Browsing
  • Norton Safe Web
  • Phish Tank
  • Opera
  • SiteAdvisor McAfee
  • Sucuri Malware Labs
  • SpamHaus DBL
  • Bitdefender
  • Yandex (via Sophos)
  • ESET

What is the Difference between SSL and Website Security?

Website security is more comprehensive than HTTPS/SSL alone and should be treated as such. HTTPS/SSL is one of many security controls to consider when thinking about your website’s security. Deploying HTTPS/SSL on your website does little to ensuring your visitors are safe if you do not take other actions to ensure a secure environment.

We can imagine that the reason why some people get SSL confused with website security is because HTTPS/SSL provides:

  • “non-repudiation” of the party  – answering the question is that really you?
  • integrity check (unchanged)
  • privacy (unseen) of the data in transit.

To sum it up, in an HTTPS website, data in transit is protected, but the website itself can still be vulnerable.

Here at Sucuri, we see website security as a conjunction of protection, detection, response, and backups. SSL certificates are only a part of the puzzle. Data encryption is vital to having a good security posture, but it is not everything.

We have discussed more about how SSL differs from website security in a recent webinar:

Conclusion

Security is not a constant. You need to invest time and resources to create a plan that fits your needs. HTTPS is great for the Internet as a whole because it helps keep communication secret between users and the websites they visit. SSL is what secures that data in transit only,  not the website.

SSL certificates only account for a small piece of the website security puzzle.

We encourage website owners to think about website security holistically and consider leveraging a Website Security Platform that offers a complete suite of security controls: protection, detection, monitoring, and incident response.



*** This is a Security Bloggers Network syndicated blog from Sucuri Blog authored by Gerson Ruiz. Read the original post at: https://blog.sucuri.net/2018/09/ssl-vs-website-security.html