What is an SSL?
What is an SSL?
Our clients are typically non-technical businesses — they are lawyers, bankers, restaurants, entertainers, doctors and the like. As web developers, we typically face a series of questions about security from our clients. “What is an SSL?” “What does a ‘secure site’ mean?” and so forth, which we try to explain in “plain English” terms. Recently we’ve become aware of a new industry offering, the Free SSL Project, that has brought renewed attention to this corner of Internet technology. In this article we will give a high-level overview of SSL technology for the non-technical, “in plain English.”
Is my site secure?
This is a simple question, with a potentially complex answer. “Security” has many facets to it, and “is my site secure?” is really a pretty vague question. It’s sort of like pointing to a new model car and asking “Is this a good car?” It all depends. By what metric?
Security can imply how easy or difficult the software is to hack, or it can refer to the security of the physical servers, and more. For the purpose of this article we’re focusing on the security of the data that flows between your own computer’s web browser and the web site’s server that you’re visiting. The site itself may be very secure (i.e. not easily hackable) but what about YOUR data and information that flows over the open Internet between your computer and the server?
When you purchase a product, is your credit card information traveling out in the open between your computer and, say, amazon.com in Seattle, when you enter it, where any semi-competent hacker can steal the information? Or is the conversation secure and kept away from prying eyes?
The Definition of SSL
“SSL” stands for “Secure Sockets Layer” — it’s a protocol (a set of rules and specifications) that allow two computers to communicate with each other securely over an otherwise non-secure network connection. Essentially, it provides a means for encrypting information on one end of the conversation in such a way that it can only be un-encryped by the intended recipient, so the “conversation” is utter gibberish to anyone “listening in” in between.
To create this type of “secure website” the website developer needs to jump through some technical hoops to create an “SSL Certificate” and install it on their web server. To the end user, you notice this when your address bar shows a locked padlock icon and the site URL switches to https:// instead of the typical http:// (notice the “s” in there, which stands for “secure”). When you see the padlock icon, it means you are communicating with that website over an encrypted conversation, thanks to the SSL that was installed on that web server.
To restate this -- the complexity of creating and installing and SSL rests with your web developer, so you can breathe a sigh of relief. But it's still important to understand what they are and why they're necessary.
Benefits of an SSL Certificate
A proper SSL Certificate actually does a little more than merely encrypt the conversation — it also provides identity information. The very process of creating an SSL Certificate includes steps that verify the creator/owner of the SSL, so that when you talk to that website you can click the padlock icon and drill down to get more information about that site. Is this REALLY amazon.com that I’m talking to?
So a traditional SSL certificate can provide transparency to whom you’re dealing with, along with encryption to keep your conversation/information private.
The Downside of SSL
SSL Certificates aren’t all peaches and cream. They are traditionally managed by a 3rd party service that provides the objective background checks, etc. “Back in the day” these certificate issuing authorities charged upwards of $500 for an SSL, and they had to be renewed every year! Thus, many small business owners tended to avoid this expense. Not only did you have to pay for the certificate, but you had to pay your tech team to take the time and effort to create, download, and install them. The total bill could run anywhere from $500 - $1,000 every year. Over the years the cost has dropped to an industry average of around $200 but it’s still a time and expense. And often we see otherwise well-intentioned site owners that have created an SSL initially, but then forget about them and let them lapse. Because of this, an inordinately large number of small businesses are incredibly remiss in creating and maintaining their SSLs.
Additionally, there’s a penalty to be paid in terms of increased processing load on the web server. For a single small site it’s not a big deal, but for sites with respectable amounts of traffic, it takes more server resources to encrypt and decrypt all of that traffic, which leads to increased infrastructure costs.
Combining all of this together, it’s easy to see why so many small to mid-sized businesses aren’t “on their game.” For small sites it’s considered expensive, it’s a hassle, and it’s very technical and typically a frustrating process.
For web developers, renewing and installing SSL certificates is on our list of "things we enjoy" just below root canals and changing diapers.
So is an un-secure site bad?
Many websites are NOT secure, and it’s not a problem. If they’re not asking you for any sensitive or otherwise private information, it might not be an issue. If you’re anonymously reading a news website, for instance, there’s no reason to incur the overhead of encrypting the data — an insecure site is fine. This is why you might notice certain sites flipping between secure and non-secure modes — they may operate “un-secured” for most of the site content, and then just flip to secured pages for those few activities that require encryption, such as a signup form or the final payment steps of a checkout process. This is typical behavior and not an issue.
However, more recently Google is starting to penalize sites that don't use SSL and reward sites that do use SSL by ranking them relatively higher or lower than their competition. Add this as yet another checkmark in the pro-SSL column.
The Let’s Encrypt Project
A very large group of tech companies such as Mozilla (Firefox), Facebook, Google, Hewlett-Packard, Cisco and more, have banded together to create a consortium of sorts to push the concept of a free, open-source SSL Certificate.
The goal is to lower the cost (to zero), and increase ease of use, make renewals automatic and painless, and democratize the process, thereby increasing adoption rate of SSL Certificates across the web. The theory is to remove the “friction” from the process, leading to a more secure Internet in the process.
It’s important to understand that this new service only addresses one of the two benefits of a traditional SSL — it encrypts traffic between the two end-points of the conversation. But it does not provide identity information. It’s not a perfect solution, but in fact we find that most people are less concerned about identity than merely encrypting/securing the conversation. But it can be exploited for evil, since nobody verifies identity. If you’re amazon.com you will install a traditional certificate without hesitation. But for the millions of smaller businesses around the globe, a free and easy solution for SSL Certificates will increase adoption of SSL, which is good for everyone.
The caveat: this is brand new technology and not fully supported yet on all web servers — this is only viable for a subset of available web servers, and it’s a pretty hands-on, hacker-ish process to get it setup and working. We expect, over time, support will flourish and it will be plug-and-play simple, but we’re not quite there yet. (In fact, both of the very common server types we deploy at 401 Consulting are not yet supported). Support in the browser client is much stronger but uneven as well. This is still in the “early adopter” / geek implementation phase at the moment.
Some folks might say “Oh, I just use a self-signed certificate” as if that’s a reasonable solution. It is not. A self-signed certificate, as the name implies, is one that you create yourself - it only provides encryption from end-to-end, but specifically does not prove identity. And because it’s not created through an independent Certificate Authority, those fields in the SSL Certificate are blank which causes browsers to throw up warnings: “BEWARE! THIS SITE IS SUSPICIOUS!”.
Self-signed certificates are meant for use by developers to play around in an SSL mode in testing or during development, but are not intended for deployment on live sites. Your visitors will get pop-ups and warnings, driving them away.
We hoped this article helped explain a bit about “what is an SSL?” and some of the alternatives and related issues and technologies. As of this writing (June, 2016) we recommend installing a typical SSL Certificate for anyone transacting over the Internet with sensitive information. Currently that is about a $100 - $200/year cost plus installation time, on an annual basis.
We’re optimistic about the “Let’s Encrypt” project, and hopeful that over the coming months and years, the SSL creation and installation process continues to become cheaper (towards $0) and easier (more automated).
The future is bright (and more secure) but we’re not quite there yet.