A question of trust
In the space of a few months, the amount of Internet traffic has grown significantly. The global pandemic has driven the majority of us from our normal work and social environments into our own personal spaces, with online meetings, online shopping and online social events filling our days. The increase in our communication across networks, applications and websites should make us all more aware of how our sensitive, personal and financial data is used and, more importantly, stored by the organisations we interact with.
Brand holders need to provide reassurances not only that customers are communicating with trusted, legitimate businesses but also that their personal information is safe from those who would look to misuse it. This is why any active website, even those that do not collect sensitive, personal and financial data, must deploy SSL encryption.
SSL certificates provide a trusted connection between a consumer and the website they are browsing by creating a secure, encrypted link over the internet, which means that sensitive and financial information, such as personal details and credit card numbers, is kept private and secure. Every organisation has a duty of care to its customers. Put simply, the data is locked and can only be unlocked by the intended recipient of the data.
In the past few years, there have been a number of important changes to the issuance, usage and treatment of SSL certificates for search purposes. Google, the undisputed search leader, has tightened its rules on how it deals with websites that do not use SSL on their sites. Google’s mantra has always been to deliver the most relevant results for every search conducted – whilst the ranking algorithm is for classified eyes, there is no secret sauce in the fact that the higher the ranking, the more traffic the website will receive. More website traffic means more visitors, which means more opportunity to make money.
A number of years ago, additional weight was given in search results to websites that used encryption. As Google said at the time, “We’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”
It isn’t just search engines which have made changes to favour websites that utilise encryption. Browsers including Safari, Chrome and Firefox have enhanced the way they treat websites using SSL, adding another layer of security and authentication to protect web users.
The three leading browsers have taken yet another step towards protecting Internet users, announcing that they will no longer “trust” websites that have two-year SSL certificates issued after the 31st August 2020. Whilst SSL certificates were originally available for durations of up to 8 years, the terms available have been reduced in the past few years to ensure that any certificates issued are trustworthy and the risk of compromise is reduced as new certificate keys are created more often.
One reason behind this move has been the increasingly nefarious nature of the Internet. According to WebARX Security, over 30,000 websites are exploited EVERY DAY. This figure has risen dramatically year-on-year and includes websites that use SSL. By shortening the maximum term of an SSL certificate, vulnerabilities and exploits can be reduced since certificates must be re-issued every 12 months. All of the major Certificate Authorities (CAs), including Comodo, Sectigo and GlobalSign, have agreed to only issue 1 year term certificates from the 1st September 2020.
For any brand holders with existing multi-year certificates that run past 1st September, these will continue to be valid and treated as trustworthy by the browsers. However, any newly issued certificates or “reissued certificates” will now only be for a one-year term in order to be considered trustworthy by the main browsers.
For those organisations that are still unsure what value using SSL on their major websites brings, consider these four reasons:
SSL demonstrates an organisation is serious about customer trust – Using SSL for all customer-facing websites demonstrates that an organisation is serious about customer trust and protecting customer data. The easy-to-identify signs of using SSL encryption for websites allow users to clearly see that the data they are sending is encrypted and thus secured. Once website users know that they are communicating with a legitimate entity, they are more confident in submitting personal and financial data over the internet.
SSL protects personal, financial and sensitive data – Any websites that accept online payments must be PCI compliant. Having an SSL certificate installed is one of the 12 primary requirements set by the payment card industry (PCI) for accepting online card payments. SSL ensures that the personal and financial data is encrypted.
SSL provides authentication and compliance – “in regione caecorum rex est luscus” or, for those who don’t have fluency in Latin, “in the land of the blind, the one-eyed man is king.” SSL demonstrates an organisation is prepared to be compliant and validate its credentials, and sets it above those who can’t or won’t validate their identity.
SSL improves SEO ranking – In 2014, Google made changes to its algorithm that gave a ranking boost to those websites using SSL. Since then, the search engines have increasingly penalised those websites that don’t use SSL, with some displaying warning notices before users can navigate to the website. Therefore, using SSL for customer-facing websites gives a natural advantage over those sites that don’t.
The increasing challenge of short-term SSL certificates
Of course, from a security point of view, reducing the validity term of an SSL certificate makes perfect sense, and must take overriding priority. However, for companies that have multiple sites and SSL certificates, this adds to the problem of managing a portfolio of SSL certificates.
Moving from 2 year to 1 year terms potentially doubles the management effort of registering and re-issuing certificates as well as potentially increasing costs. Every time an SSL certificate is issued, checks are made by the Certificate Issuer on the validity of the person or business that is requesting the certificate. The depth and comprehensiveness of these validations depend upon the certificate type. However, all add to the cost of issuing a certificate and must be carried out by the certificate authority.
As certificate-secured websites become ubiquitous, more and more businesses are turning to specialist companies like BrandShelter to consolidate and manage SSL certificates on their behalf. These online IP protection specialists ensure that:
- The right type of certificate is issued for the website type or activity that is being undertaken
- Certificates do not expire and are reissued at the right time
Successfully managing this business-critical activity will minimise costs and avoid business interruption, which can cause embarrassment, loss of consumer trust and significant financial loss.
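The portfolio checks listed above (certificates must not expire and must be reissued in time) can be combined with the one-year rule for certificates issued from 1st September 2020 in a small audit script. The Python below is an added example, not BrandShelter's tooling: the hostnames and dates are constructed, and the 398-day ceiling is the figure the browsers published for the one-year limit, which the article itself does not state.

```python
import ssl
from datetime import datetime, timezone, timedelta

# Cutoff described in the article: certificates issued after 31 August 2020
# must be short-lived to be trusted by the main browsers.
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
# Assumption not stated in the article: the browsers' published ceiling for a
# "one-year" certificate is 398 days (a year plus a renewal grace period).
MAX_LIFETIME = timedelta(days=398)

def parse_cert_time(ts):
    """Parse the 'Sep  1 00:00:00 2020 GMT' format returned by ssl.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(ts), tz=timezone.utc)

def audit(inventory, now, renew_window_days=30):
    """Return {hostname: [findings]} for every certificate that needs action."""
    report = {}
    for host, cert in inventory.items():
        not_before = parse_cert_time(cert["notBefore"])
        not_after = parse_cert_time(cert["notAfter"])
        findings = []
        # Multi-year certificates issued before the cutoff stay trusted.
        if not_before >= POLICY_START and not_after - not_before > MAX_LIFETIME:
            findings.append("lifetime exceeds 398 days: untrusted by major browsers")
        if not_after <= now:
            findings.append("expired")
        elif not_after - now <= timedelta(days=renew_window_days):
            findings.append("renew now: expires in %d days" % (not_after - now).days)
        if findings:
            report[host] = findings
    return report

# Constructed sample inventory: hypothetical hosts, dates made up for the example.
SAMPLE = {
    "shop.example": {"notBefore": "Aug 15 00:00:00 2020 GMT", "notAfter": "Aug 15 00:00:00 2022 GMT"},
    "blog.example": {"notBefore": "Sep 10 00:00:00 2020 GMT", "notAfter": "Sep 10 00:00:00 2022 GMT"},
    "api.example": {"notBefore": "Oct  1 00:00:00 2020 GMT", "notAfter": "Oct 20 00:00:00 2021 GMT"},
    "old.example": {"notBefore": "Jan  1 00:00:00 2020 GMT", "notAfter": "Jan  1 00:00:00 2021 GMT"},
}
SAMPLE_NOW = datetime(2021, 10, 1, tzinfo=timezone.utc)  # constructed audit date

if __name__ == "__main__":
    for host, findings in audit(SAMPLE, SAMPLE_NOW).items():
        print(host, "->", "; ".join(findings))
```

In production the `notBefore` and `notAfter` strings would come from each site's live certificate rather than a hand-written dictionary.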