2014 was a huge year for privacy and security on the Internet.
There were several high profile security issues which were serious enough to make the leap from technical news sites to the mainstream press, and ongoing revelations about how easily everyone’s connections can be spied on have made the major players in the web industry take action.
If you have an e-commerce website, given all the coverage around SSL and website security, now is a good time to check the security of your site, or to consider getting a site certificate if you don’t already have one. This guide explains all.
What is site security?
SSL Certificates verify that a URL does actually belong to the organisation or company you want to visit, and they are used to encrypt any entered data.
SSL stands for “Secure Socket Layer” – the original standard for performing encrypted transactions on the web. It was succeeded by TLS (Transport Layer Security) in 1999, but it’s taken 15 years and several embarrassing and damaging problems for it to be fully replaced.
The term is still widely used in general to refer to site security certificates.
Why is site security important?
These certificates help to inform internet users that a website is trustworthy and secure, which is especially necessary if you will be asking customers to enter any card details and buy from you.
Even for small e-commerce businesses, having an SSL certificate is vital for reassuring customers. Many will look to check if your website turns green and activates the padlock in the browser with the HTTPS protocol.
Recent changes to SSL
In 2014, the older SSL versions effectively died.
An attack known as POODLE targeted sites using SSL 3, and the best defence against it was to disable the protocol. Google, Mozilla and Microsoft have all taken steps to disable the use of SSL 3 in their respective browsers.
Following that attack, and another recent ‘downgrade’ called FREAK, it’s clear older technologies and protocols are the problem.
Instead of waiting for attack after attack to target obsolete but still supported cryptography and protocols, the industry is now looking to proactively remove outdated technology – before it gets exploited.
The large players in the web industry, specifically the browsers Google Chrome and Mozilla Firefox, are planning to gradually force this issue.
What does this mean for small businesses?
For those with an e-commerce website, this means you’ll need to check your site security.
If you’ve got an existing certificate, you might need to make some reconfiguration changes. If you’re considering getting a secure site certificate, you’ll need to choose the right one.
In September 2014, for example, Google announced that they are hurrying the process of sunsetting SHA1, an algorithm that forms part of the chain of trust proving that a certificate belongs to who it says it does.
They’ve issued a new policy on site certificates which is designed to phase them out and encourage websites to upgrade their security:
- Sites which have an SHA1 certificate expiring after January 2016 will be marked as “secure with errors”.
- Those which expire after January 2017 will be marked as “affirmatively insecure”
These will be negative signs to website users, showing your site as being insecure and deterring them from visiting and buying from you.
The good news
It’s not all stick – there’s some carrot, too. In August 2014, Google’s Search division announced that it would consider secure pages to be a positive signal when ranking sites in SERPs (search engine results pages).
In an industry like e-commerce, where more visibility in Google directly translates to more sales, the incentive is clear: if you can do the work to secure your site, not only will you be protecting your customers, you’ll be rewarded with (slightly) improved rankings.
Getting the right certificate type
We know then that you’re going to want to have your certificate issued by a Certificate Authority which uses SHA2 – thankfully that’s most of them, though some providers (like WoSign) prioritise supporting older browsers ahead of web security, so it is worth checking.
But, there are two different types of certificate to consider:
- Basic security certificates
- Extended Validation certificates (EV)
Basic security certificates
EFF, Mozilla, Automattic (the WordPress guys) and Cisco are launching their “Let’s Encrypt” initiative this summer. If it goes according to plan, every website owner will be able to obtain a secure certificate for free, and with the absolute minimum of effort.
These new certificates are similar to the current RapidSSL ones, which cost $9 per year. They come with a trusted safety seal and a background check to ensure the domain name matches the registered owner.
Extended Validation (EV) certificates
Extended Validation, or EV certificates have to go through more rigorous, human checks before they are issued – they require you to provide corporate documents, be listed in a notable phone directory (the Yellow Pages, Scoot, Thompson Local) and be reachable on your public phone number to verify the certificate is being requested by someone authorised to receive it.
From VeriSign, an Extended Validation certificate currents costs $995.
In return, you can light the address bar of your customer’s browser green and give your company’s legal name equal weight to its domain name. If nothing else, the fact that you have gone through the more expensive process is an indicator of a “serious” web business.
Other things to consider when going HTTPS
If you are considering moving your e-commerce site to HTTPS, there are a few other things you need to check.
If you have a developer doing this for you, you’re probably covered, but if you’re doing it yourself be sure to keep in mind these crucial issues;
A HTTPS is a new site, so you’ll need to:
- Ensure correct 301 redirects are in place
- Claim the URL again in Google Webmaster Tools
- Consider Facebook Likes re-configuration
- Update the rel=canonical links on your site to prefer the HTTPS versions
- Secure third party scripts and web applications
HTTPS sites load slower than HTTP sites so:
- If you have slow website, deal with this first!
- You can see how Google views the speed of your site in Webmaster Tools, just go to the ‘Crawl’ menu and then select ‘Crawl Stats’ to see statistics about crawl time and page response time.
Test your SSL
After taking the steps to buy a trustworthy certificate (or use a free one, it’s substantially better than nothing!) and having your web hosting company install it, you should check that everything is configured securely and correctly by using the tests available at Qualys SSL Labs.
There’s no good reason to not score at least a B on this test. An A is very achievable if you are willing to break compatibility with some (very) old versions of web browsers.
Your hosting team will be able to arrange this for you. If you’re hosting your own site, you can refer to the Mozilla SSL configuration guidelines, which represent the state of the industry best practice.
Whilst it might sound complicated, ensuring your website is secure can make a huge difference for your e-commerce business, and it’s well worth considering.
About the author
This article has been written by ByteStart’s regular web and technology contributor, Nick Pinson. He is a Director at iWeb Solutions, an e-commerce website design agency based in Staffordshire.
More on ByteStart
Other ByteStart guides written by Nick Pinson include;