Step 2 is About Encryption
This time we’ll discuss website security, what it is, why it’s important, and what you need to do about it.
This is a long post, so I’ll summarise it.
The Internet is becoming more security conscious. Some web browsers now issue warnings when you visit a website that isn’t secure. The others will follow. Warnings put visitors off. If you don’t want to lose visitors to your site, you need to encrypt it.
The next post in this series will explain how we are encrypting all BlueTree CMS user sites.
Meanwhile, in this post:
But first, a story.
A Website Encryption Story
We just finished a new website for a client. Stuart was very happy with the design and content, but there was a problem. He checked it on his phone, only to be told that the site was not secure! His SSL certificate doesn’t match his website.
Now, he doesn’t have an SSL certificate, neither does he need one – any more than anyone else, that is.
We traced the problem to his phone’s over-zealous software. Our servers host many websites, some of them encrypted. The phone software wrongly assumed that, because one of the sites has a security certificate, it must apply to his as well.
No website owner wants to see something like this when visitors go to their website. So we installed a correct, temporary certificate for him.
Why Encryption Matters
Clandestine forces are eroding the Internet ideals of free speech and openness. Internet freedom is under threat from wealthy individuals, corporations, hackers, even government agencies, with
- fake news designed to mislead
- trackers that collect personal details
- algorithms that control the news we read
- data collection to support identity theft and secret government snooping
Encryption is one way the good guys are fighting back. They’re persuading us to encrypt our websites. As one encouragement, search engines are starting to reward encrypted websites with better rankings.
Here are two more reasons:
- The GDPR Data Protection Regulation: if you collect any personal information on your website, it should be secured to reduce your risk of compromising it.
- My antivirus software, Webroot, puts a big green tick next to search results it deems safe. So do many others. You’ll notice that the search result below has HTTPS:// in front of our web address. This means the website connects securely with your browser. The “S” stands for “Secure”.
Benefits for You
Here are four reasons to encrypt your website:
- Your visitors won’t be put off by dire warning messages, like Stuart was
- Visitors will see at a glance your
website is safe, because their browsers will display a closed padlock in the address bar; this is Google’s Chrome browser making it obvious - Hackers won’t be able to snoop on your visitors
- Google will rank your website higher, some say as much as 5%
Many internet users are not tech savvy, so may not notice. Don’t expect this to last, however. How long ago was it that nobody understood the cookie message you now see on every website?
Worse, if you’re asking for feedback, or collecting an email address, they’ll certainly notice something like this.
Chances are they’ll move away and you’ll lose their input or a valuable lead.
Secure Websites Are Encrypted
My browser talks to your website using text messages. They’re structured formally, but you can read them using Windows Notepad or Apple TextEdit. Anybody can read them, including hackers.
These messages run over the Internet, AKA The Cloud. On the way, they pass through many servers. Servers are computers and can be hacked, exposing your messages to hijack.
Encryption converts the messages into gibberish using a cypher, possibly the oldest form of secret writing. Julius Caesar used a simple “Shift Cypher” in his correpondence. With a shift cypher, you swap each letter of the alphabet for another. “A” becomes “F”, for example, “B” becomes “G”, “C” becomes “H”, and so on. Each letter is shifted six along in this example. So BLUETREE becomes VFOYMLYY.
It’s fairly easy to crack. “E” is the most commonly-used letter in the English language…
Digital encryption is much more sophisticated, as you can imagine. It’s so secure that the US Government has tried to ban it – for some reason :-).
Digital Certificates
Your website needs a Digital Certificate to make encryption work. Issued by a trusted authority, the certificate must be installed on your web server. The certificate provider verifies your website is owned by your company, and the certificate is proof that all was OK.
Once the certificate is installed, “HTTPS” will appear before your domain name in the address bar of each visitor’s web browser, and all communication will be encrypted. The S after HTTP stands for “Secure”.
When you look at a secure site, your browser will examine the certificate and establish that,
- a trusted party issued it
- it’s current and valid
- it’s related to the site you’re looking at (this is where Stuart’s phone software went wrong in the story above)
When it’s happy, your browser and the server will swap encryption keys, and you’ll be able to see the web page content. The keys are discarded at the end of your session.
There’s a complete explanation here that’s nicely written and easy to understand.
In Conclusion
Encryption matters. All websites will be encrypted eventually. Steal a march on your competitors by encrypting yours now.
The time is right. The world moves on, the Internet world faster than most.
- Our certificate cost over £100 a year ago and you can now get one free
- Anti-virus software and web brosers are starting to identify non-secure sites, which they call “unsafe”
As the software evolves, some make mistakes, as Stuart discovered. Recent developments mean we can avoid this happening to your website.
In a later post, we’ll explain what we’re going to do about it, and how our plans will affect you.
Testing, testing, 123…
This is the first time I used reCAPTCHA in our blog. With luck, all the spam will stop now! Thanks Dave