GlobalSign Blog

26 May 2017

SSL Shaming: Customers Fight Bad Practice

Your customers have had enough. They want to visit your website with ease, follow a buying process that gets them what they want quickly and efficiently and do all of this knowing that their data is safe and secure from the prying eyes of hackers. Are you sure you’re giving them all of that?

Be careful, you might be confident you are and then quickly find you are another victim of SSL Shaming!

As browsers update their UIs (user interfaces), buyers everywhere are suddenly coming across browser error and warning messages that suggest their connections are not private or that their data is not safe. These warnings stop them from completing transactions on your website and this makes them sad…and should make you sad as well. You just lost a customer!

Buyers are so sad, in fact, that they have to share their frustrations with you on Twitter, the social network for complaining when you don’t get what you want.

I call this practice ‘SSL Shaming’ and it is a growing trend on Twitter.

Make no mistake, whether you are a small or large business, if you haven’t got an HTTPS website or your SSL Certificate is not configured properly, your customers are going to know about it…and you WILL lose business.

Note: Yes, we know SSL protocols are deprecated and TLS is the technically accurate term to use, but most people are more familiar with SSL so we're using it here for simplicity (more on this here).

Shame on You…Still No HTTPS?

So you still haven’t moved your website over to HTTPS? Shame on you!

If your business isn’t making use of HTTPS yet, better late than never. Google just announced at the Google IO Conference that they are already planning to release a new UI in Chrome 62 that will mark non-HTTPS websites as ‘not secure’.

[Images: Google IO conference, HTTPS; ‘not secure’ UI in Google Chrome]

Source: https://www.youtube.com/watch?v=GoXgl9r0Kjk&feature=youtu.be

Imagine the anger your customers will feel when they visit your website and are shown a warning message like this. Or better yet, don’t imagine. Read some messages from customers who have already turned to Twitter to shame businesses about their lack of encryption.

The shaming will only get worse when Google updates Chrome’s UI.

Like this message, SSL shaming messages are plainly and simply asking companies to secure their website. If you are one of those rare and very naughty companies trying to slide by without SSL, you will be found out too.

Another bad practice example is not using SSL and asking your customers to 'proceed anyway'. This isn’t the first I’ve heard about companies advising their customers to do this when they come across an SSL Certificate error. Really and truly…shame on you!

Shame on You…Bad Configuration?

Just installing an SSL Certificate is not enough; you need to make sure your server is properly configured as well. Otherwise, your customers could still be seeing error messages on your website.

This isn’t as horrifying as not having SSL at all, but it still gives the impression that you are not paying enough attention to your website or that your IT team aren’t doing their jobs. While that is probably not true, it certainly looks that way to these guys…

Intermediate certificates are part of your chain of trust and also need to be properly installed on your servers. Here’s more info for GlobalSign customers.

SSL/TLS ciphers on your server configuration need to be managed and aligned with best practice. Today all SSL protocols are dead and your server should only accept TLS 1.1, 1.2 and 1.3. You can find out if your server is configured properly using GlobalSign’s SSL Checker tool.

Shame on You…Expired Certificates?

Have you forgotten to renew your certificate? Naughty, naughty. You don’t want customers to think you’re not on the ball, do you? You should set up reminders for all relevant staff members 90, 30, 10, 7, 3 and 1 days before your certificate is set to expire. You can’t have too many reminders!
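
The reminder schedule above can be checked automatically. The following is an added example, not GlobalSign code: it classifies certificates by their notAfter date against the 90/30/10/7/3/1-day thresholds. The host names, dates and function names are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Reminder schedule from the article: days before expiry.
REMINDER_DAYS = (90, 30, 10, 7, 3, 1)


def reminder_status(not_after, now):
    """Classify a certificate by its 'notAfter' string (getpeercert() format).

    Returns (state, whole_days_left, tightest_reminder_reached_or_None).
    """
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    remaining = expires - now
    if remaining.total_seconds() <= 0:
        return ("expired", remaining.days, None)
    due = [d for d in REMINDER_DAYS if remaining.days <= d]
    if not due:
        return ("ok", remaining.days, None)
    return ("renew", remaining.days, min(due))


def fetch_not_after(host, port=443, timeout=5.0):
    """Read notAfter from a live server. An already-expired certificate fails
    verification here (ssl.SSLCertVerificationError), which is itself the alert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


# Constructed sample inventory (hypothetical hosts, made-up dates).
SAMPLE_INVENTORY = {
    "shop.example.com": "Jun 25 12:00:00 2017 GMT",
    "www.example.com": "Dec 31 12:00:00 2017 GMT",
    "pay.example.com": "May 26 18:00:00 2017 GMT",
    "old.example.com": "May 25 12:00:00 2017 GMT",
}


def audit(inventory, now):
    """Return {host: status} sorted so the most urgent certificates come first."""
    results = {h: reminder_status(na, now) for h, na in inventory.items()}
    return dict(sorted(results.items(), key=lambda kv: kv[1][1]))


if __name__ == "__main__":
    fixed_now = datetime(2017, 5, 26, 12, 0, tzinfo=timezone.utc)  # constructed "today"
    for host, status in audit(SAMPLE_INVENTORY, fixed_now).items():
        print(host, status)
```

To check live servers, pass the result of fetch_not_after(host) to reminder_status together with datetime.now(timezone.utc).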

At GlobalSign, we send reminders to all of our customers as part of our service offering. Assuming you have given us an email that is monitored by a relevant staff member and take action to renew, you shouldn’t EVER get these warnings.

Another option, if you are managing multiple certificates, is to leverage a certificate management platform like GlobalSign’s Managed PKI. This gives you an "at a glance" view of all upcoming expirations and you can renew certificates with a click of a button.

In the same light as bad configuration, an expired certificate just makes you look like your IT team are not doing their jobs or that your company flunks at staying on top of things.

Shame on You…No EV?

Something that many organizations still don’t know: SSL Certificates come in three forms. While all three levels encrypt communications between server and client, they differ in terms of how much identity information is included in the certificate and how they display in browsers.

  • Domain Validated (DV) – administrative control of the domain is the only thing that is verified. Hackers can quite easily get a DV and use it on a phishing website; you have no way of knowing who is behind the website.
  • Organization Validation (OV) – identity of the organization is vetted and included in the certificate, but no extra browser UI is shown.
  • Extended Validation (EV) – strict identity verification is done on the organization and browsers show the organization name in the URL.

If you truly want your customers to trust that you are who you say you are, EV is the best bet since your verified name is presented front and center. If you’re accepting card payment details and personal information with a DV Certificate, your customer cannot be sure that they are really giving you that information and not someone else.

Read this blog on identity in SSL for more information.

Looks like this company learnt this the hard way…

Your Customers Demand Proper SSL

So give it to them! Customers are the most important thing to a business, right? If you really feel this way, then you need to ensure that you’re giving them the best experience when they visit your website. So get your SSL practices in shape, invest where needed, and move on from your past SSL faux pas. Be proud that you are following safe browsing best practices and providing your customers with confidence when they conduct business with you.
