Last week, “la crème de la crème” of the hosting industry met again at WorldHostingDays 2015 in Rust, Germany.
Paul van Brouwershaven, Technology Solutions Director at GlobalSign, led an interactive session on the current and upcoming changes in the SSL industry and carried out a live poll, which provided significant insights into the issues affecting hosters when it comes to SSL security*.
*Note: for the sake of accuracy, SSL was referred to as TLS (the accurate name for the protocol used nowadays) throughout the session.
The Importance of TLS in Hosting
This year again, security was a key topic throughout the show, underscored by record attendance at Edward Snowden’s live interview with Sarah Harrison. With hosters having a key role to play in security deployment, TLS still seems to remain the number 1 priority for the majority of them (55%). When asked about the priority level of TLS in their security plan, not a single respondent chose the answer “TLS is the least important item”.
Top Challenge: Customer Awareness
TLS is more than just a padlock. As an increasing number of websites are adopting TLS security by default, it is becoming critical for organisations to differentiate themselves by also displaying their vetted identity. Extended Validation SSL Certificates allow them to do just that, creating a new opportunity for hosters.
When it comes to deploying certificates with identity assurance, however, hosting companies named the lack of customer awareness as their biggest challenge (64%), as well as price and time to issue a certificate (36%).
We predict that hosters are going to face an increasing demand for these types of certificates in the near future, and should get ready by partnering with a CA that can ensure smooth vetting processes and provide sales and marketing support to aid customer education.
Attitude Towards Best Practices
TLS is associated with an ever-increasing number of best practice considerations. TLS is only as strong as its weakest link, so it is important for administrators to consider key lengths and the algorithms used, and also to review their TLS configurations regularly.
Although 70% of respondents did not consider the complexity of best practices to be an obstacle to TLS deployment, Paul van Brouwershaven highlighted the need to schedule configuration reviews at least monthly to ensure high security. Look to your CA and crypto libraries like OpenSSL for advice on the latest best practices, patches and recommendations. There are also a number of useful tools out there, such as the SSL configuration checker.
Encryption By Default?
As browsers make plans to warn users of websites that do not provide TLS security, there is a lot of talk around providing encryption by default, which is certain to have the biggest impact on hosting companies and their infrastructure.
Although the majority of respondents (93%) would like to move towards deploying TLS by default, there were a few conditions:
The pricing issue generated an interesting debate: Can anything really come for free? On the Internet, most “free” services are paid for through an impact on privacy and/or through advertisements. When it comes to TLS security, even automated domain control validation can require manual phishing checks to ensure maximum security. It is important for CAs and hosting companies to work together on business models that respond to their challenges.
So is the hosting industry ready? It is pretty clear that TLS security remains a priority and hosters are aligning with industry changes by considering TLS by default, certificates with identity assurance, and striving to keep on top of best practices.
There was so much to discuss that we ran out of time and couldn’t answer all the questions that were submitted during the session. Don’t worry, we will cover the most popular ones in our next post, so stay tuned, and get in touch with our expert channel team for more information on any of these topics!