Let’s play a word association game. What’s the first thing that comes to your mind when you hear “SSL”? I’m willing to bet it was “encryption” (and if it wasn’t, just go with it). This isn’t a bad thing! Encryption and SSL go together like peanut butter and jelly.
However, this idea that SSL is only about encryption is selling it a little short, and may actually lead many site operators to dismiss it entirely. If you’re not collecting data through your site, why would you need encryption, and therefore SSL, right? Well, there are a number of reasons actually. Let’s take a look at some of the biggest.
1. Browsers Are Going to Start Penalizing HTTP Sites
We covered this in more detail in our recent post on Always On SSL, but in a nutshell, starting in January 2017, Google is going to start flagging HTTP pages that collect passwords or credit cards as non-secure. This shouldn’t really come as a surprise to anyone. They’ve been advocating for increased SSL usage since they launched their ‘HTTPS everywhere’ initiative back in 2014.
Perhaps the more interesting part of their most recent announcement was that they plan to take this approach for ALL websites in the future – meaning all HTTP sites will be marked non-secure. They haven’t put a timeline in place for this, but the writing is on the wall. Website owners should get on the encryption train or risk their sites being flagged or blocked in the future.
In case you’re thinking this is only a Google thing, Mozilla announced back in 2015 that they intended to phase out HTTP, but they don’t appear to have made any public progress yet or provided any other updates to their deprecation plan. I wouldn’t be surprised if we see an update soon though.
2. Visitors Are Looking for, and Expecting, the Padlock
Site visitors (i.e. the general public) are also becoming more security aware – 84% said they would abandon a purchase if the connection was unsecure and 98% said they look for security indicators on websites.
It seems after years of education initiatives and scary news stories about internet scams, visitors have become a little savvier about which sites to trust. And if your site doesn’t have clear security indicators, like the padlock and HTTPS, it’s going to be abandoned by visitors.
3. Brand Identity and Phishing Mitigation
Phishing sites, websites designed to impersonate legitimate sites and steal visitors’ identity or financial information, continue to pose one of the greatest threats to online safety. The latest numbers from the Anti-Phishing Working Group indicate that the number of unique phishing websites grew 61% between Q1 and Q2 of this year, with over 400 brands being targeted by the phishers.
While the number of phishing sites continues to grow, so does the “quality” of impersonation. Nowadays it can be extremely difficult to identify a phishing site from a legitimate one.
Fortunately, there is an easy way for you to bring your brand’s verified identity front and center on your website – an Extended Validation (EV) SSL Certificate. With an EV Certificate, your organization’s name is clearly presented in the address bar. Site visitors can immediately see that the site is legitimately operated by your company.
We recommend EV for online stores, high profile brands, or any sites that collect information, as these tend to be most targeted by phishing attacks, but it’s ideal for anyone that wants to present their business’s verified identity front and center on their website.
4. Prevent Man-In-The-Middle Content Hijacking
This last tip is related to encryption, but maybe not in the way we typically think when it comes to SSL. We tend to think about site encryption in terms of protecting any data that is submitted through a site, such as login credentials or credit card details, but what about the data that is being presented by the site itself?
Unencrypted traffic can be intercepted to replace normal requests (e.g. software downloads, video views) with malicious files, all unbeknownst to the visitor. This article outlines an example of how this could happen with a YouTube video delivered over HTTP. In this scenario, a hacker was able to intercept the video stream and inject some malicious code. When someone streams the video, they also end up downloading a nasty file that gives the hacker complete control over their machine. Obviously, it’s a slightly outdated reference since YouTube now encrypts all targeted traffic, but the point remains – if you don’t encrypt your site, you leave it vulnerable to tampering.
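To see where your own pages stand on points 1 and 4, the sketch below (an added example, not code from this post or from any browser) scans a page's HTML for password or credit card fields that would earn the non-secure flag on an HTTP page, and for scripts, images, links and form targets that still resolve to http:// and can therefore be tampered with in transit. The example.com hosts and sample markup are constructed, and recognizing card fields by their autocomplete tokens is an assumption, not how any particular browser decides.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: card fields are recognised by standard HTML autofill tokens.
CARD_TOKENS = {"cc-name", "cc-number", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc"}
# Tag -> attribute that fetches, links to, or submits to another URL.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "video": "src",
             "source": "src", "link": "href", "a": "href", "form": "action"}
# Constructed sample page (hypothetical example.com hosts).
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<script src="//cdn.example.com/app.js"></script>
<a href="https://downloads.example.com/setup.exe">Download</a>
<img src="http://static.example.com/logo.png">
"""

class ExposureAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.sensitive_inputs = []   # password / card fields found on the page
        self.cleartext_urls = []     # (tag, url) pairs that resolve to http://

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            tokens = set(a.get("autocomplete", "").lower().split())
            if a.get("type", "").lower() == "password" or tokens & CARD_TOKENS:
                self.sensitive_inputs.append(a.get("name") or a.get("id") or "?")
        attr = URL_ATTRS.get(tag)
        if attr and attr in a:
            url = urljoin(self.page_url, a[attr])  # relative URLs inherit the page scheme
            if urlparse(url).scheme == "http":
                self.cleartext_urls.append((tag, url))

def audit(page_url, html):
    parser = ExposureAudit(page_url)
    parser.feed(html)
    on_http = urlparse(page_url).scheme == "http"
    return {"flagged_non_secure": on_http and bool(parser.sensitive_inputs),
            "sensitive_inputs": parser.sensitive_inputs,
            "cleartext_urls": parser.cleartext_urls}

if __name__ == "__main__":
    for url in ("http://www.example.com/", "https://www.example.com/"):
        print(url, audit(url, SAMPLE_HTML))
```

Served over HTTP, the sample page is flagged and three of its URLs travel in cleartext; served over HTTPS, only the hard-coded http:// image remains, which is the mixed content to clean up after a migration.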
There's More to SSL Than Encryption
Although the frequency is decreasing (thankfully), I still sometimes hear, “oh, I don’t need SSL on my site because I don’t have an online store or a login portal...” from site owners. I hope this post has made it clear that there’s a lot more to SSL than just encrypting data submissions. Browsers are pushing for it, your visitors are expecting it, and it can help differentiate your site from impostors. If you haven’t implemented it yet, what are you waiting for?
...No seriously, if you aren’t using SSL, please let me know why in the comments! I’m curious about what scenarios I could be overlooking.