SSL is a Question of Trust

Secure Sockets Layer (SSL) is a protocol that dates back almost as far as the domain name industry itself.  It was developed in 1994 by Netscape, one of the biggest web browsers in the early days of the Internet, to provide authenticated, encrypted data connections between a host and its users.

At its inception, most of the data being transmitted across relatively insecure networks was sent in plain text, which proved a major security and privacy issue for personal and financial data.  Data being passed in this manner could easily be intercepted, which fuelled the public myth of the Internet being the new Wild West.  Organisations wanted to ensure security and privacy for online clients.  Today, SSL or its adapted successor protocol, TLS (Transport Layer Security), is essential for all active websites and for domain names that support internal infrastructures such as email or virtual private networks.

SSL certificates use a valid domain name that is attached to a cryptographic key, which together form a unique token that is validated by a Certificate Authority (CA) using a digital signature.  Whilst a domain name can exist and be used without an SSL certificate, the reverse cannot be true – an SSL certificate must be associated or bound to a valid domain name.  The presence of a domain name using SSL encryption, signified by a padlock or a green browser bar, is a symbol of trust and user confidence.

Domain name encryption was always viewed as a panacea for many ills and bad actors found on the Internet.  For many years that appeared to be true, but in recent times there have been several concerns about the effective use of SSL, which has led to the emergence of TLS, the most recent encryption protocol, as one of the most effective weapons in the defence against cyber-attacks.  TLS authenticates web servers, which means consumers can spot if they have been redirected to spoof or copycat websites intent on stealing data.  That is, if consumers know the tell-tale signs.

Fortunately, this is where search engines play their part too.  As far back as 2014, Google changed its search ranking algorithms to give websites that were using encryption, or HTTPS as some know it, a small advantage.  Back in 2017, the search engine’s message became a little less subtle, stating that unless websites were using encryption they faced having “not secure” warnings shown to web users navigating to their web pages.  Today, the Internet is a safer space thanks to the 156 million SSL certificates issued to website owners, with Google reporting in May 2021 that 89% of the browsing traffic in Chrome is using encryption.

That’s a big number, but according to research carried out by WatchGuard, at least 20% of the Alexa Top 100,000 websites still don’t use any encryption, and even more are not using an up-to-date encryption protocol.  In a world where cybercrime is rising dramatically, it is essential that encryption such as SSL/TLS is used on all actively used and promoted websites.

Some organisations may say that encryption isn’t required if their core web presence is informational or brochureware, but everyone has a part to play in making the Internet a safer place.  The average cost of an SSL/TLS certificate is negligible, and it seems counterproductive for an organisation to invest in a domain name, a website, and any type of marketing communication without also looking to secure its digital presence.

One of the major changes in encryption has been the growth in free certificates and the reduction in their validity.  Up until a few years ago, organisations could buy certificates that lasted up to three years, which meant they only needed to authenticate their credentials once in that period.  Today, certificates need to be reissued after a maximum of one year, thanks to the pressure placed on the Certificate Authorities by the major search engines.  In addition, organisations such as Let’s Encrypt and Cloudflare have disrupted the certificate market by offering free encryption, with some restrictions and conditions.  Let’s Encrypt now issue more certificates than any other CA as they issue them for months, rather than a year at a time, meaning the domain name holder needs to verify and authenticate their certificates on a very regular basis.

The leading browser organisations, including Google and Mozilla, wanted to shorten the maximum term of an SSL/TLS certificate to one year to reduce the number of exploited websites that are allowed to persist.  Over 30,000 sites are exploited per day according to Web Arx Security, so by shortening the period between verification and authentication it is hoped the number of exploits will fall accordingly.

SSL and TLS certificates need to be managed as carefully as other assets such as domain names and trademarks.  A certificate that is allowed to lapse can lead to major issues for an organisation, disrupting critical operations and impacting consumer confidence.  In our next blog post, we will examine the practice of good SSL management and what organisations should be considering as part of a wider domain security policy.
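
As an illustration of the lapse and validity-length risks described above, here is a small added example (not part of the original post) that audits a certificate inventory.  The hosts, dates and the 30-day renewal window are constructed for the example, and the 398-day figure is assumed as the way browsers apply the one-year maximum.

```python
import ssl
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 398  # assumption: the one-year cap as browsers enforce it
RENEW_WINDOW_DAYS = 30   # assumption: renew when 30 days or fewer remain
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)  # fixed so results are repeatable

# Constructed inventory. The date strings use the notBefore / notAfter format
# that ssl.SSLSocket.getpeercert() returns for a live connection.
INVENTORY = [
    {"host": "www.example.com",
     "notBefore": "May 10 00:00:00 2021 GMT", "notAfter": "Aug  8 00:00:00 2021 GMT"},
    {"host": "mail.example.com",
     "notBefore": "Jun 15 00:00:00 2020 GMT", "notAfter": "Jun 15 00:00:00 2021 GMT"},
    {"host": "vpn.example.com",
     "notBefore": "May 20 00:00:00 2020 GMT", "notAfter": "May 20 00:00:00 2021 GMT"},
    {"host": "legacy.example.com",
     "notBefore": "Oct  1 00:00:00 2020 GMT", "notAfter": "Oct  1 00:00:00 2022 GMT"},
]

def assess(cert, now=NOW):
    """Return (status, lifetime_days, days_left) for one inventory entry."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    lifetime = (end - start) // 86400
    days_left = (end - int(now.timestamp())) // 86400
    if days_left < 0:
        status = "lapsed"              # already breaking services for users
    elif lifetime > MAX_VALIDITY_DAYS:
        status = "over_max_validity"   # browsers will not trust it
    elif days_left <= RENEW_WINDOW_DAYS:
        status = "renew_now"
    else:
        status = "ok"
    return status, lifetime, days_left

def audit(inventory, now=NOW):
    """Map each host to its status so the worst cases can be triaged first."""
    return {cert["host"]: assess(cert, now)[0] for cert in inventory}

if __name__ == "__main__":
    for cert in INVENTORY:
        status, lifetime, days_left = assess(cert)
        print(f"{cert['host']:<20} {status:<18} "
              f"lifetime={lifetime}d remaining={days_left}d")
```

The email and VPN hosts are included because certificates on internal infrastructure are the ones most easily forgotten until they lapse.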
