General Misunderstanding about SSL Certificate and Website Security

There is a general misunderstanding regarding SSL certificates and website security. Some people believe that by just installing an SSL certificate on their website, they are done and their website is secure against hackers.

This is WRONG.

SSL only guarantees that the data communication between your website and the visitor's browser goes over https and is encrypted. SSL is not a security measure for your website itself. It only encrypts the data in transit, and you still need a security service to protect your website. SSL does not fix the security vulnerabilities of your website, nor will it prevent hackers from breaking into your website's admin area if you are using a simple password.

WHAT DOES SSL DO?

Let me explain in the simplest way. When you go to an online store, a social network or a community website, what is the first thing you should notice when you want to log in? A GREEN lock at the left side of the URL, like this:

[Image: green SSL lock icon in the browser address bar]

What does that mean?

  1. Your connection is secure.
  2. If a hacker tries to monitor the data communication between your website and the visitor, they will only see encrypted data.
  3. Your username and password are sent to the website through a secure connection and cannot be stolen in transit.

What is the orange lock on some URLs and what does it mean?

[Image: orange lock icon in the browser address bar]

If you see this lock on a URL, especially on a checkout or login page, consult an expert before proceeding. On some websites, only the URLs of images are not using https, while the login or submit form does use https. In this case, it is OK to enter the requested information. However, if the submit form itself is not using an https connection, our recommendation is not to enter your credentials or credit card information.

IS INSTALLING AN SSL CERTIFICATE ENOUGH FOR WEBSITE SECURITY?

NO!

Just installing an SSL certificate does not by itself secure the data connection between your website and your visitors. Your website code and its forms must actually use the SSL connection. If you install an SSL certificate but the URLs of your website still use http, there is no difference between installing and not installing the certificate. All pages that collect information, such as the login page, checkout page, profile page, etc., MUST connect through https, and the GREEN LOCK must be visible in the address bar of your browser. If not, ask your developer to fix the issue on the server and not just on the website.

HOW TO TELL IF WE ARE USING A SECURE CONNECTION OR NOT?

Every service provided by your hosting company uses a specific protocol. These are the protocols that are typically used every day:

HTTP/HTTPS: These are the protocols we use for browsing websites. HTTP is the standard non-secure connection and HTTPS (the S stands for SECURE) is the secure connection, used for example when we log in to our account on a social network. Usually, when you are browsing a website through a secure connection, you should see a green lock icon at the left side of the URL in the address bar. If you are using a secure connection but some content is transferred via a non-secure connection, your browser will show an alert. Be careful on such pages.
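The orange-lock situation described earlier (images over http while the form uses https) and the rule that every form collecting data must submit over https can both be checked mechanically. The following is an added example, not code from the original post: a small scanner built on Python's standard-library HTML parser that lists every `http://` reference on an https page and separates harmless passive content (images) from a form or script that still talks to the server over plain http. The page URL and the sample HTML are constructed for the demonstration.

```python
# Added example: find content on an https page that would trigger the
# browser's mixed-content warning, and flag forms that submit over http.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that loads a sub-resource or submits form data.
URL_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "link": "href",
    "audio": "src", "video": "src", "source": "src", "form": "action",
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute_url, severity)

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if tag == "form" and not value:
            value = ""  # an empty action submits back to the page's own URL
        if value is None:
            return
        absolute = urljoin(self.page_url, value)  # resolves "/x" and "//host/x"
        if urlsplit(absolute).scheme != "http":
            return  # https, data:, mailto: etc. are not mixed content
        # A form posting over http exposes credentials; scripts and iframes
        # can rewrite the page; an image over http only leaks what it shows.
        severity = "critical" if tag in ("form", "script", "iframe") else "passive"
        self.findings.append((tag, absolute, severity))

def scan_html(page_url, html):
    """Return (tag, url, severity) for every plain-http reference on the page."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample: an https checkout page with one http image (orange lock,
# but the form is fine) and a login form that posts over http (not fine).
SAMPLE_HTML = """<html><body>
<img src="http://cdn.example.test/logo.png">
<img src="//cdn.example.test/hero.png">
<script src="/static/app.js"></script>
<form action="http://www.example.test/login" method="post">
  <input name="user"><input name="pass" type="password">
</form></body></html>"""

if __name__ == "__main__":
    for tag, url, severity in scan_html("https://www.example.test/checkout", SAMPLE_HTML):
        print(f"{severity:8} <{tag}> {url}")
```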

POP3/POP3S: One of these protocols is used when we want to receive our emails via an email program like Outlook (again, the S in POP3S stands for SECURE connection). If your server supports POP3S, it is recommended to use the secure connection.

IMAP/IMAPS: One of these protocols is used when we want to send an email via an email program like Outlook (again, the S in IMAPS stands for SECURE connection). If your server supports IMAPS, it is recommended to use the secure connection.

FTP/FTPS: One of these protocols is used when we want to upload or download files to or from a server (again, the S in FTPS stands for SECURE connection). If your server supports FTPS, it is recommended to use the secure connection.

NOTE: All these protocols use standard port numbers. Some hosting companies change the defaults; in that case, you must get the correct port numbers from support. In most cases, you can also find this information in your cPanel, so check your cPanel first. For email, go to the Email section and then click on Email Accounts->Setup Mail Client.

CONCLUSION

In this post I tried to clear up the misunderstanding about the role of an SSL certificate in website security.

As a website owner, you must provide a secure connection for your visitors to interact with your website, give you their feedback, buy from you, etc., but this does not mean that your website is fully secure from hackers. An SSL certificate will not address the security vulnerabilities of your code.

As a visitor or member of a website, before submitting any information, login credentials, credit card information, or ANY information that should NOT be shared or made public, make sure the connection of that page is secure by checking for the green lock icon at the left side of the page's URL, like the green lock you see in the URL of this blog post on Azgad Security.