Evolution of Digital Trust
Updated: May 15, 2018
If you have a website, then chances are you may have purchased a digital (SSL) certificate to provide your website visitors protection of information flowing to and from your site.
What you may not yet be aware of is that the SSL encryption you may be using on the site may soon prevent your customers using it.
Whilst the intention of the changes (to make the world a safer place) is sound, recent (and upcoming) changes by Google could have an impact whether your existing certificates continue to work as expected. (especially if they were Symantec-issued)
If left unmanaged, this could lead to Confusion, Business disruption and frustration or loss of customers.
If this issue affects you, you'll need to replace your certificates. This link contains a timeline of the impending changes.
So what is an SSL certificate and what does it do?
In a nutshell, the certificate serves two main functions. It helps to confirm to a browser that the website they are visiting is who they expect and (assuming it is correctly implemented) it also protects information being exchanged to and from the website.
There is a straightforward explanation of how all this works from Google here.
If you are an IT person or deeply interested in how this works - you can take a look at this (Warning: not for the faint-hearted)
How do I know if my website (or one I am visiting) is using SSL?
Simplistically, a website will usually be in one of three states:
Note that the web address starts with "http://" - and is missing the "s" after "http".
Many modern browsers will also show a warning or information about this type of website.
Note that the web address starts with "https://" and there is a green lock (or similar symbol)
If the website address (e.g. https://www.google.com.au ) matches the certificate that the website provides your web browser, then you will usually get a confidence-inspiring green padlock.
Note that despite the use of HTTPS - the web browser provides a warning
This can occur for a number of reasons, technical errors, the site has been flagged as unsafe, or the site being visited is masquerading as another.
Are there any risks associated with using SSL?
SSL was created to address the risk of eavesdropping, interception of communications and man-in-the-middle attacks, so the technology and principles involved are sound, however there are a few main areas of risk regarding implementation as follows.
Weakness in how SSL has been implemented based on browser, underlying server or client operating system or the network over which the communications occurs.
These can lead to exposure of the information which is supposed to be protected, or enabling a malicious 3rd party to pretend to be a given website.
You can check your own web server with a free SSL Server Test
Just like any other software, web applications suffer from a variety of potential issues, these can render the protection within SSL useless, as an attacker can gain access to the information at either end of the communications (either on the Server or the Client).
Author: Clinton Smith