As discussed in my last blog, securing our online presence is something that we take for granted and something, we assume, our data keepers are doing for us with the utmost care and attention. Even Barack Obama is conscious of this fact and feels an overhaul of many government systems is in order to ensure US citizens’ data is protected and secure: http://www.wsj.com/articles/protecting-u-s-innovation-from-cyberthreats-1455012003.
Of course, protecting the data of the many law-abiding citizens has its flipside for those few who may not be so upholding of the law. Allowing access to an individual’s locked-down or encrypted device to further a federal investigation seems, on the one hand, like the sensible thing to do, but on the other it can set a terrible precedent for the future whereby, given enough reason and the weight of the courts, anyone’s encrypted information could be open and available to the state. Tim Cook wrote about it yesterday (http://www.apple.com/customer-letter/) to defend Apple’s position of challenging the US government’s request to unlock a device to allow them access to the data contained therein.
But we digress. To bring things back home and into our own online world: a website and the mechanisms on which it operates are, by their nature, open to attack by malicious entities that perch on the precipice between your computer network and the website network you are trying to reach. They can be ‘listening’ in on your network traffic as it propagates between you and the server while you browse pages, log on to accounts or search Google.
Many websites use a form of encryption so that if anyone was listening in and tried to hijack the data being sent to and from a user, they would not be able to read it. In much the same way that a password is encrypted, the information passed back and forth between a website and a browser is encoded so that it cannot be read without the use of a decryption key, the key being held by the particular website being browsed in partnership with a corresponding private key saved by the browser on your computer.
A webserver must have an SSL certificate installed in order for this encryption to take place. An SSL certificate is essentially a set of files, installed on the server, which bind said keys to an organisation and a site domain. Once it is installed, any browser viewing the site will display the padlock icon in the address bar to identify to the user that communication is secured, and all data will flow over the https protocol, indicating a secured connection.
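What that binding looks like from the client side, as an added example that is not part of the original post: Python code that reads a certificate in the dict form returned by the standard library's `ssl.SSLSocket.getpeercert()` and reports the organisation it names, whether it covers the domain being visited, and whether it is inside its validity dates. The sample certificate, its names and its dates are constructed for illustration, and the function names are this example's own.

```python
import ssl
import time

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the organisation, domains and dates are made up for illustration.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Shop Ltd"),),
                (("commonName", "www.example.com"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.shop.example.com")),
    "notBefore": "Jan  1 00:00:00 2016 GMT",
    "notAfter": "Jan  1 00:00:00 2017 GMT",
}

def organisation(cert):
    """Return the organisation named in the certificate subject, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def covers_domain(cert, hostname):
    """True if a DNS subjectAltName entry matches hostname."""
    host = hostname.lower().rstrip(".")
    label, _, parent = host.partition(".")
    for kind, pattern in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = pattern.lower()
        if pattern == host:
            return True
        # A wildcard stands in for exactly one left-most label, no more.
        if pattern.startswith("*.") and label and parent == pattern[2:]:
            return True
    return False

def check(cert, hostname, now=None):
    """Summarise what the certificate binds; `now` is Unix time in seconds."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {"organisation": organisation(cert),
            "domain_ok": covers_domain(cert, hostname),
            "in_validity_period": not_before <= now <= not_after,
            "days_remaining": int((not_after - now) // 86400)}

if __name__ == "__main__":
    # 1480550400 is 1 Dec 2016 00:00:00 UTC, inside the sample's validity dates.
    print(check(SAMPLE_CERT, "www.example.com", now=1480550400))
```

A certificate that names the wrong domain or has passed its `notAfter` date is what makes a browser show a warning instead of the padlock.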
Having an SSL certificate is, though, no longer a requirement just for the banks or other financial institutions passing sensitive data back and forth. An https connection is now used as a ranking factor by Google and, if present, will improve a site’s search rankings (along with Google’s many other metrics). In addition to this, new browser versions will begin to actively warn users when they browse sites that do not use an SSL certificate. These warnings will become much more intrusive than they currently are and will point the way for more and more sites to move away from simple HTTP connections, which will be seen as untrusted.
With the dramatic increase in mobile usage, and users visiting websites whilst they are out and about on open, less secure wireless networks, it is vitally important that data communications are encrypted, and having an SSL certificate on your website is of paramount importance. Giving users the peace of mind of knowing that their data is safe whilst they use your site may be the difference between them buying a copy of Taylor Swift’s new album or another copy of The Da Vinci Code.