As the internet evolves, SSL is no longer just suggested—it’s required.
The internet is evolving, and as it continues to advance so too does the sophistication and prevalence of the hacking and cybercrime that has always been synonymous with it.
Fortunately, the browser community is pushing back—it’s pushing for a baseline level of security across the entire internet. That baseline level of security is SSL encryption.
A Browser Initiative
You may be asking yourself why the browsers get to make decisions that affect the entire internet. After all, browsers serve just one primary function—to let users navigate the worldwide web.
Well, as it turns out, that’s actually a pretty crucial function. Without the browsers, those fancy websites – along with the numerous profitable industries behind them, like hosting, domain registrars, etc. – wouldn’t really amount to a whole lot. You see, browsers are situated in a unique place within the internet ecosystem—one that allows them to effectively dictate their own terms to the rest of the web.
Fortunately for the average internet user, the browsers are aware of this too. And, on a regular basis, they push for changes that help to improve the overall user experience of the web. In this case, the browsers are pushing for a more secure web via universal encryption. The thought being that if every website is required to have encryption, personal information will be more secure and people will generally be safer using the internet.
It’s a noble cause and one that’s being moved forward in a number of different ways…
- SEO Boosts – Google, which is behind the popular browser Chrome, actively gives sites that employ encryption a search ranking boost. Google webmasters update; As of today, 82% of pages loaded in Chrome on Android are served over the secure
- Withholding Premium Features – The newest, most useful new features in the latest releases of each browser are only enabled on encrypted sites.
- Marking Unencrypted Sites as “Not Secure” – This has already begun, but will continue to become more overt as time progresses. If a website doesn’t have SSL, it’s going to become more and more obvious to users that it’s not secure. Soon unencrypted sites may even be flagged with intrusive full-page warnings. For now, though, it’s just being done with a negative indicator in the address bar.
There are other ways that the initiative is being pushed too, but the salient point to take away from all of this is that by the start of 2017, every website is going to be required to have SSL Encryption.
What is SSL Encryption?
An SSL Certificate is a web security product that facilitates an encrypted connection between a web server and a web browser, or to put it more simply: SSL Encryption secures communication between users and websites.
In reality, an SSL Certificate serves two functions. The first is encryption and the second is authentication. There are three authentication levels, ranging from domain verification to a full-blown business authentication. It’s this factor that differentiates SSL products from one another – as every SSL Certificate provides the same level of industry-standard encryption strength – but for the sake of this article, we’re not going to focus on authentication. The browsers just want your website to be encrypted, they don’t really care what the validation level associated with that encryption is. So while authentication is still extremely important, that’s another conversation for another day.
Encryption is what we’re going to focus on.
After you purchase an SSL Certificate and get it issued, you’ll need to install it and configure your server to start hosting your website over HTTPS. HTTP is the default protocol for communication on the internet. It’s been around since the beginning of the world wide web and hasn’t really seen too much updating.
While HTTP is an effective way to communicate, it isn’t secure. HTTPS is.
When a website has been configured to be served over HTTPS, it prompts whatever web browser a visitor is using to begin something called the SSL handshake.
We’re not going to go get too granular with our description of the SSL handshake—it’s quite complicated. We’ll just stick with the most important points while also taking a moment to mention that what’s actually happening is really an amazing feat of technology that takes place in the span of just a few milliseconds.
During the SSL handshake, a browser will first check for the validity of the SSL Certificate. A site being served over HTTPS is an indication that SSL has been installed, but the browser isn’t just going to take the site’s word for it. There are several safeguards that the browser will use to ensure that the certificate that’s being sent is trusted and valid.
Once that portion is done, and the website has proven that its certificate is valid and that it is the rightful owner of the public key associated with it, the browser and the site will negotiate the terms of their encrypted connection. Once this is done a pair of symmetric session keys will be created and exchanged. These session keys allow for both parties to encrypt any communication they wish to send to the other and to decrypt any communication they receive. Only the two parties with the keys – the site and the browser – can decrypt what is being received, meaning that all information that is exchanged is safe from the prying eyes of any potentially interested third party.
It is in this way that encryption can secure communication between a user and a website.
Once the user leaves the site, the session is considered terminated and the keys are discarded. Should the user return to the site, new session keys will be created and exchanged.
As you can probably see, the need for encryption is quite obvious. We use the internet on a daily basis for important business, whether that’s purchasing something, doing our banking or any range of other activities that involve the exchange of sensitive information.
Without encryption, you would be exchanging that information out in the open—meaning it can easily be intercepted or even manipulated. With encryption, that communication is secure.
The browser community believes that universal encryption should be the baseline for internet security. Like it or not, they’re going to get their way.