Predictions and tips for protecting your websites and apps in the coming year
It’s 2017 – has been for a few weeks now – and cyber security is as relevant as ever. Think about it: in the last year we’ve had a standoff over “master keys” (a way into a locked iPhone) between the US government and Apple, allegations of Russian hacking during the US election, and Yahoo disclosing a breach of around a billion user accounts.
Face it, the internet has become an integral part of our lives, and the threats that come with using it have grown into one of our chief concerns.
So what’s the best way to keep your websites and mobile apps protected and trusted in 2017?
Well, this year it’s all about connection security.
2017 is the Year to Get SSL for Your Website
There are a number of reasons you need to encrypt your website if you haven’t already. We’ll start with the theoretical reasons, then get into ways the browsers are trying to “motivate” you to encrypt and finally we’ll end with a discussion over how much authentication you need when you do finally encrypt.
Let’s start with why you need SSL in general.
SSL, or more precisely its successor TLS, is the protocol behind HTTPS, and it is a prerequisite for internet security. Without it your website is relegated to plain HTTP, which works but is insecure. Over HTTP nothing is encrypted, so anyone on the path between the visitor and your server (a shared Wi-Fi network, an ISP, a compromised router) can read the traffic and, worse, alter it. That is what makes data theft, content injection and man-in-the-middle attacks possible.
The logic used to be that you only needed SSL if you ran a website that collected sensitive information or sold something. That’s no longer the thinking though, in fact, the browser community thinks every website should be encrypted.
That’s why they’re basically mandating SSL in 2017.
Now, the browsers are positioned in the internet marketplace in a way that makes them integral. The vast majority of us could never navigate the internet without a browser, and websites need the browsers to connect them with consumers. Heck, the biggest browser, Chrome, is backed by a company, Google, that also runs the world’s top search engine—which makes it even more influential.
Basically, what the browsers say, goes. And they say encrypt. They’re saying it by:
- Treating HTTPS as a search-ranking signal (Google announced this in 2014, describing it as a lightweight one)
- Restricting powerful browser features, such as geolocation, camera and microphone access and service workers, to HTTPS pages (“secure contexts”)
- Gmail flagging mail that arrived over an unencrypted connection (strictly a mail-server TLS issue, but the same pressure applied to another protocol)
- Speaking HTTP/2 only over TLS, so the faster protocol is off limits to plain-HTTP sites
- Marking non-HTTPS pages “Not Secure”
In particular, marking unencrypted websites “Not Secure” is going to be extremely disruptive. Chrome 56, released in January 2017, starts with HTTP pages that collect passwords or credit card numbers, and Google has said the warning will eventually cover every HTTP page. People do not respond well when told they have reached a website that isn’t secure. That alone will crater traffic, hurt conversions and push a great many site owners to invest in SSL certificates.
Look, you’re going to encrypt in 2017—like it or not.
So, what type of SSL certificate do you need? Keep this in mind: everyone is about to be in the same position, where they either encrypt or have their site labeled “Not Secure.” And Chrome has already changed its indicator for an encrypted connection from a lone green padlock to the word “Secure” in green with a padlock beside it.
These new indicators create a binary: websites will be judged at a single glance as either “Not Secure” or “Secure,” and by extension safe, even though “Secure” only describes the connection.
Now consider that free, automated CAs like Let’s Encrypt have made it easier than ever for cybercriminals to get SSL. This isn’t to pick on Let’s Encrypt, which behaves like any other domain-validated (DV) CA: before issuing it verifies only that the requester controls the domain name, plus a check against Google’s Safe Browsing blacklist. So as long as Google hasn’t blacklisted your malicious site yet, you can get a free certificate for it and have the browser label it “Secure.” The label is accurate as far as it goes (the connection really is encrypted), but it says nothing about who is on the other end.
As of January 25th, Let’s Encrypt had issued 792 SSL certificates for websites with the word “PayPal” somewhere in their domain name.
Phishing is going to increase sharply in 2017. You might not think phishing could affect you, but according to the CA Security Council, 71% of small and medium businesses were targeted by cybercriminals in the last year. Add the National Cyber Security Alliance’s finding that 60% of small businesses that suffer an attack go out of business within six months, and it should be clear that this is not something you can afford to ignore.
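The “PayPal” count above is the kind of number you get by watching certificate issuance for brand strings. The following is an added example, not code from the article: it takes host names of the sort Certificate Transparency logs expose for every issued certificate and reports the ones that contain a brand string but sit outside the brand’s own registrable domains. The brand-to-domain mapping, the homoglyph table and the sample names are all constructed for illustration, and the registrable-domain logic is deliberately simplified (a real tool uses the Public Suffix List).

```python
"""Brand-lookalike check over certificate host names.

Added example, not from the article. BRAND_DOMAINS and SAMPLE_NAMES are
constructed for illustration; ".example" is a reserved TLD, so none of the
lookalike names below belong to anyone.
"""
from typing import List, Optional, Tuple

# Assumption for the example: the registrable domains the brand really owns.
BRAND_DOMAINS = {
    "paypal": {"paypal.com", "paypal.me"},
}

# Digit/symbol swaps phishers use so that "paypa1" still reads as "paypal".
HOMOGLYPHS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "|": "l"}
)

# Constructed CT-log-style names, not real certificates.
SAMPLE_NAMES = [
    "www.paypal.com",
    "secure.paypal.com",
    "*.paypal.me",
    "paypal-secure-login.example",
    "www.paypal.com.verify-account.example",
    "paypa1.example",
    "shop.example",
]


def registrable_domain(host: str) -> str:
    """Last two labels of a host name.

    Simplification: a production tool consults the Public Suffix List so
    that something like "brand.co.uk" is not reduced to "co.uk".
    """
    labels = host.split(".")
    return ".".join(labels[-2:])


def fold(host: str) -> str:
    """Lower-case, undo digit-for-letter swaps and drop separators so that
    substring matching catches "pay-pa1" as well as "paypal"."""
    return host.lower().translate(HOMOGLYPHS).replace("-", "").replace(".", "")


def classify(name: str) -> Tuple[str, Optional[str]]:
    """Return ("legitimate" | "lookalike" | "unrelated", matched brand)."""
    host = name.lower().lstrip("*.")  # wildcard certs: judge the base name
    folded = fold(host)
    for brand, owned in BRAND_DOMAINS.items():
        if brand in folded:
            kind = "legitimate" if registrable_domain(host) in owned else "lookalike"
            return (kind, brand)
    return ("unrelated", None)


def lookalikes(names: List[str]) -> List[Tuple[str, str]]:
    """Names that reference a brand from outside the brand's own domains."""
    hits = []
    for name in names:
        kind, brand = classify(name)
        if kind == "lookalike":
            hits.append((name, brand))
    return hits


if __name__ == "__main__":
    for name, brand in lookalikes(SAMPLE_NAMES):
        print(f"{name}: references {brand} but is not a {brand} domain")
```

Run against the constructed list, the three “.example” names that contain “paypal” are reported and the genuine paypal.com / paypal.me names are not. Feeding it real CT data (for instance the output of a CT log monitor) is the same loop with a bigger input.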
The best way to protect your website and your brand, while also inspiring trust in your customers and aligning yourself with the world’s top companies is to invest in Extended Validation SSL.
EV SSL adds the green address bar: a visual indicator, drawn by the browser rather than by your page, that shows your company’s legal name and country of incorporation in green next to the URL. EV does not make the encryption any stronger than a DV certificate’s; what it adds is identity. Before issuing, the CA verifies that the organization legally exists and controls the domain, so the green bar tells visitors who they are actually talking to, something a phishing site with a free DV certificate cannot reproduce. Be aware that the indicator varies by browser and is less prominent on some mobile browsers, so not every visitor will see it. It differentiates you from the competition, and CAs cite studies showing that EV increases conversions, so it can pay for itself. Not only are you protecting your customers, you’re making a statement about your company with the green address bar.
You definitely need SSL in 2017, but if you have the means you should invest in EV—leverage the power of SSL for all it’s worth.
It’s All About Encryption for Apps, too
Apple’s big announcement at the end of last year was that it would delay its deadline for apps to support App Transport Security (ATS). Originally the deadline was January 1, 2017; Apple has not announced a new one since.
ATS is roughly the app-side equivalent of enabling SSL on your website. Introduced in iOS 9, it makes the system networking APIs (NSURLSession and friends) refuse plain-HTTP connections and require TLS 1.2 with forward-secrecy cipher suites and SHA-256-signed certificates, unless the app declares an exception for a specific domain in its Info.plist. This is frankly a no-brainer, but with all the third-party advertising, hosting and analytics services many app developers use, and those providers’ own delays migrating to HTTPS, adoption has been slow. The shortcut many apps took, setting NSAllowsArbitraryLoads to true, switches ATS off entirely, which is exactly what Apple wants to stop seeing.
Still, any app you build for iOS moving forward needs to be ATS-compliant. Android has an equivalent: the Network Security Configuration introduced in Android 7.0 lets you declare cleartextTrafficPermitted="false" for the whole app with per-domain exceptions, and the android:usesCleartextTraffic manifest attribute, available since Android 6.0, does the same with less granularity. It’s time to embrace that too.
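The practical question on both platforms is “where is cleartext still allowed?”. The following is an added example, not code from the article or from Apple or Google: a small Python audit that parses an iOS Info.plist with the standard library’s plistlib and an Android network_security_config.xml with xml.etree, and lists every setting that permits plain HTTP. The four embedded documents are constructed samples: the “weak” pair switches the protection off globally, the “hardened” pair keeps it on and carves out a single placeholder host, legacy-cdn.example. The Android default it assumes (cleartext permitted unless the config says otherwise) is the one for apps targeting Android 7 and 8.

```python
"""Audit iOS ATS and Android Network Security Config for cleartext exceptions.
Added example; embedded documents are constructed samples, legacy-cdn.example
is a placeholder host."""
import plistlib
import xml.etree.ElementTree as ET
from typing import List

# iOS, weak: ATS switched off for every connection the app makes.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict>
</plist>
"""

# iOS, hardened: ATS stays on; one named host may be fetched over plain HTTP.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy-cdn.example</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSIncludesSubdomains</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Android, weak: cleartext permitted to every host.
WEAK_NSC = b"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="true" />
</network-security-config>
"""

# Android, hardened: cleartext blocked by default, one host excepted.
HARDENED_NSC = b"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">legacy-cdn.example</domain>
  </domain-config>
</network-security-config>
"""

GLOBAL_OFF_SWITCHES = ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent",
                       "NSAllowsArbitraryLoadsForMedia")


def audit_ats(plist_bytes: bytes) -> List[str]:
    """Findings for an Info.plist: global ATS opt-outs and per-domain holes."""
    findings = []
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    for key in GLOBAL_OFF_SWITCHES:
        if ats.get(key):
            findings.append(f"{key} is true: ATS is switched off for that class of connection")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        scope = "(including subdomains)" if rules.get("NSIncludesSubdomains") else "(this host only)"
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"plain HTTP allowed to {domain} {scope}")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"forward secrecy not required for {domain} {scope}")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{tls} accepted for {domain} {scope}")
    return findings


def audit_nsc(xml_bytes: bytes) -> List[str]:
    """Findings for network_security_config.xml. Assumes the API 24-27 default
    (cleartext permitted unless base-config says otherwise); API 28 flips it."""
    findings = []
    root = ET.fromstring(xml_bytes)
    base = root.find("base-config")
    if base is None or base.get("cleartextTrafficPermitted", "true") == "true":
        findings.append("base-config permits cleartext to every host")
    for cfg in root.findall("domain-config"):
        if cfg.get("cleartextTrafficPermitted") == "true":
            for dom in cfg.findall("domain"):
                scope = ("(including subdomains)" if dom.get("includeSubdomains") == "true"
                         else "(this host only)")
                findings.append(f"cleartext permitted to {dom.text.strip()} {scope}")
    return findings
```

Calling audit_ats(WEAK_PLIST) yields the single global opt-out finding, audit_ats(HARDENED_PLIST) yields just the one host exception, and the two Android configs behave the same way; an empty list means the app makes no cleartext connections at all. The per-domain exception is the shape Apple asks for when a third-party host really cannot do HTTPS yet: scope it to that host, leave NSIncludesSubdomains false, and remove it once the provider migrates.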
People’s mobile phones are a vital part of their everyday lives, and mobile security is increasingly a major concern. Apps are a very enticing attack vector for cybercriminals: many of them are constantly making connections to various servers, even behind the scenes, and leaving those connections unencrypted creates all kinds of potential dangers. Really, it’s a wonder this hasn’t been exploited more already.
Regardless, every developer will need to make sure their apps only make encrypted connections from now on; that should simply become standard practice.
And there you have it, 2017 is going to be a big year for connection security. Whether it’s a website or an app, it needs to be making secure connections if you want to keep your customers – and your brand – safe.