Do I need SSL on my website? Does https guarantee security?
There is a great deal of mis-understanding about SSL/https, so what does it actually mean and how does it work? SSL is an abbreviation for Secure Sockets Layer. In essence this is a safety certificate that is installed on the server where the website is hosted and is specific to your domain/website. When someone visits the website and the page URL is shown with https instead of http this is a secure connection and means that any information passed to the server from your browser (e.g., when you fill in a contact form) will be encrypted using a unique key. In this instance the browser will show a secure padlock icon. The encrypted information cannot be intercepted by hackers or read. In fact, the chances of them being able to unscramble your information is literally billions to one against.
All this sounds great and we do encourage most clients to have https/SSL for their websites as it adds re-assurance to site visitors, removes any warning messages from browsers and search engines and is generally a good thing, but there are some important points to remember:
- A website with SSL is not necessarily secure - The reason for this is that SSL protects the information in transit but your data can still be stored in a database on the web server and that may not be 100% secure. It is also possible for websites to contain malicious code or use crafty techniques such as iframes that show content from another website within a page.
- A website without SSL is not necessarily a risk - If the website is not collecting any information from you and is largely static there is no data being passed from you to the web serve that needs to be encrypted.
- Some browsers will show mixed security messages - This can happen when page assets are linked in from other sources and those sources do not offer https. This is not necessary a risk for things like images though.
- An SSL certificate is not the magic bullet of security - There are many other aspects to website security and it is a subject too large to cover here. We build all websites with security in mind and have many websites that are routinely scanned using penetration testing methods. Please be sure that your website agency are aware of the need to implement other security measures and in particular off-the-shelf CMS systems such as Wordpress need to be patched and updated regularly as they are continually breached and exploited by hackers.
SSL certificates are relatively inexpensive and can be added to all of our hosting packages for peace of mind. Please contact us for further information.
Posted: August 2021