by Sophia Meral Chapar, Solia Special Projects-
Site security consists of a few different pieces. One necessary element is to harden the website itself against those who try to gain unauthorized entry. Another key element is to protect the communications between the user and the website. I address that second piece here.
Recall that unless steps are taken to encrypt the data stream, the information a person types into their browser and then transmits over the Internet is sent “in the clear,” that is, as readable text. The packets can be intercepted by someone who positions himself between the user and the destination, reassembled and reviewed. The risk is most real when users are on open public WiFi: anyone on the same network with an ordinary laptop and packet-capture software can intercept that traffic with little effort. The protective measure is to encrypt the data exchanged between the user and the site.
In some cases, the potential for interception is just not that big a deal. Consider a website that primarily offers information to a visitor but does not process visitor-entered data or offer special access via a login. If a website for a local restaurant just shows hours, menus, photos and a calendar, that site is not soliciting private data. Almost nothing the user does there risks disclosure of the kind of private data most people really need to protect. Yes, information about the visit can be observed, such as the visitor’s IP address, the language of the client’s system and the browser used, but if the activity is otherwise legal, most people accept this. The user is simply reading, and is generally not transmitting information for which confidentiality matters much. One caveat even here: encryption also protects integrity. Whoever can read an unencrypted page in transit can also alter it before it reaches the visitor, so a plain-HTTP site can be made to show content, links or scripts its owner never published.
If, alternatively, a visitor is seeking to purchase a product with a credit card, the need for an encrypted connection is obvious. Encryption is accomplished by installing a “Secure Sockets Layer” or “SSL” certificate on the web server (the protocol itself has since been replaced by TLS, but the certificates are still commonly called SSL certificates). The certificate contains the server’s public key and is signed by a certificate authority the browser trusts. It does two important things. First, it allows the client to authenticate the server’s identity: the browser checks that the certificate was issued by a trusted authority, that it has not expired, and that it was issued for the site name the user actually typed. Second, once the server has been authenticated, the key in the certificate lets the client and server agree on a session key and encrypt everything they exchange for the remainder of the session. The whole process is seamless to the user.
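The identity check just described is the part of SSL that is easiest to get wrong, so here is an added example of what a client actually verifies before it trusts a certificate. This is illustrative code written for this article, not code from the original post or from Solia. It works on a certificate dictionary in the shape Python’s `ssl.SSLSocket.getpeercert()` returns; the sample certificate for `example.com` is constructed for the example and is not a real certificate, and the function names are our own. The chain-of-trust check (was the certificate signed by a trusted authority?) is left to the `ssl` module, which already does it when `check_live_server` connects to a real site; the name and validity-period checks are spelled out so you can see what they involve.

```python
"""Added example (not from the original article): the checks a TLS client
performs to decide that a server's certificate really identifies the server.

Chain validation against the system CA store is done by the ssl module in
check_live_server(); hostname matching and the validity period are shown
explicitly on a getpeercert()-style dictionary.
"""
import socket
import ssl
import time
from typing import Optional

# Constructed sample in the shape returned by getpeercert(). Assumption for
# the example: the certificate was issued for example.com and *.example.com.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one subjectAltName DNS entry against a hostname.

    Simplified RFC 6125 rule: a wildcard is allowed only as the whole
    leftmost label and covers exactly one label, so *.example.com matches
    shop.example.com but not a.b.example.com or the bare example.com.
    """
    pattern = pattern.lower()
    hostname = hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        if not hostname.endswith(suffix) or len(hostname) <= len(suffix):
            return False
        return "." not in hostname[: -len(suffix)]
    return pattern == hostname


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if any DNS subjectAltName covers hostname.

    Browsers ignore the commonName field for this decision, so this does too.
    """
    return any(
        kind == "DNS" and _dns_name_matches(value, hostname)
        for kind, value in cert.get("subjectAltName", ())
    )


def cert_is_current(cert: dict, now_ts: Optional[float] = None) -> bool:
    """True if the time now_ts (Unix seconds, default: now) lies inside the
    certificate's notBefore..notAfter window."""
    if now_ts is None:
        now_ts = time.time()
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now_ts <= not_after


def verify_identity(cert: dict, hostname: str, now_ts: Optional[float] = None) -> list:
    """Return the list of problems found; an empty list means the certificate
    identifies the server for this hostname at this time."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append(f"certificate is not issued for {hostname}")
    if not cert_is_current(cert, now_ts):
        problems.append("certificate is outside its validity period")
    return problems


def check_live_server(hostname: str, port: int = 443) -> list:
    """Connect to a real server (needs network access).

    create_default_context() makes the ssl module validate the chain of
    trust and the hostname during the handshake; the explicit checks above
    are then repeated on the certificate the peer presented.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return verify_identity(tls.getpeercert(), hostname)


if __name__ == "__main__":
    in_window = 1_750_000_000  # mid-2025, inside the sample validity period
    print(verify_identity(SAMPLE_CERT, "www.example.com", in_window))  # []
    print(verify_identity(SAMPLE_CERT, "example.org", in_window))
```

Running the file prints an empty list for `www.example.com` and a name mismatch for `example.org`; `check_live_server("example.com")` performs the same checks against a real site, with the `ssl` module raising an exception if the chain of trust does not validate.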
The websites we at Solia Medial develop are, by default, not configured with SSL certificates. So, when should SSL be used? In our view, as a minimum, any time a site processes visitor logins for membership or for commerce. On our web commerce sites, nearly all financial transactions are handled by third-party payment processors such as PayPal or Authorize.net. In such a case the client logs in, chooses their products, and upon checkout is redirected to the processor. The payment processor uses SSL, so even without our own site having SSL, the client’s card details are encrypted on their way to the processor. Two gaps remain, though. The redirect to the processor itself travels over the unencrypted connection, so anyone who can intercept it can also change where it points. And the clients, and indeed the administrators of the site, are routinely logging in, sometimes over public wireless connections. Their login credentials are as valuable as the payment itself and should be encrypted too.
Also, savvy shoppers and other clients now know that they can tell whether a connection is encrypted by looking at the address bar of a modern browser, which shows a padlock for an encrypted connection and, in current versions, labels a plain-HTTP page as “Not secure.” Some of them abandon their visit if they see that warning.
SSL can be implemented for about $75 per year. That’s a good investment for a site that needs a secure connection. Call us if we can help.