When "S" Stands For Secure, Web Encryption Still Has Drawbacks For Average Users

Your data is valuable, and that is the main, and indeed the only, reason people are eager to have it. As a webmaster, you should provide the best security you can, or at the very least some security option, for your users. Your users may not want your protection, but in fact they need it.

The average website visitor knows how to protect themselves on the web: for example, by not entering private information in forms, not posting anything offensive, and sharing their email address only with those they respect and trust. But not everyone knows that.

It is only a matter of time before users who pass along tremendous amounts of information reveal something sensitive. If you are the one they trust and respect, their private information should be safe with you. With hackers and third parties, it isn't.

Sensitive information passes back and forth over the internet through LANs (Local Area Networks), VPNs (Virtual Private Networks) and other channels. What stops hackers and information thieves from tapping that sensitive information is encrypting it, better known as using SSL (Secure Sockets Layer).

At the very least, SSL can protect:

  • User identities, such as username and password credentials.
  • Sensitive information about purchases and payment methods, such as credit cards and other methods of online consumer purchase.
  • Financial and health information that should be kept secret to the person involved.
  • Social security numbers and other sensitive information that can be traced to the user.
  • Corporate information that is passed from one branch or division to another.
  • Etc.

SSL protects such sensitive data by using a Certificate to provide a secured connection with a server. The process includes:

  1. A client (the user's browser) requests an SSL connection.
  2. The server sends a Certificate.
  3. The client validates the Certificate, creates a session key, and encrypts the session key with the public key from the Certificate.
  4. The server decrypts the session key and establishes an encrypted connection.

Once a secured connection is established, it is the Certificate the server sent that makes the whole secured transaction work. The Certificate contains the common name of the server, making it impossible to use it on other servers. It also uses a pair of keys, one public and one private, to create and verify a secured connection.

Encryption Drawback For Average Users

HTTPS

Getting a website secured is not difficult, and doing it will give a lot of security to both yourself and your users. However, there are some downsides you need to know before using it.

The first is speed. Using SSL to secure every page that you create can be a bad practice. Most of your pages may contain images, videos, text and other sorts of data. Making all of it load fast and easily on your website might already be a problem for you. Encrypting it will just make things worse.

To initiate and process a secured information transaction, both parties must do extra work exchanging handshakes and encrypting and decrypting the messages. This form of communication makes things slower than the usual non-encrypted method.

Performance tests have revealed that using SSL between the agent and the runtime server can increase network traffic to up to three times as much. This in turn reduces the speed at which the runtime server responds to agent requests by two to ten times. Although all of this extra work is actually done by the web server, your visitors' computers and mobile devices can also feel the impact through the other activities that the runtime server is performing.

If you encrypt all of your pages, you can make most of your visitors impatient, and they will bounce to another website they see as better (faster). As a good rule, use encryption only on those pages where it is necessary, and try to consolidate encryption needs into as few pages as possible.

The next disadvantage is setting it up. Setting up HTTPS is complicated and error-prone, particularly if you have only the slightest idea of how internet communication protocols work. To make the whole setup work, you also need to deal with Certificate authorities. After you have SSL enabled, maintaining it is the next thing that should come to mind.

Using HTTPS for your website can also be expensive, despite the fact that the technology SSL is based on is open-source and freely available to everyone. This, in fact, can be a major drawback for some people.

Most if not all web hosting companies have SSL ready to use, but they usually charge extra money each month. Additionally, websites that use HTTPS can't embed content from websites that don't.
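
The embedding restriction above can be checked before a site is switched to HTTPS. The following is an added example, not code from the original article: it lists the http:// subresources an HTTPS page would try to embed, and the page URL, host names and sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs whose URL the browser fetches as part of the page.
SUBRESOURCE_ATTRS = {
    ("script", "src"), ("img", "src"), ("iframe", "src"), ("audio", "src"),
    ("video", "src"), ("source", "src"), ("embed", "src"), ("object", "data"),
    ("link", "href")}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # <link> loads a subresource only for some rel values; check stylesheets.
        rel = (dict(attrs).get("rel") or "").lower()
        if tag == "link" and "stylesheet" not in rel:
            return
        for name, value in attrs:
            if value and (tag, name) in SUBRESOURCE_ATTRS:
                # urljoin resolves relative and protocol-relative (//host) URLs.
                target = urljoin(self.page_url, value.strip())
                if urlsplit(target).scheme == "http":
                    self.hits.append((tag, target))

def find_mixed_content(page_url, html):
    """List (tag, url) for each http:// subresource on an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.hits

# Constructed sample page; every host name here is a placeholder.
SAMPLE_PAGE_URL = "https://shop.example.com/checkout"
SAMPLE_HTML = """
<link rel="stylesheet" href="http://static.example.net/site.css">
<link rel="canonical" href="http://shop.example.com/checkout">
<script src="//cdn.example.net/app.js"></script>
<img src="http://images.example.net/logo.png">
<img src="/local.png">
<a href="http://other.example.org/">plain link, not an embed</a>
<iframe src="http://video.example.net/embed/1"></iframe>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"<{tag}> loads {url}")
```

Ordinary links and protocol-relative URLs are not reported, because neither makes the HTTPS page load anything over plain HTTP.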


While SSL on paper should be enough to secure a web page, you should be aware that it can be dangerous to allow inbound SSL traffic to pass directly to your server. Hackers can use SSL to encrypt their attack traffic, making it even more difficult to trace. A way to inspect this kind of traffic while maintaining privacy is to use an application-layer firewall.

Another drawback is that SSL connections will let old software or a misconfigured server choose an encryption method that can be broken. If you're using an insecure cipher, you might not even know it, since, as long as the connection is made over SSL, the web browser will still say it's secured.
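
Because the browser does not reveal which cipher was chosen, the negotiated parameters have to be checked separately. The following is an added example, not code from the original article: `audit` flags deprecated protocol versions and weak cipher-suite names, `probe` reads them from a live connection with Python's standard `ssl` module, and the sample tuples are constructed.

```python
import re
import socket
import ssl

# Protocol versions that are deprecated.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Tokens in OpenSSL cipher-suite names that mark a weak, legacy or missing primitive.
WEAK_TOKENS = {
    "NULL": "no encryption at all",
    "EXP": "export-grade key length",
    "RC4": "RC4 stream cipher",
    "DES": "DES or 3DES block cipher",
    "MD5": "legacy MD5-based MAC",
    "ADH": "anonymous key exchange (no certificate check)",
}

def audit(version, cipher_name, secret_bits):
    """Return findings for one negotiated connection; an empty list means none."""
    findings = []
    if version in WEAK_PROTOCOLS:
        findings.append(f"protocol {version} is deprecated")
    tokens = set(re.split(r"[-_]", cipher_name.upper()))
    for token, why in WEAK_TOKENS.items():
        if token in tokens:
            findings.append(f"{cipher_name}: {why}")
    if secret_bits < 128:
        findings.append(f"{cipher_name}: only {secret_bits} secret bits")
    return findings

def probe(host, port=443, timeout=5.0):
    """Connect and return (version, cipher name, secret bits) as negotiated.
    A current Python/OpenSSL client refuses most weak suites, so this shows
    what this client gets, not the weakest option the server would accept."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            return tls.version(), name, bits

# Constructed samples in the (version, name, bits) shape that probe() returns.
SAMPLES = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384", 256),
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", 128),
    ("TLSv1", "DES-CBC3-SHA", 112),
    ("SSLv3", "RC4-MD5", 128),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit(*sample) or "no known-weak choice")
```

To check a server you operate, pass the result of `probe("your.host.example")` to `audit`; the host name is a placeholder.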

So before you implement a secured connection on your website, first examine the type of data you need to communicate. Look at the security measures you might already have in place (e.g. proxy servers, enterprise firewalls, or others), and then evaluate whether you need this level of security.

Finally, SSL is just one solution, and it is only a partial answer to data security. Even if everything works perfectly with your SSL connection, the data could still be compromised on either end. For example, if your users send their credit card data to you over SSL but your server isn't secure, hackers can still compromise the data and steal it. These data breaches happen relatively frequently. At times, SSL can give you a dangerous false sense of security.

But if you think about it, the disadvantages are few compared to the benefits. If your website needs security, particularly when users need to give personal information, using SSL as a solution could be the best answer.
