Web sites have been using SSL technology for years to ensure their security, and the certificates and their uses are well understood. SSL that only protects users at login, however, leaves them vulnerable when they're spending time on your Web site.
"SSL," says LAWtrust Certificate service manager Megan Rehbock, "is like a safety belt for secure Web sites and it should always be on across your entire Web site to protect your users with persistent security from login to logout - be it via Web browser, mobile device, e-mail client or other Internet applications."
Always-on SSL is an essential and cost-effective measure that provides end-to-end protection for Web site visitors from start to finish, making it safer to work, socialise and shop online, she says. Always-on SSL encrypts all information shared between a user and machine, including all pages and cookies. It is not a product, service or replacement for your existing SSL certificate, but rather an approach to security that recognises the need to protect the entire user session, and not just the login screen or home-page.
Recognising the importance of persistent protection and working hard to provide users with a secure experience across their platforms, some of the world's largest and trusted Web sites, including Facebook, Google, PayPal and Twitter, have adopted always-on SSL and are using HTTPS to encrypt all communications transferred across their Web site. Facebook users no longer have to think about connecting securely, the decision has been taken out of the user's hands and the application automatically redirects the connection to https, thus encrypting the connection and ensuring data is transmitted securely.
Persistent HTTPS throughout your site and always-on SSL is not difficult to implement. Here are a few tips:
* Scan for and replace all instances of "http" with "https" on your Web site.
* Remove mixed content - ensure all content displayed on your Web site originates from HTTPS links. HTTP references could compromise the security of your site.
* Only allow HTTPS connections to your secure Web site.
* Set your cookie flags to "secure".
* Enhance security and trust with Extended Validation SSL Certificates.
* Never use self-signed SSL certificates, only use certificates issued by a trusted certificate authority (CA).
* Disable null ciphers, short bit lengths and SSL version 2.
* Make sure that your CA signs and issues your certificate using SHA-2 hashing algorithms.
Vulnerabilities such as session hijacking, side-jacking, and man-in-the-middle attacks are some of the risks you expose users to if you do not implement always-on SSL. Implementing always-on SSL will help give users the assurance that you take their security and privacy seriously, and that you are taking reasonable steps to protect their identities and private information.
Share
LAWtrust
LAWtrust is a specialist security solutions provider that builds trust in information systems through establishing authenticity, accountability and privacy in data messages. It focuses on applying digital signatures and positive identity to business processes, saving time, lowering costs and reducing risk for businesses.
LAWtrust operates the only WebTrust certified Trust Centre in Africa, is included in both the Adobe and Microsoft Trust Lists as a Trusted Root Certificate Authority and was the first accredited authentication service provider under the ECT Act to provide Advanced Electronic Signatures. http://www.lawtrust.co.za
Editorial contacts