In the coming months, there will be many changes regarding website hosting and security. If you and your web host are not prepared, your company runs the risk of several issues including (but not limited to) failing PCI scans resulting in bank fees and your site being marked as insecure to all its visitors. Is your website prepared?
Is Your Site Secure?
When you purchase something at a store, would you write your credit card number down on a piece of paper and hand it to the cashier? If left out in the open, anybody that sees it would be able to steal your credit card. To prevent that “leakage” of information from your customers, websites use SSL (Secure Sockets Layer) certificates. When your site is secured with an SSL certificate, the information entered by your visitors is unreadable (encrypted) to everyone except the server you are sending the information to.
There are many ways to obtain an SSL certificate for your website, some free, some paid. To determine which is best for your business you need to consider a few facts. While technically “free”, companies who offer free certificates, like Let’s Encrypt, are only good for a few months at a time. When they expire, they need to be renewed and replaced. They also require some technical knowledge and cooperation from your hosting company in order to install them on your website. A domain validated, paid certificate can be purchased for $99/year or less depending on the vendor and term. They also provide limited liability protection in case of some data breaches, and usually last between 1 and 2 years before needing renewed. Paid certificates can also have higher levels of validation that more strongly vet your company and show as more authoritative in web browsers.
Disabling of TLS 1.0, 1.1
When you need to blow your nose, you might ask for a Kleenex. It’s really a tissue, but the brand is so strong the two words are synonymous. Technically, SSL certificates are actually TLS (Transport Layer Security) certificates. SSL references an older, insecure technology, but the term has stuck so most people call them SSL certificates. SSL was replaced with what was called TLS v1.0. Other versions of TLS have evolved over the years including v1.1 and v1.2. Like SSL, TLS 1.0 and TLS 1.1 are now considered insecure because there are vulnerabilities, some theoretical, some real world for those versions that could lead to data exposure.
Several years ago, and several large data breaches later, The Payment Card Industry Security Standards Council (PCI SSC), decided that any web server running the older SSL and TLS protocols would be considered insecure and they would raise a business's rates and charge fines if they didn’t remove their support. After several extensions and finally the development of the PCI 3.1 standard, a hard limit of June 30, 2018 was set. If your web host still supports those protocols and you take credit cards online, you run the risk of being fined for not being PCI compliant. You can test your website at https://www.ssllabs.com/ssltest/ to determine how well your web host stacks up against others.
If they are so much trouble, why not just turn off these vulnerable protocols and go with the latest and greatest, TLS 1.2? Unfortunately, it depends on the visitors to your website. Early versions of every web browser, including Chrome and Firefox, did NOT support TLS 1.1 or TLS 1.2. Some such as Internet Explorer 6 didn’t even support TLS 1.0. This means that if your web hosting company turns off support for TLS 1.0 on their servers, customers who use these browsers won’t be able to connect to your website to look at your company or purchase your products.
That’s ok, if every website is requiring this, customers can just upgrade to a newer web browser, right? Unfortunately, what makes the situation worse is that if they used an older operating system such as Windows XP, TLS was not enabled out of the box. Those systems require patches and upgrades to be allowed to use the newer browsers.
Yes, but nobody uses Windows XP, Vista, or Internet Explorer anymore, right? As a web developer, I wish that were the case. Unfortunately, many government agencies and older businesses still run on Windows XP. If your business has a government contract, you might not be able to remove those protocols even though your website might start failing PCI compliance scans because they are enabled. Fix one problem, cause another…
Google As A Factor Forcing HTTPS
We all know Google has been the dominant search engine on the Internet. Because of their market share, they have been able to push for companies to install SSL certificates on their websites. Google noted that it can protect the integrity of your website by protecting the data as it travels back and forth between your visitor and your website. They also point out that it protects the privacy and security of your users by encrypting all data instead of just sensitive data. Most importantly, Google has started using it as a ranking indicator giving preference to websites communicating over HTTPS (HTTP over TLS). That means that if all things were equal and your competitor uses an SSL certificate and your website doesn’t, your competitor will rank higher in search results.
Websites Branded as InSecure
Another of Google’s initiatives was developing the Chrome web browser. Chrome quickly gained market share because it was fast and worked well. Once they had a strong user base, Google was able to push some of their initiatives easier. In January 2017, Chrome started flagging websites that requested information from their visitors without the presence of an SSL certificate. End users would see the following:
At the time, this only affected sites that had forms on their website that collected login/password information or credit cards. Starting with Chrome 68, which will be released in July 2018, that changes. With version 68, any website that communicates over HTTP only (meaning no SSL certificate) will be marked as “not secure” in the address bar of Chrome. It’s expected that other browsers such as Firefox, Edge and Safari will follow suit.
How Can IDMI.Net Help
With the coming changes to browser security, IDMI.Net highly recommends that all websites deploy an SSL certificate so they can communicate over HTTPS. The benefits of potential search engine ranking boosts, secured communications with customers and not having customers see your website as “insecure” greatly outweigh the drawbacks of $100/yr for the SSL certificate.
At IDMI.Net, we do not employ Free certificate solutions, because the technical support required to deploy them usually ends up costing more than to purchase a domain validated (DV) certificate from a trusted certificate provider such as Comodo for one or two years. We also offer Organization Validation (OV), Extended Validation (EV) and wildcard certificates upon request.
By July 2018, all our web servers will also have removed support for TLS 1.0 and TLS 1.1 so that our customers will be able to pass PCI compliance scans. We will still offer servers for customers that require TLS 1.0 to support certain scenarios, but we consider that to be the exception moving forward.