Megan Rehbock, LAWtrust Certificate service manager
Websites have been using SSL technology for years to ensure their security, and the certificates and their uses are well understood. SSL that only protects users at login, however, leaves them vulnerable when they're spending time on your Web site.
"SSL," says LAWtrust Certificate service manager Megan Rehbock, "is like a safety belt for secure websites and it should always be on across your entire website to protect your users with persistent security from login to logout – be it via Web browser, mobile device, e-mail client or other Internet applications."
Always-on SSL is an essential and cost-effective measure that provides end-to-end protection for website visitors from start to finish, making it safer to work, socialise and shop online, she says. Always-on SSL encrypts all information shared between a user and machine, including all pages and cookies. It is not a product, service or replacement for your existing SSL certificate, but rather an approach to security that recognises the need to protect the entire user session, and not just the login screen or home-page.
Recognising the importance of persistent protection and working hard to provide users with a secure experience across their platforms, some of the world's largest and trusted Web sites, including Facebook, Google, PayPal and Twitter, have adopted always-on SSL and are using HTTPS to encrypt all communications transferred across their website. Facebook users no longer have to think about connecting securely, the decision has been taken out of the user's hands and the application automatically redirects the connection to https, thus encrypting the connection and ensuring data is transmitted securely.
Persistent HTTPS throughout your site and always-on SSL is not difficult to implement. Here are a few tips:
* Scan for and replace all instances of "http" with "https" on your website.
* Remove mixed content – ensure all content displayed on your website originates from HTTPS links. HTTP references could compromise the security of your site.
* Only allow HTTPS connections to your secure website.
* Set your cookie flags to "secure".
* Enhance security and trust with Extended Validation SSL Certificates.
* Never use self-signed SSL certificates, only use certificates issued by a trusted certificate authority (CA).
* Disable null ciphers, short bit lengths and SSL version 2.
* Make sure that your CA signs and issues your certificate using SHA-2 hashing algorithms.
Vulnerabilities such as session hijacking, side-jacking, and man-in-the-middle attacks are some of the risks you expose users to if you do not implement always-on SSL. Implementing always-on SSL will help give users the assurance that you take their security and privacy seriously, and that you are taking reasonable steps to protect their identities and private information.