It’s amazing how quickly an environment can change. That can’t be denied. This post was planned weeks ago, but it’s taken on new urgency in recent days. No overly specific event has directly caused that, just a timeline of peaceful protests, to gag orders, mandating EPA scientific studies, data undergo review by political staff before public release, and the creation of rogue twitter accounts (such as for the National Park Service). Today I’ll cover a bit about security, specifically https and ssl certificates. I’ll cover, at a basic level what they are, and what they aren’t. How to evaluate if they’re helpful for your website and several options for implementing them. I’m also including a list of helpful resources I’ve found. Along the way you’ll find out how as a user of technology how these protocols can help you browse safely and securely.
What does HTTPS do?
Highly simplified, HTTPS helps prevent eavesdropping on the information passed between the server and your web browser by encrypting that traffic. It doesn’t increase the security of the web server. If someone can log in and access the server (or worse gain root/super user access), the most expensive SSL certificate (which signs the Secure part of your HTTPS) won’t help. Let me repeat that, HTTPS is only for the traffic between the web server and the local web browser.
Why is it useful?
Public WiFi is incredibly insecure. It’s really easy to sniff out the traffic that goes back and forth between the web browser and the target web server. Unless your connection is encrypted, someone could find out what you send via email, your credit card information or your search terms.
I heard it’ll affect my search rankings!
If you sell on an ecommerce site, your shopping cart should, at the very least, be secured. Back in 2014 Google started to push to HTTPS Everywhere. While HTTPS may have an impact on where you show up in a search result, you should focus first on content not rankings.
I have a website, how do I get an SSL certificate?
If you only need to secure traffic, I recommend Let’s Encrypt. They’re free! Not all web hosts support Let’s Encrypt yet. This is for a combination of reasons, mostly because suddenly they find people want the free version and they’re getting less money. Some offer their own certificate; I’m testing these and will write a new post when I have better information for hosts that many of my clients commonly choose.
If you need a certificate that is Organization Validated (OV), then it’s best if you talk to your hosting provider. While you can buy certificates elsewhere, it’s definitely much easier to buy through them. The cost of these certificates range greatly, but begin at $29 and average about $120 for simpler certificates. What is OV? It means that you are the organization you say you are, not just someone who has access to the server to install the certificate.
I want to browse the web more securely, but the websites I want to visit aren’t HTTPS!
Fill out the contact form and let them know! Thankfully The Electronic Frontier Foundation has a project to help you out now: HTTPS Everywhere. You can find more details about it on their site.
There’s quite a bit more I could have added to this post (and was included in early drafts). I likely will come back to address many of these topics. However, it’s very easy to be overwhelmed with all the things we need to do in this new climate. This is a start. Please think about how you browse the web. Below you’ll find a few links for more information about how to protect your technology and yourself.
A DIY Guide to Feminist Cybersecurity. This is an incredibly comprehensive guide to everything from providing anonymity to securing your phone and even social engineering and phishing. It is well written, well organized, and useful to read. Do you need to do all of it? No. I don’t think most people reading this post are in a situation where they need full anonymity and amnesia in their technology. This guide definitely provides a comprehensive look into cybersecurity.
The Electronic Frontier Foundation. This is THE group I go to when I need to catch up on news about technology and privacy. They have multiple projects that are helpful, in addition to the HTTPS Everywhere mentioned above there is also Privacy Badger, and several more.
You May Have ‘Nothing to Hide’ But You Still Have Something to Fear – For a long time I honestly wondered “Why bother”? This article from the ACLU very clearly explains how privacy is necessary for a dignified life. Still not convinced? Reread Kafka or Orwell. I’ll be here.