Secure Sockets Layer (SSL) protocol and its successor Transport Layer Security (TLS) protocol secure connections between web servers and browsers. If a company’s website requests sensitive data such as credit card information, then SSL/TLS certificate is a must. Especially, e-commerce websites use SSL/TLS to encrypt such information.
Do I need an SSL/TLS?
SSL/TLS has become almost mandatory for many companies’ websites, especially in Europe thanks to GDPR (we will come to that in a bit). If your website has one of the following features, you definitely need an SSL/TLS certificate.
- E-commerce site that collects credit card information. If you use a 3rd party payment processor, then you may not need an SSL/TLS, but you have to make sure that 3rd party has it.
- Any login information required. If your website a login feature asking for e-mail address or username with a password, an attacker can clearly see these credentials in clear text in the absence of SSL/TLS certificate.
If your website does not have any of these features, you may think that you do not need an SSL/TLS. Well, think twice. Because Google now flags websites as safe and not safe based on SSL/TLS absence. If you do not have an SSL/TLS certificate, then outside world will see you as a unsecure website and people will be reluctant to visit it. If you care about brand reputation, SSL/TLS certificate is something to consider. From now on, it is not just a HTTP vs. HTTPS look, but it is “Secure” vs. “Not Secure” look. Having an SSL will positively affects ranking in Google search.
What is GDPR’s take on SSL/TLS?
Europe Union’s General Data Protection Regulation (GDPR) has recently become effective. The regulation clearly states that websites that collect any personal information (even with contact forms) are obligated to secure the collected data. GDPR does not explicitly make SSL/TLS use mandatory, but some requirements can not be met in any other way. Article 32 states that;
“…the [data] controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
the pseudonymisation and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;…”
In other words, it implicitly states that, to make sure your website GDPR compliant, you need to take state-of-the-art measures to secure collected data. SSL/TLS is the de facto method to do so. You can find more information about GDPR-compliance of a website here.
Is my website secure enough when I have an SSL certificate?
Unfortunately, having an SSL certificate is only the first step to be secure. Either you get your own certificate or use a shared certificate, but at the end you should check certain configurations and vulnerabilities. Some vulnerabilities such as HeartBleed, a vulnerability in OpenSSL, are quite harmful. For example, an Heartbleed attacker can steal certificates, usernames and passwords, instant messages, e-mails, business critical documents and communication without using any privileged information or credentials and without leaving a trace.
SSL/TLS configurations and vulnerabilities are provided by several third-party online services. The results come from various online SSL grading services like Qualys SSL Labs scanner, HTBridge, Mozilla Website Observatory etc. Checking all these SSL/TLS grading services and conversion of these raw data to intel would be too much for a certain company, especially for large companies that have thousands of assets and work with many third party vendors.
Black Kite Cyber Risk Scorecard provides a comprehensive SSL grading and measures the strength of SSL/TLS with an easy-to-understand letter grade. Grading is done by four steps;
- Look at a certificate to verify that it is valid and trusted
- Inspect server configuration in three categories: (a) Protocol support (b) Key exchange support (c) Cipher support
- Combine the category scores into an overall score
- Apply a series of vulnerability checks including but not limited to HeartBleed, LogJam, POODLE, FREAK, BEAST etc.
Black Kite recently conducted a survey, which reviews trends and insights from Cyber Risk Scorecard key data points that include detailed external security risk data from cyber risk scoring for 5,217 organizations across multiple industries and over one million active assets on the Internet, including web and network devices. The strength of SSL/TSL configurations for 5000+ websites and applications owned by organizations in the study are investigated. It seems that one in five organizations received a D or lower score.
Black Kite Cyber Risk Scorecard provides easy-to-understand letter grades for 20 categories (including SSL/TLS Strength) and the table below shows average grades for different industrial categories. In the sense of SSL/TLS strength, Companies in Education and Healthcare have the highest risk with a grade of C+, a grade which shows that beginner-to-average hackers can practice their skills.
6 simple steps to increase your SSL/TLS strength
There are six simple steps that will makes your website more secure with SSL/TLS;
- Only support strong protocols (TLS protocols – TLS 1.1 and TLS 1.2)
- Use ephemeral key exchanges (Perfect Forward Secrecy – PFS)
- Only support strong cryptographic ciphers
- Support TLS-PSK and TLS-SRP for mutual authentication
- Only support secure renegotiations
- Disable compression
Black Kite’s non-intrusive Cyber Risk Scorecard can discover all the assets of a company by using only its domain name, determine the domains with SSL/TLS certificates, and check validity and trustworthiness, configurations, and vulnerabilities on SSL/TLS used. To act now and learn your cyber risk score on SSL/TLS Strength among other categories, visit www.blackkite.wpengine.com.