As long as your website is functioning normally, you may not spend a lot of time thinking about its security configuration. Why fix what isn’t broken, right? Well, there are of course good reasons.
First and foremost, getting hit by a major hack is a time-consuming and expensive thing to fix, can cause corruption or loss of your web files or data, and puts a smear on your very public face – your website.
Taking a few steps in advance will help you avoid future problems.
Big changes to the way you need to secure your site
Most people who think about securing their site think about it in terms of some pretty cut-and-dry concepts.
- Is my software up to date?
- Do I have encryption enabled and enforced?
Those are great, but sometimes security is more nuanced.
TLS (aka Transport Layer Security) is the protocol that establishes an encrypted connection between a web server and a browser. You may know it by its former name, SSL or Secure Sockets Layer (many people continue to call it this).
Either way, this is what puts the “S” in your website URL, transforming “HTTP” into “HTTPS”.
You’ve probably already heard that search engines like Google are downgrading results for sites that don’t use HTTPS.
For that reason alone, you should update. But to really have your site secure, you’ll want to go a step or two further.
As you may have guessed from the fact that SSL became TLS, there have been several versions of the underlying protocol that handles encryption.
At the time of this writing, there are the following versions: SSL1, SSL2, SSL3, TLS1.0, TLS1.1, TLS1.2, and TLS1.3 (Phew!). And many of these have been around and functioning for a LONG time.
TLS1.2, for example, which is the current recommendation, was defined ten years ago. TLS1.3 is new in 2018 and still a draft.
For now, you should consider TLS1.2 the way to go, since it’s the current mature version.
(No idea what you’re running and how safe you might be? Try out the Qualys SSL Labs server test.)
But are there drawbacks to going with just TLS1.2? Sadly, yes – old browsers.
If your audience is using a modern, up-to-date browser there will be no problem, but users on outdated browsers will not be able to connect over TLS1.2 at all.
This is true of all browsers, but most browsers automatically update themselves these days. However, there are those folks who simply won’t give up on Internet Explorer 10 or earlier. For them, TLS1.2 will be a no-go.
What do you do if that’s your audience? Ideally, ask them to update, but if you’re not running a commerce site, you can enable TLS1.0, TLS1.1, and TLS1.2 together for some broader backward compatibility without an issue.
(Commerce sites – pay attention to the stipulations of your payment processor, who likely has strict rules about which version you can use.)
So once I have TLS enabled, I’m all set, right?
In addition to the protocol versions you allow, you need to make sure that the library used to handle secure communications is up to date. On Linux systems, that normally means OpenSSL.
Keep it current, so that known vulnerabilities in the library itself aren’t putting a gaping hole in the middle of an otherwise secure setup.
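If you want to see for yourself which TLS versions your server actually negotiates (the question the SSL Labs test answers) and whether the OpenSSL your tooling is built against is recent, the script below does both. It is an added example for this post, not code from the post or from any of the vendors mentioned; it uses only the Python standard library. The hostname is supplied on the command line, and the “at least 1.1.1” baseline in the main block is an assumed value for illustration, not a recommendation from the post.

```python
"""Probe which TLS protocol versions a server accepts, and check that the local
OpenSSL build is recent enough.  Added example for this post; it is not the
post's own code and uses only the Python standard library."""
import re
import socket
import ssl
import sys
from dataclasses import dataclass

# Protocol versions named in the post, in the order they were defined.
# SSL 2/3 cannot be negotiated by a modern ssl module, so they are not probed.
PROBE_VERSIONS = (
    ("TLS1.0", ssl.TLSVersion.TLSv1),
    ("TLS1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS1.3", ssl.TLSVersion.TLSv1_3),
)


@dataclass
class ProbeResult:
    version: str
    supported: bool
    detail: str  # negotiated protocol/cipher on success, error text on failure


def context_for(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context pinned to exactly one protocol version.

    Certificate validation stays on: the point is to learn what a real browser
    would negotiate, so the handshake must also pass the checks a browser does."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe_tls_versions(host: str, port: int = 443, timeout: float = 5.0) -> list[ProbeResult]:
    """Attempt one handshake per version; a failed handshake means 'not offered'.

    Caveat: a version can also show as unsupported because the *local* OpenSSL
    refuses to speak it (OpenSSL 3 disables TLS 1.0/1.1 at its default security
    level), so read a 'no' together with its detail text."""
    results: list[ProbeResult] = []
    for name, version in PROBE_VERSIONS:
        try:
            ctx = context_for(version)
        except (ValueError, OSError) as exc:  # local build cannot even configure it
            results.append(ProbeResult(name, False, f"local: {exc}"))
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    cipher = tls.cipher()
                    suite = cipher[0] if cipher else "?"
                    results.append(ProbeResult(name, True, f"{tls.version()} {suite}"))
        except OSError as exc:  # ssl.SSLError, ConnectionRefusedError, timeout ...
            results.append(ProbeResult(name, False, str(exc)))
    return results


# Matches "OpenSSL 1.0.2g  1 Mar 2016", "OpenSSL 3.0.2 15 Mar 2022", "LibreSSL 2.8.3".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def openssl_version_tuple(banner: str) -> tuple[int, int, int, str]:
    """Parse a library version banner into a comparable tuple.

    Pre-3.0 OpenSSL used a patch letter (1.0.2g < 1.0.2k); an empty letter sorts
    before any letter, which matches how those releases were numbered."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {banner!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])


def openssl_at_least(banner: str, minimum: tuple[int, int, int, str]) -> bool:
    return openssl_version_tuple(banner) >= minimum


def local_openssl_at_least(minimum: tuple[int, int, int, str]) -> bool:
    """Check the OpenSSL this Python interpreter was built against."""
    return openssl_at_least(ssl.OPENSSL_VERSION, minimum)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} HOSTNAME [PORT]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"local library: {ssl.OPENSSL_VERSION}")
    # Baseline is an assumption for this example; use your distro's patched release.
    print("  at least 1.1.1:", local_openssl_at_least((1, 1, 1, "")))
    for r in probe_tls_versions(host, port):
        print(f"{r.version:7} {'yes' if r.supported else 'no':3}  {r.detail}")
```

Run it against your own hostname; a healthy result for the setup the post recommends is “no” for TLS1.0 and TLS1.1 and “yes” for TLS1.2 (and TLS1.3 where your server supports it). Note that the local-library check only tells you about the OpenSSL behind this Python interpreter; check the web server’s own linked library (for example with `openssl version` on the server) separately.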
What do I do if I haven’t done any of this and my website is still running on regular old HTTP?
Well, now’s the time to update, and the good news is that you have great options.
Sure, you can buy a certificate from one of the top providers like Digicert, but those can get expensive, especially if you handle a lot of domains. (Plus, even the “big names” can run into trouble! In 2017, Google dropped Symantec for violations of the trust process, knocking out huge numbers of existing security certificates.)
Another option is to use Let’s Encrypt. The name sounds kind of cheesy, but Let’s Encrypt – formed only 2 years ago – is completely geared around trying to make the entire Internet secure on TLS without cost.
And they’ve worked to make their process simple and easy to understand for server administrators.
If you’re still running on regular HTTP and want to better secure your site and keep your visibility with search engines, drop us a line and we can help get you on the right version of TLS quickly.