Did you know that HubSpot found in a recent survey that 82% of respondents would not browse a website if their web browser reported a security issue?
Oftentimes, this is related to how Secure Sockets Layer (SSL) is set up. Yet many companies continue to fail at implementing and using SSL properly. Here are some common myths that business leaders may still believe about SSL.
SSL Myth #1 – If SSL is enabled, then every visitor will automatically be secure.
SSL secures only the transport. Traffic must also be forced over SSL; otherwise you can end up with both SSL and non-SSL sites, mixed content warnings and users being blocked by browser restrictions. SSL also does nothing about other security concerns (open ports, server OS hardening, SQL injection, XSS, etc.). Bad but widely used “web testing tools” like the website grader – ironically a service of HubSpot – perpetuate this myth.
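A sketch of how the two failure modes above can be checked, as an added example that is not from the original article: one function flags subresources an HTTPS page still loads over plain HTTP, the other tests whether a response to a plain-HTTP request forces the visitor onto HTTPS. The hostnames, the sample page and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Insecure loads of these tags are "active" mixed content, which browsers block;
# insecure images and media are "passive" and usually produce a warning instead.
ACTIVE = {"script", "iframe", "link", "object", "embed"}
SUBRESOURCE_TAGS = ACTIVE | {"img", "audio", "video", "source"}

# Constructed sample page, assumed to be served from https://www.example.test/
SAMPLE_HTML = """<head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="http://static.example.test/logo.png">
<img src="/images/banner.png">
<a href="http://partner.example.test/">Partner</a>
</body>"""


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag not in SUBRESOURCE_TAGS:
            return  # plain links (<a href>) are navigation, not mixed content
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name in ("src", "href", "data"):
            # Resolve relative and protocol-relative URLs against the page URL.
            absolute = urljoin(self.page_url, attrs.get(name) or "")
            if attrs.get(name) and urlparse(absolute).scheme == "http":
                kind = "active" if tag in ACTIVE else "passive"
                self.findings.append((kind, tag, absolute))


def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


def forces_https(status, headers):
    # True only if the plain-HTTP response redirects to an https:// URL.
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    return status in (301, 302, 307, 308) and location.lower().startswith("https://")
```
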
SSL Myth #2 – All SSL certificates are the same.
There are actually different types – domain validated, organization validated and extended validation certificates. Domain validated is the most common and the easiest to obtain, especially with free services like Let’s Encrypt. Server configs may also need to be updated for any number of reasons, such as support for old ciphers and protocols. Maybe you’ve heard of Heartbleed, POODLE, CRIME, etc.?
SSL Myth #3 – My technology team keeps the technology up to date.
Unless this is part of their mandate, they may just be monitoring or installing patches when they get to them. Check your service level agreements with internal or external teams. Proactive monitoring and management may not be given the appropriate level of attention, and may instead be managed by exception.
SSL Myth #4 – I don’t need SSL for my website unless I’m selling something online.
Well, if you care about SEO, this is incorrect. Google has started progressively penalizing sites that don’t use SSL in both its search results and its Chrome web browser (maybe you’ve seen the red X?). Over time, SSL sites will be given the nod over their non-SSL competitors. In addition, most sites at least have a portal login or contact form. You don’t really think that should be used without SSL, do you?
SSL Myth #5 – SSL slows down my website.
With HTTP/2, the speed difference is negligible. This is because it multiplexes, using one connection for multiple request and response messages at once. Also, header compression and server push allow both real and perceived benefits to load times.