Introducing “Always-on SSL” and Why It Most Likely Is Right for You
The following is a guest post written by Tim Callan, senior fellow at Sectigo (formerly Comodo CA). StackPath partners with Sectigo to provide our CDN and WAF customers with free private SSL certificates. You can learn about the partnership and about StackPath EdgeSSL.
For many years most online businesses have followed a specific strategy with their use of SSL certificates. Though it doesn’t really have a name, we could refer to this strategy as a “Minimum Viable” SSL implementation. In the Minimum Viable approach, a company serves over HTTPS (with an SSL certificate) any page that exchanges confidential information in either direction, and leaves every other page on plain HTTP.
Confidential information includes personally identifiable information (PII), credit card details, personal health information (PHI), business secrets, and basically anything else you wouldn’t want any random stranger to be able to see. The types of pages that companies using the Minimum Viable approach have secured with certificates include things like:
- Shopping carts and purchase pages
- Login pages
- Account pages
- Online services for which the user has to log in
- New account or signup pages containing forms to be filled out
The businesses using Minimum Viable SSL would not include pages containing general information they felt anybody in the world should be able to see. These include home pages, product and service detail pages, company information, blogs, press coverage, and much more.
Until this year Minimum Viable SSL was a perfectly, well, viable approach. However, that is no longer the case. As of now there are highly compelling reasons for businesses to use SSL on every page of all their sites, regardless of how those pages are used or what kind of content they contain:
Google Chrome now marks all pages without SSL “Not secure.” No matter what the content or purpose of a given web page is, as of summer 2018 (Chrome 68), Chrome prominently displays the words “Not secure” to the left of any URL that starts with http://. This kind of warning can be off-putting to site visitors, resulting in fewer transactions, doubts about the safety of doing business with the site, and a poorer brand perception.
Popular search engines give better search ranking to content under HTTPS. Google announced in 2014 that HTTPS is a ranking signal, yet many online business site managers are still unaware of it. Since the pages left unsecured under the Minimum Viable approach are precisely the ones published to be found by readers, businesses should give that content every ranking advantage they can.
The old objections to SSL don’t apply today. In the 1990s and early 2000s IT teams seeking to speed up web serving and reduce load on servers would judiciously apply SSL only when they deemed it necessary for an explicit security need. These decisions became norms and eventually habits, but the original reasons for them are no longer valid. Encryption does introduce some overhead (a handshake per connection and a few bytes of framing per record), but bandwidth has grown by orders of magnitude since the web’s pioneering days, in part to carry heavy media like video, sound, and large images, and next to that traffic the TLS overhead isn’t noticeable in common use cases.
Likewise, the computing power available on both servers and desktops has increased by orders of magnitude thanks to Moore’s Law, and modern CPUs accelerate AES in hardware, once again removing the objection that encryption places a burden on the communication.
Finally, TLS 1.3 (RFC 8446), published by the IETF earlier this year, greatly decreases handshake time for SSL connections: a full handshake completes in one round trip instead of two, and a resumed session can send application data with zero round trips (0-RTT data can be replayed, so it should be reserved for idempotent requests). TLS 1.3 is already supported by 80% of browsers in use today.
So, when you consider all these factors, the conclusion is clear. All business sites should include SSL on all pages, not only those intended for customers but also pages for partners, employees, and the public at large. Doing so gives these audiences a better experience and content that’s easier to find, all with no noticeable performance burden.