SSL: Website Security

Over the past few months I have dealt with SSL website encryption on a number of occasions, and it has got me thinking about the slow adoption of SSL on websites.

The Past

In the past, SSL was used to encrypt communications between the user's browser and the server for important things like e-commerce or, ideally, whenever you entered any personal information. It was limited to this role because certificates were expensive and browsing over a secure connection was slower; neither of these things is true today.

The Options

You can get an SSL certificate for £44 from Go Daddy; this, coupled with the speed of home computers and the low cost of server hardware, means it's easier than ever.
As an alternative to getting a certificate for your site, you can use a service such as CloudFlare. They offer a really cool caching service for improving the performance of your site, but they also offer SSL protection. Their service sits in between the user and your web server; their standard SSL offering will encrypt the connection between the user and CloudFlare. This is enough to protect the users and stop people from sniffing their traffic and seeing what they are doing.

The Challenges

Despite what I have said above, there can be hurdles to overcome. Sites typically include content from various different sources, and all of it will need to be served via an SSL connection. Sometimes this isn't an option, as I found out when switching Crunch to SSL only: all the content was available over a secure connection except for some Skype JavaScript, which had to be hosted locally to work around the limitations.

The Problems

Despite the simplicity of implementing SSL, most web browsing happens over an unsecured connection. This may not seem like a big deal, but with the increasing popularity of public WiFi access points it's easier than ever to watch what people do online; Firesheep was a great example of how mainstream hacking like this is becoming. If you connect to a website using an SSL connection, you make it a lot harder for anyone to see what you're doing: it turns from something anyone can do into a more serious targeted attack.

The Future

Over the past few years more services have started to operate fully via a secure connection: Gmail, Twitter, Facebook and soon Google. Last year when I released FTP-CMS I added an option to force users to use the site via SSL; this should probably have been SSL only, but it's better than a lot of other sites.
Hopefully over the next decade SSL will become the norm, and rather than browsers displaying a padlock or green bar if you're browsing securely, they will display something if you're not.

If you're thinking about an SSL certificate for your website, don't think about why you should have one; try to come up with reasons why you shouldn't.