In the past many companies shied away from always-on SSL (AOSSL), but interest in adopting it is now growing because of the increasing threat from evolving cyber-attacks and the rising impact of breaches on organizations, companies and even personal websites. We encourage companies, organizations and individuals with functional websites to start using AOSSL: it not only secures the website but also brings real business benefits.
The Benefits of AOSSL to companies, organizations and individuals with functional websites
AOSSL is an approach to web design and implementation that uses HTTPS for all web pages, beginning with the home page. AOSSL provides the enhanced security needed in today’s cyber threat world, and in many cases delivers additional business benefits.
Organizations such as Google, Facebook, Twitter, and others have led the charge. Such companies were early adopters of AOSSL, and by their example other organizations have followed.
Using AOSSL is a change from past web design practices. Most companies use SSL only when sensitive information is transmitted to and from their sites. For example, it is quite common to use SSL when banking customers enter user names and passwords to sign onto their accounts or when shoppers enter their credit card information on a commerce site.
Many companies also use SSL to secure internal communications but do not secure every page, so a user may pass between SSL-secured and unsecured pages within a single session. For example, if a user decides to continue shopping after reaching the checkout stage of an online purchase, browsing the site’s online catalog may lead to pages that are not SSL-protected. At that point the transport shifts from HTTPS back to plain HTTP. So while the user’s login credentials were protected, the session ID in the cookie is transmitted in clear text on every new request the browser makes to the domain, unless the cookie was set with the Secure attribute, which tells the browser to send it only over HTTPS.
This leaves the client’s session vulnerable to hijacking and man-in-the-middle attacks: anyone who can read the traffic can replay the session ID and act as the logged-in user. The consequences of these attacks are significant. The majority of financial institutions in numerous surveys considered these attacks to be the greatest threat to online banking. For online merchants, account takeover fraud that results in hijacking of customer information is on the rise, leading to the loss of $5 billion globally each year for the past several years.
Unfortunately, the situation is likely to get worse. Attackers increasingly have access to widely available, easy-to-use tools that can capture insecure cookies and impersonate the user to steal personal information, or intercept a user’s session traffic and rewrite it so that it stays on HTTP (thus “stripping” the SSL protection). Stripping works because a user’s first request to a site is usually a plain http:// one: the attacker answers that request, fetches the HTTPS site on the user’s behalf, and serves the content back over HTTP, so the user never sees the secure connection.
These attacks exploit the transition from HTTP to HTTPS (the unprotected first request and the redirect that follows it) or weaknesses in how the SSL session is established. AOSSL closes them with several techniques. The most important is HTTP Strict Transport Security (HSTS): the site sends a Strict-Transport-Security header over HTTPS, and the browser then refuses to talk plain HTTP to that host for the stated period, rewriting any http:// link to https:// itself before the request leaves the machine. The header only takes effect after the browser’s first HTTPS visit; the remaining gap on that very first visit is what the browser vendors’ HSTS preload lists are for.
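The two browser-side rules the passage relies on, the Secure cookie attribute and HSTS, are small enough to model directly. The following is an added example written for this page, not code from the original article or from any browser: it records an HSTS policy the way RFC 6797 requires (only from HTTPS responses, honouring max-age and includeSubDomains), upgrades later http:// URLs, and decides whether a session cookie would be attached to the resulting request. The class and function names (HstsStore, Cookie, session_exposure) and the host shop.example are this example’s own assumptions.

```python
"""Added example (not from the original article): a minimal model of
HSTS policy handling (RFC 6797) and the cookie Secure attribute (RFC 6265).
Names and the host "shop.example" are illustrative assumptions."""
import time
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute time after which the policy lapses
    include_subdomains: bool


@dataclass
class HstsStore:
    """Per-host HSTS policies, keyed by lowercase hostname."""
    entries: dict = field(default_factory=dict)

    def observe(self, url: str, headers: dict, now: Optional[float] = None) -> bool:
        """Record the policy carried by a response; True if one was applied."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False      # RFC 6797 8.1: ignore the header over insecure transport
        value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
        if value is None:
            return False
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(val.strip().strip('"'))
                except ValueError:
                    return False  # malformed max-age: the whole header is ignored
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False
        if max_age == 0:
            self.entries.pop(parts.hostname, None)   # max-age=0 removes the policy
            return True
        self.entries[parts.hostname] = HstsEntry(now + max_age, include_sub)
        return True

    def is_known(self, host: str, now: Optional[float] = None) -> bool:
        """Covered directly, or via an includeSubDomains policy on a parent domain?"""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: Optional[float] = None) -> str:
        """Upgrade an http:// URL to https:// when a policy applies (RFC 6797 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or "", now):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


@dataclass
class Cookie:
    name: str
    value: str
    host: str
    secure: bool


def parse_set_cookie(header: str, host: str) -> Cookie:
    """Parse the parts of a Set-Cookie header this model cares about (host-only cookie)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure = any(p.lower() == "secure" for p in parts[1:])
    return Cookie(name.strip(), value.strip(), host.lower(), secure)


def cookie_sent_on(cookie: Cookie, url: str) -> bool:
    """RFC 6265 5.4: a Secure cookie is only attached to requests over a secure scheme."""
    parts = urlsplit(url)
    if parts.hostname != cookie.host:
        return False
    return parts.scheme == "https" or not cookie.secure


def session_exposure(set_cookie: str, hsts_header: Optional[str], next_link: str,
                     host: str = "shop.example", now: float = 0.0) -> dict:
    """The checkout-then-browse sequence from the article: the HTTPS login response
    sets a session cookie (and maybe an HSTS policy); the user then follows a plain
    http:// catalog link.  Reports what actually reaches the wire."""
    store = HstsStore()
    headers = {} if hsts_header is None else {"Strict-Transport-Security": hsts_header}
    store.observe(f"https://{host}/login", headers, now=now)
    cookie = parse_set_cookie(set_cookie, host)
    request_url = store.rewrite(next_link, now=now)
    sent = cookie_sent_on(cookie, request_url)
    return {"request_url": request_url, "cookie_sent": sent,
            "plaintext_leak": sent and urlsplit(request_url).scheme == "http"}


if __name__ == "__main__":
    # Constructed sample inputs: the same site without and with the two controls.
    print("weak    :", session_exposure("SESSIONID=abc123; Path=/; HttpOnly", None,
                                       "http://shop.example/catalog"))
    print("hardened:", session_exposure("SESSIONID=abc123; Path=/; Secure; HttpOnly",
                                       "max-age=31536000; includeSubDomains",
                                       "http://shop.example/catalog"))
```

Three things are worth noticing when running it. A Secure cookie by itself stops the leak but the http:// request still goes out in the clear, so the user simply lands on the catalog page logged out; HSTS is what keeps the request on HTTPS in the first place. A policy received over plain HTTP is discarded, which is why an attacker cannot plant a bogus max-age=0 to clear one. And before the first HTTPS response the store is empty, so the first request of a fresh browser is still unprotected; that is the gap the preload lists close.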
From a business perspective, AOSSL offers several benefits. To start, savvy users today look for the extra safeguard of having every page of their session on a site encrypted, not just the login form. Those concerned with the growing problem of identity theft want stronger security. A company that employs AOSSL on its sites can tout the additional security it delivers as a differentiator. When clients or customers have a choice, they may decide that competitors that do not support AOSSL are the less favorable option.
In some ways, the use of AOSSL reflects a shift in the way many companies use SSL. For some years, SSL was employed for its encryption capabilities to ensure confidentiality of the information exchanged between a user’s browser and a server. But increasingly, SSL is relied on to enhance a user’s trust in a company’s security practices and to verify its identity. In particular, SSL conveys a message to users that the company is a legitimate organization and its identity has been vetted by an external authority.
A secondary business benefit of using AOSSL is its potential to get customers to a site in the first place. Google now boosts the rank of SSL-secured sites in its search algorithms. This is part of a broader Google effort calling for “HTTPS everywhere.”
AOSSL is one of many factors that can be used by a business in its search engine optimization (SEO) efforts. If the decision has already been made to use AOSSL for security reasons, the SEO rankings boost is a bonus that comes at no extra expense.
Currently, AOSSL has only a very lightweight impact on ranking, carrying less weight than other factors such as high-quality content. But this is likely to change. Google is keeping the impact on SEO rankings small to give companies time to switch to HTTPS, but it has indicated that over time, it may strengthen the impact to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.
Why have companies avoided AOSSL all along?
Even with these security and business benefits, most companies have not used AOSSL in the past, for several reasons. Perhaps the leading cause has been the perception that SSL needs to be applied only when sensitive information is being passed. As noted above, this is clearly not the case: the session cookie that follows a login is just as valuable to an attacker as the password that produced it. The increased sophistication of today’s cyber-attacks and the growing use of these attacks to commit fraud are raising awareness of the need for AOSSL.
A second reason many companies have not used AOSSL has to do with the perception that AOSSL is computationally intensive, requiring much more powerful systems to host websites. In particular, there has been a perception that running AOSSL would greatly increase CAPEX and OPEX costs related to operating a website. On a high-volume website, the assumption has been that the additional computation muscle needed to perform the associated encryption/decryption on AOSSL would require investment in new hardware.
Fortunately, perception does not equal reality. Google researchers testing the impact of SSL on system performance found that it increased the CPU workload on their systems by less than 1 percent.
An additional reason companies have not used AOSSL is the potential site performance impact from network latency. The latency comes from the additional round trips of the SSL and Transport Layer Security (TLS) handshake, so the time to establish a secure session depends on network performance. A poor connection, low-bandwidth link, or congested path can add delays that slow the overall user experience when interacting with a site. However, in most cases the delays are minimal: the full handshake is paid once per connection, and with persistent connections and TLS session resumption subsequent requests in the same session do not repeat it.
Furthermore, the performance penalty can usually be managed with proper planning. A heavily trafficked site using AOSSL could use higher-bandwidth access lines or prioritize SSL session traffic, but since the handshake cost is dominated by round trips rather than bandwidth, the more effective measures are enabling session resumption and keep-alive connections and terminating TLS close to the user, for example at a load balancer or CDN edge.
Selecting the right solution
Once the decision has been made to implement AOSSL, the main priority is selecting an SSL Certificate.
SSL Certificates are used to secure communications between a website, host, or server and the end users connected to it. An SSL Certificate binds the server’s public key to the domain name operating the website, so the visitor’s browser can confirm it is talking to that domain; the TLS session negotiated with that key then encrypts all information between the server and the visitor and protects the integrity of what is transmitted.
There are several general types of SSL Certificates, each offering a different level of assurance to end users. The Certificate Authorities (CAs) that issue the certificates typically have their own naming conventions for the various certificates; however, the general classes of certificates can be categorized as follows:
- Domain validation SSL Certificates: With these certificates, the issuing CA confirms only that the applicant controls the domain name, for example by checking a challenge value placed on the site or in its DNS, or sent to a domain contact address. No additional effort is made to verify company information. The only information displayed in the browser is the encryption information.
- Organization validation SSL certificates: These certificates offer a higher level of assurance to an end user. As with domain validation certificates, the CA confirms that the applicant controls the domain name. Additionally, the CA vets the company’s identity information to be sure it is a real entity and a legitimate business. A user visiting a site secured by an organization validation SSL certificate sees encryption information and information about who operates the site.
- Extended Validation (EV) SSL Certificates: EV SSL Certificates offer an even higher level of assurance to an end user. The main difference from organization validation certificates is that the vetting of the company using the certificate is much more stringent. The criteria for issuing EV certificates are defined by the Guidelines for Extended Validation, developed by the CA/Browser Forum, a voluntary organization whose members include leading CAs, software vendors, and representatives from the legal and auditing professions. A second set of guidelines, the EV Audit Guidelines, applies to the CA itself: the issuing CA must conform to the audit specified in the guidelines and must pass it each year.