SSL Encryption Everywhere
We live in a digital world where almost all communication is done electronically. And more and more, users of “this internet thing” are becoming very educated. Education in this case means 2 things:
- They ask for more sophisticated ways to communicate (sharing via cloud file storage, i.e. Google Drive, Dropbox, and several others).
- They are becoming more aware of how to abuse or manipulate (for curiosity or malice – ”hacking“) communication.
The two feed each other beautifully which both pushes advancements in technology and makes it more and more unsafe to use casually. However this article will focus mostly on the latter: abusing or manipulating communication.
Consider the everyday task of someone logging into a non-encrypted (insecure) web site – those are the ones that start with http:// and not https:// – you can simply eavesdrop on them. It takes seconds using basic, free, and widely known “network sniffing” tools such as Wireshark. Not only can you see very personal and even confidential information you can also grab a their usernames and passwords. The screenshot on the left is a typical HTTP user login.
Now take this one step further. Think about how many usernames and passwords you re-use. Most internet users use the same username (typically their email address) and password over and over again. If you fall into that category, one leaked username and password could mean the death of your digital identity – email, social networks, online stores, credit cards, and banking.
Needless to say, most internet users have no privacy because of this. And if you’ve ever had your Yahoo! email address hacked, you can safely assume that this is how they did it. After all, prior to January 2013 all Yahoo! Mail traffic was insecure. Not only is your online account and user identity at stake, but so is all the content you send and receive on the net.
Web browsing (HTTP) isn’t the only target; although it’s probably the biggest. Other very common network protocols such as FTP and Telnet are well known to be insecure. The screenshot on the right is a typical FTP user login. For those who are not familiar with FTP, it’s a very well known service for transferring files between workstations and servers.
Obviously, all this goes to show how easily a user’s online account can easily be stolen or at the very least communication intercepted.
The solution, obviously, is to use secure communication. In the case of web browsing, this means upgrading your http:// to https:// by encrypting all communication with the phenomenal crypto technology, SSL (Secure Sockets Layer). SSL secures your connection and protects your privacy using very strong encryption that is guaranteed by an SSL certificate. The certificate is a unique cryptographic file generated for you by a known and trust source – a “certificate authority” or CA – and installed on your servers. The certificate is not only used as a key to encrypt and decrypt all communication, but it’s also used to prove the identities of both parties communicating (the sending and receiving parties) hence stopping common interception techniques such as MITM (Man in the Middle) attacks. Lastly, a certificate also warranties you and your users with actual green cash in case the CA delivers a bad certificate.
If you’re hosting web services of any kind, this is the time to consult with your IT guys or your hosting company to purchase an SSL certificate. A certificate today can range anywhere from $9/year to $1500+/year depending on how many domains and subdomains it can be applied to, how strongly it proves your identity to users, and the level of warranty you want. As for me, I’m heading over to Namecheap to get myself a Wildcard SSL certificate.