printer friendly version

Effective website security

Websites have been using SSL technology for years to ensure their security, and the certificates and their uses are well understood. SSL that only protects users at login, however, leaves them vulnerable when they’re spending time on your website.

“SSL,” says LAWtrust Certificate service manager Megan Rehbock, “is like a safety belt for secure websites and it should always be on across your entire website to protect your users with persistent security from login to logout – be it via Web browser, mobile device, e-mail client or other Internet applications.”

Always-on SSL is an essential and cost effective measure that provides end-to-end protection for website visitors from start to finish, making it safer to work, socialise and shop online, she says. Always-on SSL encrypts all information shared between a user and machine, including all pages and cookies. It is not a product, service or replacement for your existing SSL certificate but rather an approach to security that recognises the need to protect the entire user session, and not just the login screen or home page.

Persistent HTTPS throughout your site and Always on SSL is not difficult to implement. Here are a few tips:

* Scan for and replace all instances of 'HTTP' with 'HTTPS' on your website.

* Remove mixed content – make sure to ensure all content displayed on your website originates from HTTPS links. HTTP references could compromise the security of your site.

* Only allow HTTPS connections to your secure website.

* Set your cookie flags to 'secure'.

* Enhance security and trust with Extended Validation SSL Certificates.

* Never use self-signed SSL certificates, only use certificates issued by a trusted certificate authority (CA).

* Disable null ciphers, short bit lengths and SSL version 2.

* Make sure that your CA signs and issues your certificate using SHA-2 hashing algorithms.

Vulnerabilities such as session hijacking, side-jacking, and man-in-the-middle attacks are some of the risks you expose users to if you do not implement always-on SSL. Implementing always-on SSL will help give users the assurance that you take their security and privacy seriously, and that you are taking reasonable steps to protect their identities and private information.

Share this article:

Further reading: