What is encryption?
Encryption is the practice of encoding communication in such a way that only an authorized party can read it.
That’s pretty much the most simplified explanation we can give.
So why do you need it? Well, there are really two answers to that. The first, and less satisfying, answer is that it will become a minimum security requirement in 2017 and your website will begin to be penalized if you don’t have it.
The second answer, and the one we’re going to spend a little more time on is: security.
We’ll delve into both of those answers in just a minute, but let’s start at the beginning – with the first question we posed – what is encryption?
To understand what encryption is you have to back up a little bit to the way the internet is constructed in general. The internet is built on HTTP, Hypertext Transfer Protocol. When you visit a website, what’s really happening is your browser is making a connection with a web server. The two exchange bits of information, and the browser takes that information and constructs a visualized website. This is done via HTTP.
The problem with HTTP is that it’s not secure, which means that anyone who knows what they’re doing can essentially see – for lack of a better term – all the communication between your computer and the server. That means any information that is exchanged can be intercepted and either stolen or manipulated by a third party.
Encryption prevents that from happening by securing your connection via the SSL/TLS protocol. When encryption is active, it scrambles the communication between your computer and the server so that only the other party can unscramble and read it. To any third party listening in on the connection, the communication is completely unintelligible.
So how does SSL work? Well, it starts when you purchase an SSL Certificate and install it on your web server. If you don’t have SSL, you don’t have encryption. Once the certificate is installed, the server needs to be configured so that the correct pages are served over HTTPS, which is the secure version of HTTP.
A quick aside: many people mistakenly think you only need to configure the pages that collect personal information to be served over HTTPS. While that’s certainly a method that has existed for a while, it actually makes more sense to configure the entire site to be served over HTTPS at this point.
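As an added example (not from the original article), here is a minimal nginx configuration that does exactly what the paragraph above recommends: every plain-HTTP request is redirected, and the whole site is served over HTTPS with the installed certificate. The hostname, file paths and the HSTS header are assumptions to adapt to your own server.

```nginx
# Added example: serve the ENTIRE site over HTTPS.
# example.com and the certificate paths are placeholders.

# Port 80: accept plain HTTP only long enough to redirect to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

# Port 443: the real site, with the certificate and its private key installed.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    # Leaf certificate followed by the intermediates the browser needs to validate it.
    ssl_certificate     /etc/ssl/certs/example.com.fullchain.pem;
    # Private key: keep it readable by root only.
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # Only negotiate TLS versions still considered safe.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Cache negotiated session parameters so returning visitors
    # can resume instead of repeating the full handshake.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Assumption beyond the article: HSTS tells browsers to use HTTPS
    # for this host from now on, so they stop trying port 80 at all.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root  /var/www/example.com;
    index index.html;
}
```

Test with `nginx -t` before reloading; once the redirect is in place, check that no page, image or script is still referenced with an `http://` URL, or the browser will flag the page as mixed content.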
Now, when a user visits a site with SSL installed and properly configured, the user’s web browser is going to see that the site has SSL and begin a verification process known as the SSL handshake. We won’t get too granular here, but there are a few noteworthy things about the SSL handshake.
Namely, the speed with which it occurs. A browser will download the SSL Certificate, check its validity, ensure that the server is the rightful owner of the Certificate’s public key, use that public key to encrypt a small bit of communication, wait for the server to use its private key to decrypt the information and send it back, and then finally negotiate the terms of an encrypted connection with the server—all in just a matter of milliseconds!
That’s one hell of a technological feat.
Once the server and the browser have negotiated an encrypted connection, they create and exchange symmetric session keys. The two parties can now encrypt and decrypt the communication they exchange without fear of a third party being able to look at it. When the session ends, the keys are discarded. New session keys will be exchanged at the start of a new session.
This is the shorthand explanation of how SSL encryption works.
Now, it should be pretty obvious why you need encryption if you’ve been following along up until this point. The internet is a dangerous place – as unfortunate as it is to have to say that – there are hackers and cybercriminals looking to take advantage of people at every turn.
If you’re running a website that is collecting personal information, financial information, even login information and passwords—you need to keep that information safe for your users. As we mentioned, the default communication protocol, HTTP, is not secure. Anyone who knows how can readily see all the communication taking place across an HTTP connection.
That alone should be enough to convince you.
But if it’s not, here are a couple of other things to consider. First of all, if you’re running a business you may think that only the biggest companies have to worry about cybercrime. That’s absolutely false. According to Symantec, 74% of small and medium-sized businesses have been targeted by a cyber-attack in just the last 12 months. And even more terrifying, 60% of the small businesses that fall victim to a cyber-attack go out of business within six months.
Security is important.
Second of all, even if you’re not a business or you’re not collecting what you consider to be vital information from visitors—if your users can log in, you absolutely need encryption. It doesn’t matter if you’re not selling anything; if users can log in, you have to encrypt. The internet is fairly unique in that users can only do so much to protect themselves; a lot of the onus for protecting people falls on the websites they visit. You definitely don’t want to gain a reputation as a site that doesn’t protect its visitors. And beyond that, people’s password hygiene, in general, is atrocious. That is, people reuse the same passwords across multiple accounts and seldom change them. A breach on your site might seem innocuous, but if cybercriminals can use those stolen passwords to access other, more important accounts—your users are going to blame you.
And finally, even if nobody is logging in on your website—you still are. That’s right, your website likely has a back-end login. How else are you updating it? Shouldn’t that login be secure? If that information gets compromised so does your site. Can you really afford that?
Even if nothing we’ve said in the past 1,000 words has convinced you, this will: SSL is about to become mandatory. No, Google isn’t going to break into your house and put a gun to your head or anything. But then, Google doesn’t have to. It will just put you out of business.
We’re not kidding.
Over the past couple of years, the browser community – Google, Mozilla, Microsoft, Apple – has been politely suggesting encryption. Now it’s done being polite. In 2017, SSL becomes a requirement.
You see, the browsers are in a unique position to influence the internet. You can’t access the web without a browser, can you? And it goes well beyond that. Browsers can tell users that sites are dangerous. They can block sites entirely. Many browsers are owned by companies that also own search engines and we don’t need to tell you how influential SEO and search rankings are, do we?
Well, the browsers are acutely aware of their positioning in the market and they are more than happy to leverage that position to effect change across the internet. That’s what they’re doing here.
Google has already been giving an SEO boost to sites with encryption. Right now that boost is worth about 5%, but it can go up at any moment. The browsers have also decided to withhold premium features from unencrypted websites. Newer advances like the faster, safer HTTP/2 protocol are likewise only available to sites with SSL.
But those are subtle compared to what’s about to happen. In fact, it’s already begun. There are visual indicators that appear in the address bar of every browser. Right now unencrypted sites get neutral indicators while encrypted sites get positive ones. But soon, unencrypted sites will begin getting negative indicators, and the words “not secure” will appear next to their URL.
After that, the browsers will begin issuing warnings to users before visiting unencrypted sites. And that’s where the real pain will begin, because the majority of internet users will not continue to a site when prompted with a warning about it not being safe.
That’s going to have a huge impact on any site—especially business sites.
Even if you don’t feel like you need encryption for security, you now need it just to stay competitive. Hey, don’t blame us—blame the browsers for trying to make the internet a safer place. The nerve.
So there you have it. Encryption is a practice wherein information is encoded in such a way that only an authorized party can read it. It’s really an integral part of any web security strategy. And now, it’s also a basic requirement on the internet.