Is someone eavesdropping on your customers using your website?

DATA privacy is increasingly becoming a concern not just for businesses but also consumers.

Especially with the implementation of GDPR, companies must have measures to safeguard any data that is collected by any website that they operate.

Failing which, businesses risk jeopardizing their reputation and losing customers, not to mention getting slapped with hefty fines by regulators.

To safeguard this data, most websites run a Secure Sockets Layer (SSL) to establish an encrypted link between a web server and a browser. While not every company needs SSL certificates, any company that collects data from their website will need one.

For example, an e-commerce site that collects delivery and payment details, banks and medical organizations that handles highly sensitive information, or a content website that collects data for analysis, need SSL to ensure data integrity and privacy.

An encrypted connection is typically indicated by “https” and a padlock icon in the URL of a browser. Any data that passes through this link will remain private and untampered, as opposed to an “HTTP” connection that can be intercepted by a third party to collect or modify data.

On a side note, SSL is actually a previous iteration of the security protocol and is currently replaced by Transport Layer Security (TLS). However, it is still most commonly referred to as SSL; for the purpose of this article, we will refer to them as SSL to avoid confusion.

However, not all SSL certificates are trusted by web browsers. In the latest release, both Chrome and Firefox have decided to distrust certificates issued by Symantec CA after it was revealed that there were multiple incidents of mis-issued certificates at the security company.

Since then, Symantec has moved its certificates business to DigiCert. Any certificates issued under Symantec, Thawte, GeoTrust, or RapidSSL before 1 December 2017 must be reissued. Failing which, users will be blocked from accessing websites without a trusted SSL.

This means companies must look at getting their existing certificates replaced as soon as possible, or risk losing customers.

How do I know which cert I need?

Depending on your business size and function, as well as business growth, companies must evaluate and choose the type of certificate that suits their needs. Certificates are issued by a Certificate Authority (CA).

There are plenty of free SSLs available in the market today. For many personal sites or micro businesses, free options like Let’s Encrypt are easy to acquire, easy to install, and provides industry-standard encryption. Both Google and AWS also offer free SSLs to businesses hosted on their platforms.

Although, free certs tend to expire pretty quickly – in the case of Let’s Encrypt it’s 90 days – and comes with limited options. Paid CAs provide better scalability and support for businesses.

Typically, there are three types of certificates available – Domain Validation (DV), which can be used by anyone; Organization Validation (OV), which requires some basic background check on the company; and Extended Validation (EV), where CAs perform rigorous authentication on a particular business. You can recognize EVs as it displays your business name in the address bar.

Beyond that, companies can also choose to encrypt only a single domain or multiple domains.

While it may be tough to figure out which certs you’d need, it is imperative that businesses speak with an SSL provider to determine what is the right fit for their needs.

Businesses today are collecting all sorts of data to improve operations and provide better customer services. Ensuring that the data is valid, and securely held, is key to making the right business decisions.

Without SSL, not only are your customers’ data are at risk, business operations can be compromised as well.

---

---

---