How to Secure Your Website Part I: Communication
Security is about risk management. Online, security is about reducing the risk of exposing information to the general Internet.
Consider the two actions occurring on any device connected to the Internet: communication and data storage. This post covers the first.
Communication is the heart of the Internet. The standard Internet protocol suite, known as TCP/IP (Transmission Control Protocol and Internet Protocol), is the basis for a collection of additional protocols designed to interconnect computer systems across the world in different ways. For example:
- Domain names – DNS (Domain Name System)
- Email – SMTP (Simple Mail Transfer Protocol)
- Web – HTTP (Hypertext Transfer Protocol)
Unfortunately, in the initial designs of the Internet, preventing unauthorized access to data while in transit and the verification of the communicating parties were not primary concerns. As a result, many of the protocols that use TCP/IP do not incorporate encryption or other security mechanisms by default.
The consequence is that anyone can “listen in” (not just the NSA) as data is transmitted across the Internet. That is, none of the protocols in the sample list employ any kind of encryption that restricts access to the data as it travels from one system to another.
HTTP – the protocol of the web – does, however, have a solution to this problem. SSL (Secure Sockets Layer) establishes a process to incorporate cryptographic methods that identify the parties in communication and establish a secure method of data transmission over the web (HTTPS).
Note: Today SSL’s successor is TLS (Transport Layer Security), but it is still commonly referred to as SSL (or more accurately SSL/TLS).
Since the initial phase of establishing an SSL/TLS connection involves computationally expensive cryptographic calculations, deployment in the past was often limited to specific webpages (an e-commerce site’s checkout page, for example). Today, however, the trend is to deploy it as broadly as possible.
- Popular sites, such as Google or Facebook, will conduct all communication over HTTPS by default by redirecting the initial HTTP request to HTTPS.
- Popular web browsers will attempt to connect to a website via HTTPS first by rewriting the initial HTTP request to HTTPS before attempting a connection.
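Both bullets can be verified from the raw responses a site sends. The following Python checker is an added example, not code from the original post: it parses constructed sample responses (no real site is contacted) and reports whether the plain-HTTP answer is a permanent redirect to an https:// URL and whether the HTTPS answer carries a Strict-Transport-Security (HSTS) header, the standard header, not named in the post, that tells browsers to go straight to HTTPS on later visits.

```python
"""Offline checks for the HTTP-to-HTTPS redirect pattern described above."""
from urllib.parse import urlsplit

# Constructed samples (not captured from any real site).
GOOD_HTTP = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.test/\r\n"
    "Content-Length: 0\r\n\r\n"
)
BAD_HTTP = (        # temporary redirect that keeps the visitor on plain HTTP
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.example.test/\r\n\r\n"
)
GOOD_HTTPS = (      # the HTTPS response the redirect lands on, with HSTS
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n"
)
HTTPS_NO_HSTS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

def parse_response(raw):
    """Split a raw HTTP/1.1 response head into (status code, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers

def check_redirect(raw):
    """Findings for the plain-HTTP response; an empty list means it redirects as intended."""
    status, headers = parse_response(raw)
    findings = []
    if status not in (301, 308):
        findings.append(f"status {status}: use a permanent redirect (301 or 308)")
    location = headers.get("location", "")
    if urlsplit(location).scheme != "https":
        findings.append(f"Location {location!r} does not point at an https:// URL")
    return findings

def check_hsts(raw, min_age=31536000):
    """Findings for the HTTPS response; browsers honour HSTS only when it arrives over TLS."""
    _, headers = parse_response(raw)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return ["no Strict-Transport-Security header"]
    directives = {d.strip().lower() for d in hsts.split(";")}
    ages = [int(d[len("max-age="):]) for d in directives if d.startswith("max-age=")]
    if not ages or ages[0] < min_age:
        return [f"HSTS max-age should be at least {min_age} seconds (one year)"]
    return []
```

Run `check_redirect` against what your site returns for a plain http:// request and `check_hsts` against its HTTPS response; any finding is a concrete item to raise with your developer or host.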
Does your website need SSL/TLS? That’s a risk assessment you need to make with your web developer and hosting provider. But consider:
- The trend is to secure more data in transit, not less.
- Your website’s visitors are concerned not only about sensitive information they actively provide (credit card details, for example) but also about other information they provide, actively or passively, such as which webpage they are viewing.
Our next security post will cover the second topic: data storage. In the meantime, have a question about security and the web? Post your question in the comments section below.