SSLNotTrusted

The security showdown is coming…are you ready?

A battle is brewing in the land of online security and it has the potential to catch your website in its fury. The good news is that there’s still time to get clear of its path, and we’ll share a few resources to help if it’s headed your way. Read on to find out what you can do, but first, let’s get a little backstory on where this all started, define some terms, and finally share some resources for making sure you go unscathed.

The SSL Brawl – A Very Brief History

In the middle of January 2017, a high-profile security newsgroup brought to light a series of potentially problematic website authentication certificates (SSL Certificates) issued by Symantec Corporation’s public key infrastructure (PKI). Soon after the finding, Google’s Chrome team and the broader PKI community developed a plan to mitigate the risk to consumers using the Chrome browser by ramping down trust in Symantec’s infrastructure. Once the plan was finalized and circulated in late 2017, Symantec announced that competitor DigiCert would purchase and overhaul the website security portion of its business. That leads us up to today.

SSL Certificates 101

So, what exactly is a Secure Sockets Layer (SSL) Certificate and why should you care? Let’s go with a classroom analogy to describe what it is. Picture yourself back in the classroom where you (your computer) and your best friend Maurice (a remote web server) are separated by an entire column of your classmates (roughly the internet), and you’re desperate to share the joke (a packet of information) you learned over the summer with him. In this model, passing a note to Maurice via your classmates is the equivalent of your computer communicating with the remote web server via the internet. Grossly over-simplified, but accurate enough. Anyhow, it’s at this point where security comes into play.

Picture your note sailing along, passing through the hands of your classmates without a hitch until it reaches Karl (hacker, potentially). As it turns out, Karl’s a snoopy little guy and suddenly decides he wants to see what you two are chuckling over. In a flash he intercepts the note, reads its contents, quickly but carefully folds it back up, and passes it along, no one being the wiser to what just happened. Now, because the contents of this particular note were less than serious, the consequences of it falling into the wrong hands are minimal. However, run this same scenario where the note contains a locker combination or some similar bit of sensitive information, and the breach of trust becomes a real issue. How do you ensure that Karl can’t read the note even if he gets the chance? One way is for you and Maurice to invest in a pair of decoder rings, and start writing messages that only those rings can unscramble. And what do you suppose are the internet’s decoder rings? You got it…SSL Certificates! (Strictly speaking, the certificate is what lets you confirm the ring really came from Maurice and not from Karl; the scrambling itself is done by the keys the certificate vouches for, which is why a browser deciding whom to trust to vouch for those keys matters so much.)

Okay, the flashback is over, let’s move on to why you should care. If you’re an online shop owner or run a website that asks users for sensitive information, you either have an SSL Certificate or you need to stop reading this, apply for one and install it. With security concerns on the rise and people becoming more aware of their online identities, there’s really no room for middle ground any longer. Need more motivation? Sites beginning with HTTPS are prioritized over those without the “S” and thus will load faster; since 2014 Google has given secure sites a pagerank boost, and it will very soon start warning users if ANY site they’re visiting is not secure. On its face this last tactic feels somewhat heavy-handed, but just imagine your site being the weak link in a transaction that leads to someone’s credit card or identity being stolen…these are the very real stakes at hand.

Will My Site Be Affected?

Now let’s talk about what you can do to keep your site secure and your visitors safe. First, the good news. If you purchased an SSL Certificate through your web hosting company, and that company is one of the bigger names in the space, there’s a very good chance of one of the following:

  • Your SSL Certificate is not affected and will continue to be trusted by Chrome
  • Your website hosting company is aware of the issue and is working to correct it

Another bit of good news is that if you’re using one of the all-in-one e-commerce platforms like Shopify or SquareSpace (among others), rest assured they have a vested interest in keeping things like SSL Certificates up to date and compliant. And in case you’re wondering, we checked and the two services mentioned are unaffected by this dust-up. You can sleep well!

Now for the not-as-good news. If you have a certificate issued by one of the following authorities, you will need to replace it before April (if the current one was issued before June 1, 2016) or before October (if it was issued on or after June 1, 2016):

  • AlphaSSL
  • GeoTrust
  • GlobalSign
  • Norton
  • RapidSSL
  • Symantec
  • Thawte
  • Trustcenter
  • VeriSign

If you’re unsure when your certificate was issued or by which authority, watch this quick video to find out.

Please note: the above video was created while using Google’s Chrome browser, but most others will show you the same information using a similar method.
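If you would rather script the check than click through the browser, the following is an added example (not code from the original post) that uses only Python’s standard library. It takes a certificate in the dictionary shape that `ssl.SSLSocket.getpeercert()` returns, pulls out the issuer and the not-before (issue) date, and reports which of the two deadlines from the list above applies; the brand names and the June 1, 2016 cut-off are the ones given in this post, and the sample certificates at the bottom are constructed for the demo. The `fetch_peer_cert` helper is an assumption about how you would feed it a live site and needs network access.

```python
"""Classify a certificate against the Chrome / Symantec distrust schedule.

Added example, not part of the original post. Standard library only.
Brand list and the June 1, 2016 cut-off come from the post; April and
October are the two deadlines the post names.
"""
import socket
import ssl
from datetime import datetime, timezone

# Brands the post lists as issued off the affected infrastructure
# (lower-cased, spaces removed, to match loosely against issuer names).
AFFECTED_BRANDS = (
    "alphassl", "geotrust", "globalsign", "norton", "rapidssl",
    "symantec", "thawte", "trustcenter", "verisign",
)

# Certificates issued before this date fall under the April deadline,
# everything else under the October one (per the post).
CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)


def issuer_name(cert):
    """Flatten the nested 'issuer' tuple from getpeercert() into one string."""
    parts = []
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key in ("organizationName", "commonName"):
                parts.append(value)
    return " / ".join(parts)


def not_before(cert):
    """Parse the 'notBefore' field ('Jun  1 00:00:00 2016 GMT') into an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def classify(cert):
    """Return (deadline, reason); deadline is 'April', 'October' or None if unaffected."""
    name = issuer_name(cert)
    needle = name.lower().replace(" ", "")
    if not any(brand in needle for brand in AFFECTED_BRANDS):
        return None, f"issuer '{name}' is not on the affected list"
    issued = not_before(cert)
    if issued < CUTOFF:
        return "April", f"issued {issued:%Y-%m-%d} by {name}, before the June 1, 2016 cut-off"
    return "October", f"issued {issued:%Y-%m-%d} by {name}, on or after the June 1, 2016 cut-off"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Assumed helper: fetch the leaf certificate a live server presents (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the dict shape getpeercert() returns.
SAMPLE_OLD_GEOTRUST = {
    "issuer": ((("countryName", "US"),), (("organizationName", "GeoTrust Inc."),),
               (("commonName", "RapidSSL SHA256 CA"),)),
    "notBefore": "Mar 10 00:00:00 2016 GMT",
    "notAfter": "Mar  9 23:59:59 2019 GMT",
}
SAMPLE_NEW_SYMANTEC = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Symantec Corporation"),),
               (("commonName", "Symantec Class 3 Secure Server CA - G4"),)),
    "notBefore": "Jun  1 00:00:00 2016 GMT",
    "notAfter": "May 31 23:59:59 2018 GMT",
}
SAMPLE_UNAFFECTED = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X3"),)),
    "notBefore": "Jan 15 00:00:00 2018 GMT",
    "notAfter": "Apr 15 00:00:00 2018 GMT",
}

if __name__ == "__main__":
    for label, cert in (("old GeoTrust", SAMPLE_OLD_GEOTRUST),
                        ("new Symantec", SAMPLE_NEW_SYMANTEC),
                        ("unaffected", SAMPLE_UNAFFECTED)):
        deadline, reason = classify(cert)
        print(f"{label}: {deadline or 'no action'} ({reason})")
```

Treat a match here as a reason to ask your host, not as a final verdict: the brand on the certificate is only a hint, and what Chrome actually looks at is which root the certificate chains up to, which a replacement issued under DigiCert’s infrastructure will not share with the old one.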

If after all of this you’re concerned that your website might be affected by the coming change, I recommend contacting your hosting company. Most will be more than happy to look into the matter for you and even walk you through the technical aspects of updating or changing certificates. Stay safe out there!
