HTTPS alone won’t save your website from hacks

shape
shape
shape
shape
shape
shape
shape
shape

Getting an SSL certificate is one of the first and important things when it comes to website security. But often, it is assumed that this alone will suffice in protecting your website. An HTTPS website does enhance a website’s security. But it will not singlehandedly keep your website out of harm’s way.

What is HTTPS?

In simple terms, HTTPS is the secure version of the HyperText Transfer Protocol (HTTP). This uses a security protocol to encrypt communications on the website. Dubbed Transport Layer Security (TLS) or its older name Secure Socket Layer (SSL), it uses an asymmetric public key infrastructure. In other words, the HTTP protocol transfers data between the browser and the web server in hypertext format. HTTPS does this through an encrypted format. The Secure Socket Layer ensures data transfer via HTTPS remains encrypted and private.

Essentially, HTTPS is an HTTP connection over SSL. The difference is that SSL creates an encrypted link through the SSL certificate (also known as a digital certificate).

Google has been taking HTTPS rather seriously during the past few years. Now if you visit a website, Google will warn you by indicating that the website isn’t secure. Furthermore, the fact that even Google is encouraging users to move to HTTPS may indicate better SEO as well.

However, it should be noted that an HTTPS connection is only part of a good web security strategy. As we mentioned earlier, it’s a naive assumption to think HTTPS alone will save your website. In fact, HTTPS isn’t foolproof either.

The Heartbleed vulnerability

Announced by security researchers in April 2014, the Heartbleed bug was a serious flaw in OpenSSL. The SSL standard includes what is called a heartbeat option. This heartbeat option sends a short message from one computer to another computer over SSL to verify that the second computer is online. If so, the first computer gets a reply. The loophole allowed attackers to use the heartbeat function to trick a computer into providing content of the server’s memory.

To clarify the severity of the issue, this allowed hackers to harvest passwords, credit card details, and other personal information. Additionally, this bug also compromised secret keys. These secret keys are what servers use to decrypt encrypted information it receives. Compromising these secret keys would mean that attackers could virtually access any information that comes through to the servers.

Of course, following the discovery of this vulnerability, organizations from around the world pledged commitment to preventing attacks of this nature from taking place. This ranged from Hewlett Foundation’s $20 million cyber initiative to almost $4 million in donations from Amazon, Microsoft, Google and Facebook to the Linux Foundation.

But this wasn’t a one-off thing. The SSL and TLS protocols have fallen victim to vulnerabilities several times over the years. Most notably, some of the older versions like SSL 3.0. The POODLE vulnerability reported in October 2014 allowed attackers to decipher encrypted content without the need for any encryption method or key. In September 2011, the BEAST attack referred to a vulnerability that enabled attackers to employ a man-in-the-middle form of attack.

HTTPS should be mandatory. But it shouldn’t be the only option

To be clear, it’s not a matter of whether your website should use HTTPS or not. By all logic and reason, your website should have an SSL certificate. HTTP websites are now marked as “not secure” by Google, while HTTPS connections are depicted by a green “secure” label. Furthermore, Google has already announced that it will take further steps with regard to HTTP content.

But conversely, the fact that HTTPS websites are marked with a green “secure” label leaves naive users thinking the website security as adequate. The point is, having HTTPS on your website isn’t some magical protect-your-website-from-everything feature. Yes, it enhances your website security. But there’s a lot more to do if your website is to be deemed truly secure.

How you can beef up your website security

Today, most companies use some form of Content Management System (CMS) like WordPress to manage a website. As such, brute force attacks are a common strategy for hackers. Why? Most users would retain default login details for backend access. It is easier for attackers to target a WordPress website if the backend login URL ends with something like “/wp-admin”. One of the simplest and most effective ways of evading these types of attacks is to change the default URLs of all administration related logins such as CMS logins and hosting account details.

Furthermore, if you do utilize various tools and systems like WordPress, enabling regular updates may go a long way. Most times, software vendors look for various vulnerabilities in systems and deploy patches if anything is found. So, sometimes it can be as simple as not forgetting to update your software.

It’s also advisable to focus security on areas where user input is taken. This usually refers to comments, “contact us” sections, forms, and other text inputs. If unprotected, hackers could easily use these to add malicious code to perform various attacks. In fact, this is one of the most common means of carrying out SQL attacks. Thereby, its important to pay attention techniques such as data validation, parameterized queries, captcha, etc. The most effective way to ensure this happens is to follow a standardized secure coding practice.

Beyond blocking brute force attacks and following secure coding practices, it’s also equally important to set up mechanisms that enable effective damage control should the worst come to the past. For the most part, this refers to backups. Full system backups on a regular basis can be a lifesaver if your website is ever compromised. Additionally, setting up different monitoring tools for your website could offer valuable insights. For example, Google Search Console warns you if it detects any page getting hacked.

But another aspect that may not receive much attention is access level controls. It’s vital to have proper access levels assigned to each user of a website. You wouldn’t want your blog writer to have the same access privileges as the website administrator. Thereby, setting up appropriate access controls will enhance the website security within the company itself.

Of course, website security covers a vast area of topics. Maintaining website security at a good level is a continuous process. But in case you’re curious about understanding more about website security, you could check out our previous post on the subject.