For those still holding out for a better alternative to SSL, it’s time to give up the ghost. Though implementations like OpenSSL have seen many a vulnerability as of late, the protocol remains the best ubiquitous technology we have for end-to-end encryption. And with Google’s announcement last year regarding SSL’s impact on a website’s search rankings, the question stands: why are so many organizations still holding out on implementing SSL site-wide?
The short answer: they apparently didn't get the memo. The historical reasoning behind firms not implementing SSL by default has mostly been performance-related, but these days lack of computing power is hardly a concern. In fact, Google estimates that SSL encryption only increases its server loads by 1%. And with aggressive initiatives by companies like Mozilla to deprecate non-secure HTTP (read: future versions of Firefox will not support non-SSL sites), the days of non-encrypted web surfing are surely coming to an end.
As a foundational component for a strong security posture, SSL should be everywhere and turned on by default, encrypting all communications to and from a website. And though the new SEO benefits of SSL per Google should indeed be a concern, a far more important issue at hand for organizations is securing their websites and visitors against today’s cyber threats—even if only to preserve privacy measures.
And who better to take up arms in the battle for privacy than Google? At Google I/O last year, the behemoth made its case for “HTTPS Everywhere.” The following is the video from its presentation that highlights the critical reasons for instituting SSL by default.
So along with privacy, HTTPS preserves data integrity and protects users and website owners against passive and active hackers. Additional measures, like obscuring server headers, can further protect against automated efforts by malicious actors. Many organizations have already moved towards this model of always-on encryption, but surprisingly—many prominent companies have yet to implement SSL site-wide. This includes many of the Fortune 500’s and a number of prominent technology companies.
Unfortunately, many security vendors are failing to provide this foundational component of security to website visitors—which of course is disconcerting given their line of business. So while companies like Symantec, Tripwire, and Trend Micro continue to use non-encrypted websites, vendors like FireEye, Tanium, and Palo Alto Networks have already taken the necessary leaps. By adopting HTTPS everywhere, organizations—especially security companies—can effectively demonstrate competence in fulfilling the basic requirements for strong security.