SSL is great. But you can make it greater.
There is no doubt regarding the fact that SSL/TLS certificates are the foundation of today’s web security. Whether you have a blog with a few thousand followers or are in command of a multi-million-dollar website, you must protect your website with an SSL certificate or HTTPS. If you don’t, you’re likely to feel the consequences in the form of a drop in SEO rankings and Google’s ‘Not Secure’ warning that ultimately leads to a plunge in your revenues. Why are we even telling you this? If you’re reading this post, you obviously understand.
But as good as SSL is, it’s not a one-stop solution. That’s because SSL certificates provide authentication and facilitate encryption for data-in-transit. The last three words of that sentence are crucial. They mean that the data is encrypted only while it’s travelling back and forth between the client (browser) and the server. This kind of encryption is of paramount importance when it comes to securing a user’s sensitive data such as their credentials, passwords, credit card details, etc.
However, this isn’t enough. To have a comprehensive website security strategy, you need to build on it to bolster your website security.
Here are the ways you could (and should) take your website security beyond SSL/TLS certificates.
Install that Site Seal
Do you know that an SSL certificate comes with a thing called ‘site seal?’ Probably not (a pat on your back if you know this). Many website administrators are not aware of the fact that SSL certificates come with trust seals. These site seals display the name of the certificate issuing authority.
Here’s how the site seals of various CAs look:
What do these seals do apart from occupying your website’s space? Well, they do a lot! For starters, they tell your site visitors that a globally trusted third-party authority has verified your identity. Now think from a first-time buyer’s perspective. If you place this seal at the right place, it’ll mean a lot to your site visitors / potential customers. It reminds them that you’re a trusted entity that is safe to do business with. This leads to a better reputation and ultimately, gets reflected in your revenues.
Implement HSTS
How mighty is Thor without his hammer? Would Tony Stark be as deadly without his Armor? Would we have loved Chandler Bing if he had no sarcasm? You know the answers to these questions, don’t you?
Well, in the same way, what’s the point of an SSL certificate if your site is still available over HTTP? No point, right? That’s why your website should always direct users to HTTPS. How to do it? HTTP Strict Transport Security (HSTS) is the answer for you.
HSTS protects against the likes of cookie hijacking and protocol downgrade attacks. Basically, what it does is force browsers to make connections over HTTPS only. You should implement HSTS and take it further by adding your website to the HSTS preload list.
Generate a CAA Record
If you have your preferred CA(s) and want only them to issue SSL certificates for you in the future, CAA (certificate authority authorization) is the thing you should be looking at. To add a CAA record, you have to generate one for your website. Once done, no other CA – except the ones you allow – will be able to issue an SSL certificate for your website. This way, you can avoid any mis-issuance from your side as well as from the CA’s side. You can use our awesome CAA Record Generator tool to generate a CAA record.
Installing an SSL certificate is one thing, implementing it the right way is another. If you’ve not applied these techniques, you’re not making the most of your SSL certificate. The above steps help you leverage the investment you’ve made in your SSL certificate. Now go and put them into action!