In 2022, North America registered an increase in cyber attacks — 52% more compared to 2021. If you think your website doesn’t need TLS security encryption, think again. We’ll explore 8 reasons why every website should encrypt all data in transit, no matter the size or purpose.
Did you know that 69.7% of websites analyzed by Qualys still support deprecated, insecure protocols (e.g., SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1)? Yup. And, believe it or not, from what I have just experienced (more details in the article), it’s not only dodgy websites but also reputable ones taking this approach. Considering cybercriminals take an average of 84 minutes to break into a system successfully, imagine how much faster they’ll be to get into those poorly protected websites.
Are you among those people thinking that as your site doesn’t link to any sensitive data, you don’t need TLS security, as some Canadian election agencies thought in 2018? Let’s explore eight compelling reasons that might make you reconsider your position and reevaluate the power of TLS security. Are you up to the challenge? You may learn something new.
8 Reasons Why You Should Implement TLS Security on Your Website
A few days ago, as I needed to check some information, I visited the official website of an Italian council. To my great surprise, as soon as I clicked on the link, the browser warned me that the site wasn’t secure.
At first, I thought it was a mistake. Turin is a big city; it’s the place where FIAT cars were born, after all! Surely, city council websites should offer the highest level of security… right? I double-checked the URL to make sure it was correct. To my disappointment, it was. Still unconvinced, I tried opening it with my default browser, Firefox, to make the final test of website security.
On Firefox, I have hypertext transfer protocol secure (HTTPS) only enabled. This means that every time I go to a website, the connection is forced to use transport layer security (TLS) on top of HTTP to secure the connection by encrypting it. (Translation: This method ensures websites will only load via secure HTTPS connections; otherwise, they’ll display a warning message to let me know to avoid it.)
As Turin’s council website URL was http://comune.torino.it, Firefox should have automatically upgraded it to https://comune.torino.it. However, it can do this if, and only if, the council had the TLS protocol implemented on its website.
What do you think happened? Yup, as I feared, I got the following disturbing error message as soon as I opened the URL:
But the worst still had to come. As it was a council site, the next question I asked myself was: are there any forms citizens could fill in with sensitive information to request online services? In less than two minutes, I had the answer to my question (and it wasn’t the one I was hoping for):
At first, I couldn’t believe what I was seeing. Then I checked other pages and I found other online forms requesting sensitive information. All on insecure pages, where the citizens would have to enter and submit their sensitive data like birth date, full address, phone number that’ll then be transmitted as plain text.
This means that all those pages were at risk of man-in-the-middle attacks. Yup. As the data entered in the form are submitted as plain text through an insecure connection, intercepting and stealing them is easy for bad guys (more on that in a minute).
Intrigued, I kept on investigating. Now that TLS is considered a key element of every cybersecurity strategy, was there a possibility that other official council sites had the same security issue in 2023? In a country where:
- The Italian data protection authority has just temporarily banned ChatGPT because of security and privacy concerns, and
- A few months ago, the National Agency for Insurance Against Occupational Accidents (INAIL) was slapped with an EU General Data Protection Regulation (GDPR) fine of €50,000?
Probably not, I said to myself. It must have been an isolated case… right? But as I’m a bit like Saint Thomas, who needed to see and touch to believe, I looked at some other random Italian council websites. That’s when I realized that several of them — for example, the website for the cities of Orvieto (http://www.comune.orvieto.tr.it/) and Cattolica (http://www.cattolica.net/retecivica-citta-di-cattolica/), just to name a couple — still didn’t have TLS security implemented.
OK, they probably all deserve a place on Twitter’s wall of shame for insecure sites and apps. But why is TLS security so important for a website? “I got eight good reasons,” as Sinéad O’Connor sang in 2014. Let’s check them out one by one.
1. TLS Lets You Prove That You’re Really the Owner of Your Website
How can your customers know when they’re visiting your website, that they are really browsing the original one, and not a phony website posing as yours? If you implement TLS security, your web server will send a TLS digital certificate, also called an SSL certificate, and its public key to the client to prove its identity.
Only after the identity is validated and the secure communication is established can a customer access to your website. The customer will also be able to verify your identity by simply:
- Clicking on the padlock icon in the browser’s address bar,
- Selecting Connection Secure, which will enable the following window to display:
- Clicking on More Information at the bottom of this same window, which will display a wealth of information about PayPal and the cryptographic methods used to secure the connection (as shown below).
- Hitting the button View certificate in the security tab of the Page Info pop-up window we just discussed, which will bring up a new window (as shown below):
Et voila’. Customers can view all information relating to your organization (which is included in your TLS certificate) for their security and peace of mind. The process may vary slightly depending on the browser your customers are using but, as you can see, it isn’t rocket science.
What happens, though, if your website doesn’t have TLS security implemented via an SSL/TLS certificate? Can a customer still verify your identity? Nope. As there isn’t a certificate available, when your customers click on the padlock icon (which will be crossed out by a red bar in Firefox), they’ll be informed that the connection isn’t secure. And even if your customer checks the security tab on the pop-up window, they’ll notice that:
- They won’t find any information about the website owner,
- The verified by section is empty (how can you verify something you don’t have?),
- There is no View Certificate button to click on, and
- Under Technical Details, it clearly says that the connection isn’t encrypted; thus, all information transmitted can be viewed by anyone.
TLS can protect your customers from malicious redirections to phony websites posing as yours, which is what recently happened to several sites hosted by GoDaddy. At the same time, it’ll also reassure them that, when they enter sensitive information on your website (i.e., credit card details, addresses, etc.), they’re dealing with you and nobody else. Isn’t this already a great reason to implement it?
2. TLS Security Protects Your Data in Transit From Snooping and Theft
Is your website hosted in the cloud? Even as cloud technology continues gaining traction, and 78% of organizations interviewed by PwC have already migrated part of most of their business to the cloud, it doesn’t mean that your website is secure. In fact, 38% of businesses answering PwC’s 2023 Global Digital Trust Insights survey, are forecasting a higher number of serious attacks targeting user data via the cloud in 2023.
One of the major flaws of the insecure HTTP protocol is that all the information exchanged between the client and the website can be read (and stolen) by anyone. It’s a bit like writing your online banking username and password on a postcard and sending it to your friend in the mail. Every person handling that postcard on its trip from the post office to your friend’s mailbox — everyone from the post office clerk to the postman delivering it — will be able to read it (and use it to steal your money).
That’s why websites without TLS security enabled are subject to man-in-the-middle (MITM) attacks. An attacker places himself between the client (e.g., your customer typing his username and password on your website’s login page) and your web server so that he can intercept and steal the data transmitted in plain text. It’s easy peasy.
On the other hand, when TLS is implemented, hackers’ lives get much harder. Why? Because all data exchanged between the parties is encrypted. Therefore, even if the cybercriminal manages to intercept the data, all they’ll see is gibberish nonsense that they’ll be unable to decrypt without the recipient’s private key.
Lastly, enabling TLS security on your website also ensures that no cybercriminal can see what your customers view on your website. This is particularly important for health-related websites, for example. None of your customers would be happy to know that anyone could see they were looking for information about an embarrassing health condition. Am I starting to capture your attention now?
3. TLS Security Improves Customers’ Trust and Increases Conversions
Do you know what’s the most fragile asset you have? Trust. It’s easy to break or lose, but it’s very hard to repair. This was confirmed by the latest McKinsey global survey on digital trust: 40% of respondents confirmed that they stopped buying from companies that were unable to protect customers’ sensitive data properly.
The same report shows that 53% of consumers make their purchases from a company only after having checked that the organization is trustworthy and actively protects customers’ data. No TLS? No party. And that’s understandable. Would you really enter your credit card details on a site flagged by your browser as being insecure? Absolutely not!
I remember reading a Forbes article once that described a customer as a tiny bundle of future cash flow with a memory of an elephant. I think this description is spot on. And, as highlighted by many scientific studies, bad memories stick better than good ones, so experiencing a data breach can mean losing them forever.
So, what’s the best option to increase the level of trust your customers have in your organization, and ensure those “tiny bundles of cash” keep on flowing in your direction? Stop using HTTP and invest in TLS security.
4. Transport Layer Security Minimizes the Risk of Fraud
2.4 million. Nope, it isn’t the latest lottery jackpot — it’s the total number of fraud reports received by the U.S. Federal Trade Commission (FTC) in 2022. This resulted in total losses of $8.8 billion in that year, and online shopping was the second most common fraud category reported.
Want to keep your organization and website off the list? Once again, implementing TLS security is one of your best shots to secure your online presence, business, and customers against fraud. Let’s discover how.
When a customer enters their payment details into your website, a cybercriminal might intercept that data and use it to purchase services or products from your website. By the time the legit credit card owner notices the fraudulent purchases, you may have already delivered the goods or the service. Boom! Who is the biggest loser? You, as you haven’t only lost a product or a service, you’ll also have to:
- Refund the customer,
- Pay any chargeback fee(s) (i.e., the fee[s] charged by the bank for each disputed payment) requested by the credit card merchant, and
- Deal with any other consequences, like legal action or regulations violations.
This takes us straight to the next point…
5. Enabling Secure Data Transmissions Helps You Comply With Industry Standards & Privacy Regulations
I get it, meeting all these standards and regulations isn’t a walk in the park, particularly for small and medium businesses. The good news is that TLS security is here to help. By implementing it, you’ll fill two needs with one deed:
- You’ll be a step closer to reaching industry standards and privacy regulation compliance. Securing the data transmitted between the client and the server through encryption is one of the key requirements of multiple industry and regional regulations related to data protection.
- You’ll protect your organization and customers from data breaches. By keeping your data secure, you’ll enhance the level of security of our website minimizing the risks of what could become a devastating security incident.
Do you think that this doesn’t apply to you because your website is too small? I wouldn’t be so sure. OK, you may not have to comply with the latest Payment Card Industry Data Security Standard (PCI DSS) because you aren’t handling or storing customers’ payment data. However, if you handle the data of persons physically located in the European Union (e.g., you have a contact form on your website, or if users can add their comments or log in to your site), you’ll have at least to comply with the EU’s General Data Protection Regulation (GDPR). And what will you find among the requirements? Data encryption, which the TLS protocol and SSL/TLS certificates provide.
Is your website accepting online payments, or are you handling payment data? TLS can save you big bucks. In 2017,Equifax suffered a data breach of epic proportions that cost the credit reporting agency more than $1.78 billion between clean-up costs, fines, legal fees, and compensations.
Do you deal with health information? You should be even more motivated to implement TLS security. Why? In the updated Health Insurance Portability and Accountability Act (HIPAA) that may take effect in 2023, cybersecurity best practices are becoming a fundamental factor for compliance. They also may even save you a few bucks.
In fact, organizations that can prove having implemented security practices will benefit from:
- Shorter audits, and
- Reduced penalties in case of a data breach.
I guess now it’s easier to understand why TLS security can be such a key asset for any organization.
Security is king. That’s also why the White House Office of Management and Budget Memorandum M-15-13, published in 2015, required all U.S. federal websites and services publicly accessible to use HTTPS only (and therefore TLS) by end of 2016.
6. TLS Adds a Layer of Security to Prevent Malicious Data Modifications
Do you remember when in point one we talked about TLS protecting your customers from being redirected to malicious websites? That’s phishing by exploiting MitM in-transit data interceptions. And these kind of attacks are growing exponentially.
- A whitepaper from Interisle Consulting Group shows a whopping 61% increase in phishing attacks between May 2021 and April 2022, compared to the same period in the previous year.
- SlashNext identified more than 255 million phishing attacks in only six months.
TLS helps to protect you from other types of attacks aiming to modify the in-transit data exchanged between the client and the server for fraudulent activities. For example:
The attacker intercepts the communication between the client and the DNS server. Posing as the DNS server, they provide phony DNS entries. The user is then redirected to a replica of the original website where the attacker has injected malicious code. When the user enters their credentials into the login form containing the malicious code, the cybercriminal gets them, as demonstrated in the three-minute video below.
See how easy it is to exploit DNS spoofing to steal your customer’s sensitive data, and how difficult it is for a user to detect the whole scam? In this video, usernames and passwords were stolen but, it could happen the same to credit card details for example.
As a matter of fact, according to Sucuri’s 2022 Threat report, 90% of credit card skimmers they identified (malicious software that reads credit card details while the customer is typing or replaces a legit form with a phony one) were hidden in malicious PHP codes (i.e., code injection); thus, making them highly difficult to detect.
An attacker may downgrade an HTTPS connection to the less secure HTTP once they’ve intercepted the conversation. This leaves your data in transit vulnerable to interception and poisoning attacks. This type of man-in-the-middle attack is called SSL stripping.
The HTTP site could then be “poisoned” by the attacker with malware that’ll be automatically downloaded and installed on the customer’s device as soon as he visits the page without him even noticing it. The consequences? Have you ever heard of cryptojacking? It’s malicious software that, once downloaded, dramatically slows down the victim’s computer while enabling the attacker to mine cryptocurrencies to add to his pocket.
Did you know that attackers can pose as your customers and, for example, make purchases on your websites or transfer funds without the need of stealing customer credentials and information? Yup, that’s session hijacking, which is another type of MITM attack.
How does it work? When the customer logs in to your website, a session between the client and the web server starts. The server, after validating the login credentials, assigns a unique session ID to the customer that’ll last for the whole session. This way, the server knows that it’s talking to the customer logged in and not to somebody else.
However, if your website is using HTTP only, that session ID will be transmitted as plain text. What do you think an attacker will do? Yup: they’ll steal the session ID, pose as the logged-in customer, make a big order on your website, and leave your customer to foot the bill. The result? The customer will probably refuse to pay, and you’ll end up without money and goods.
Is then going to be enough to implement HTTPS just on your website’s login page? Not really. In fact, once the customer authenticates via an HTTPS page, when they navigate to other HTTP only pages on your website, their session ID becomes visible again. Thus, the bad guys can easily steal it and use the stolen session ID to log in.
Want to see a live example of session hijacking? Check out this entertaining short video by Scott Helme:
7. Transport Layer Security Protects Your Brand and Reputation
Did you know that 84% of consumers interviewed by DigiCert would consider switching vendors if they lost trust in the brand due to a security incident? Furthermore, 79% of customers surveyed by PwC consider data protection the top factor that’ll build their trust in an organization. TLS security anyone? Protect your assets from cybersecurity threats, and you’ll protect and increase the trust in your brand and reputation as well.
Want to make sure your customers know how much you care about their security, and that you offer them only the best level of protection available on the market (i.e., TLS security)?
Make your brand and reputation shine with a site seal associated with your TLS certificate. Issued by the certificate authority (CA), once added to your home page or checkout page, it’ll confirm to your clients that your website is secure and legitimate.
Not all TLS/SSL certificates come with a site seal. However, if you can get one, it’ll help prove to customers and site visitors that your website is as secure as other trusted major brands’ sites.
Do you think it won’t make any difference? Well, I’d pause for a moment and think about it before taking this off of your list. According to Baymard Institute’s 2022 research, 18% of interviewed consumers said they abandoned purchases before proceeding to checkout because they didn’t trust the site with their credit card information.
8. TLS Security Helps Boost Your Google Rankings
How good is your website’s Google ranking? Want to improve it? The magic of TLS can help you with that, too. In 2014, Google started testing using a secure, encrypted connection (HTTP over TLS [HTTPS]) as a new signal for their search algorithm. A few months later, the secure connection was officially included in the algorithm.
I know, Google’s search algorithms are very complex and influenced by a myriad of factors. However, 2019 research confirms that websites with TLS implemented will achieve a higher ranking compared to those still relying solely on HTTP.
Furthermore, if your site is also mobile friendly, implementing TLS security also gives you a little help climbing the ladder of Google rankings. Have you ever heard of Google accelerated mobile pages (AMP)? It’s a web component framework that’ll help you speed up web page loading times on mobile devices. And speed is another powerful ranking factor. But there’s a catch: Google AMP works only with websites using TLS security and a specific extension. Another good reason to implement it!
Final Thoughts on 8 Reasons You Need to Implement TLS Security on Your Website
So, there you have it. What do you think? Are these 8 reasons good enough to win you over and implement TLS security on your website? All websites, including blogs and static pages, need to have a decent level of security to protect them against cybercriminals. However, defending your reputation, brand, and your customer data doesn’t have to cost a fortune.
Investing in a TLS certificate, even the most basic one, can help you minimize the risks of cyber attacks that, if successful, may cost you a considerable amount of headaches, time, and resources (including money).
It’s time to take a leap into the 21st century and implement TLS. Ensure that the website you built with a lot of care and effort supports TLS version 1.2 as a minimum requirement. Want to make your website even more secure? Then you should also enable the support for the most recent version of TLS, TLS 1.3. The choice is yours, as long as you choose HTTPS.