In this article, we'll go over what you need to know about the upcoming SSL requirement so that you can be sure your website is fully protected against threats.

HTTPS, SSL, and TLS

If you're using HTTPS, that means you're relying on encryption to transmit data between your server and a web client. That encryption is specified by a protocol called SSL (Secure Sockets Layer) or TLS (Transport Layer Security).

For the purposes of this article, it's safe to say that SSL and TLS are the same. Although there are some technical differences, you can use the two acronyms interchangeably.

SSL was developed in the 1990s by Netscape. Eventually, the Internet Engineering Task Force (IETF) assumed control of the protocol and renamed it TLS.

There were two versions of SSL that went public: v2 and v3. They're not considered secure any more.

The first version of TLS, v1.0, is also insecure. That's why you need to make certain that your website is using v1.1 or v1.2.

What Does a Web Security Protocol Do?

TLS serves two primary purposes.

First, it encrypts communications between a client and server. That means that eavesdroppers who are trying to steal credit card data or other personally identifiable info (PII) will only see a scrambled mess of characters that make no sense.

Second, it builds trust between the client and server. TLS effectively guarantees that a client is communicating with the server that it intends to communicate with.

How does it do that? With the use of digital certificates. They're kind of like online signatures.

That trust relationship is important because it prevents "man in the middle" attacks.

The Old Protocols Are No Good

As we've seen, the older protocols (SSL v2, SSL v3, and TLS v1.0) are no longer secure. Unfortunately, they're not fixable, either.

That means you can't just patch those old protocols to make them secure. You have to upgrade to a new, more robust version.

At a minimum, you should upgrade to TLS v1.1. That will keep you compliant.

You should, however, go the extra mile. Upgrade to TLS v1.2 if at all possible.

Get a Checkup

So how can you tell which version of the protocol your website is using? Unfortunately, it's not that easy.

The good news, though, is that if you've outsourced your web hosting or digital marketing to a reputable provider, you probably don't need to do anything, as they will take care of it for you. That's especially true if you're using a cloud hosting provider.

Those companies tend to keep up with all the latest trends in digital security. They've got your back.

Still, it's a great idea to call your company's tech support line and ensure that you're using TLS v1.1 or TLS v1.2.

If your website is running on Windows Server 2012, you also don't need to do anything. That operating system already uses the latest security protocols.

Once again, though, it's a great idea to contact your tech support team just to be sure.

If your website is running on a UNIX platform, you will definitely need to get some professional assistance to ensure that you're using the latest and greatest versions. There are simply too many flavors and versions of UNIX for a "one size fits all" method of checking for compliance.

The best thing to do, though, is to get an audit from an Approved Scanning Vendor (ASV).

An ASV is a company that's qualified to check your website for security vulnerabilities. It can tell you which protocol version your server is using.

Fortunately, the PCI Security Standards Council maintains a list of approved scanning vendors. It's worth your time to check out that list and find a company that can give you a checkup.

Of course, that kind of service will cost some money. Expect to open your wallet because security isn't cheap.

It's just the cost of doing business these days.
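
For a quick first look at a server you operate, the sketch below offers one protocol version per connection and records which handshakes succeed. It is an added example, not part of the original article; the function names and the OpenSSL `@SECLEVEL=0` cipher setting are assumptions of this sketch, and it covers only TLS v1.0 through v1.2.

```python
import socket
import ssl
import sys

# Versions this probe can offer. SSL v2/v3 are missing because current
# Python/OpenSSL builds cannot speak them at all.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def accepts(host, port, name, timeout=5.0):
    """Return True if the server completes a handshake at exactly `name`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # probing protocol support, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # assumption: lets OpenSSL offer old versions
    ctx.minimum_version = VERSIONS[name]
    ctx.maximum_version = VERSIONS[name]
    # TCP errors propagate on purpose: "unreachable" is not "version refused".
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == name
        except OSError:          # ssl.SSLError, reset or EOF during the handshake
            return False

def probe(host, port=443):
    """Try each version separately and record which ones the server accepts."""
    return {name: accepts(host, port, name) for name in VERSIONS}

def assess(accepted):
    """Apply the article's policy to a {version: accepted} mapping."""
    if accepted.get("TLSv1"):
        return "upgrade needed: TLS 1.0 is still accepted"
    if accepted.get("TLSv1.2"):
        return "ok: TLS 1.2 accepted, TLS 1.0 refused"
    if accepted.get("TLSv1.1"):
        return "minimum met: TLS 1.1 only, move to TLS 1.2"
    return "no result: no TLS 1.0-1.2 handshake succeeded"

if __name__ == "__main__":
    for host in sys.argv[1:]:    # e.g. python tls_probe.py www.example.com
        results = probe(host)
        print(host, results, "->", assess(results))
```

A refused handshake for TLS v1.0 or v1.1 can also mean the local OpenSSL build or system crypto policy will not offer that version, so treat "refused" as a hint and rely on the ASV scan for the authoritative answer.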

Check Search Console

You can also check the Notifications in Google Search Console to find out if your website is compliant.

If one of your messages tells you that an "outdated version of TLS is being used on the site," then you know that you have some work to do.

Good news, though: Google will provide links that offer instructions about how to upgrade.

Wrapping It Up

Website security isn't just a "nice to have." It's absolutely essential in this Information Age. There are simply way too many high-tech thieves who will exploit any vulnerabilities that exist on your website.

If you haven't checked your server to ensure that it's compliant with the latest security standards, why not do so today?

Published on: Jan 3, 2018