
Foregenix Blog

Jake Dennys

Why an SSL certificate won’t protect your website, but FGX-Web will.

09/10/17 14:24

Having an SSL (Secure Sockets Layer) certificate on your website is important and it's also a good thing to have. The little green padlock in the corner of your browser indicates that your website is legitimate and that any data transmitted between the website and the website visitor will be encrypted. It also results in increased trust from consumers.

Despite this, most people misunderstand what protection the SSL certificate provides to a website and its visitors. Let me explain...

SSL is a system that encrypts a message between a sender and a receiver so that it cannot be read by a third party. It enables your website visitor to send their data securely to your web server, where it is received and processed. In order to utilise the security of this communication method, your website requires an SSL certificate. You can spot an SSL-secured website because the web address will begin with ‘https’ instead of ‘http’.

[Image: ‘http’ versus ‘https’ address bar comparison; image taken from Comodo]

The SSL certificate ensures that communication between your website visitor and your website is encrypted and secure.  This is hugely important, but what needs to be understood is that it only protects the data whilst it’s in transit.

So, what does this mean exactly?

When the customer is making a purchase using your online store, SSL encrypts the transaction data from the point where the customer types in their credit card details and hits ‘Submit’. When it reaches your web server, this information is decrypted and processed to complete the payment. If someone were to intercept the encrypted data in transit to the web server, they would not be able to use the data as it is encrypted.

When a customer types their card details into the payment page on your website, they can see the numbers and information being typed into the webpage. It's only once they press submit that it gets encrypted for its journey across the internet.


This means that if their PC has malware, someone could be harvesting the data they’re typing in. SSL does not protect them from keyloggers, viruses, trojans, worms or any other kind of malware that has infected their computer. Criminals can still siphon that card data from their PC regardless of the SSL certificate.

In a very similar manner, your website and your customer data are still vulnerable to criminals too. SSL does not provide any form of protection for your website beyond encrypting the transmission of data between your customer and your website. If your website only has SSL and no additional protection measures, you’re leaving it wide open to a targeted attack.

If your website has been hacked and credit card harvesting malware has been planted on your website, the criminals will be able to steal your customer data just as easily whether you have an SSL certificate or not.

Criminals have even found ways to create malicious websites and get them SSL secured with genuine certificates. The idea behind this is that visitors will be more likely to trust the website as a genuine site rather than seeing it for what it is - a malicious site.

Graham Edgecombe from Netcraft told SC Magazine:

"The tech industry has been telling users for years, if you want to enter credit card information on a website make sure it's got a padlock, make sure it's using SSL. But now anyone can go and get an SSL certificate for £5 or so, using minimal information, but it's verified.

All the certificate authorities (CA) will check is that you own the domain name, and that's it. Some of them don't even check that the domain may be misused. One of the rules imposed on certificate authorities is they have to give additional scrutiny to domain names that may be used for fraudulent purposes, but these rules are quite vague."

Whilst SSL encryption is important, it’s more important to take a holistic approach to your website security.

The actual act of securing a website can be a complex process. SSL does not stop attackers from hacking a website.  It will not stop an attacker from exploiting software vulnerabilities or brute forcing your access controls.

FGX-Web is a security solution that bakes-in security to protect websites. Unlike SSL, FGX-Web will actively search your website for indicators of compromise, including credit card harvesting code, webshells, backdoors and other malware and notify you of its presence.  

The solution provides protection and security monitoring to enable online businesses to defend against web based attacks. Alongside this protection it also provides a wealth of analytical information, allowing you access to clear risk profiling.


How will FGX-Web protect your website? Through FGX-Web you have access to:

An advanced web application firewall (WAF)

A WAF will filter attacks out of incoming traffic before they hit your website. It examines not only the source of the traffic, but its intention: it can determine whether the person is placing legitimate requests for web pages or attempting a hack. If an attempted hack is detected, the attack is blocked, whereas innocent traffic passes freely.

Malware scanning

Our malware scanner runs at minimum every day (it can be set by the user to run a lot more frequently) and is designed to search a website for all known forms of malware, including but not limited to:

  • Webshells
  • Credit card harvesting code
  • Backdoors
  • Spyware

Cardholder data scans

In addition to a malware scan, you also get access to a scan specifically designed to seek out stored, unprotected payment card data on your website. To reduce your risk of data compromise and to maintain PCI compliance, you cannot keep unprotected payment card data stored on your site. It might not always be the case that it’s been stored intentionally. Sometimes a customer may put their card information in an incorrect field, or malware is storing the data in a file somewhere for later collection by the criminal. Our scan will detect this data and notify you.
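To show what a cardholder data scan of this kind is actually looking for, here is an added example (my own illustration, not FGX-Web's code). It walks a web root, pulls out 13 to 19 digit runs, discards the ones that fail the Luhn checksum (order numbers and timestamps would otherwise flood the report), and returns each finding with the file, line and a masked PAN so the report does not become another copy of the card data. The web root, file names and log lines are constructed; the two card numbers are the well-known test numbers, not real cards.

```python
import re
import tempfile
from pathlib import Path

# A card number candidate: 13 to 19 digits, single spaces or dashes allowed
# between digits, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: weeds out order numbers, timestamps and other IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show at most the first six and last four digits (PCI DSS masking limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans_in_text(text: str):
    """Yield (line_number, masked_pan) for every Luhn-valid candidate in text."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                yield lineno, mask_pan(digits)


def scan_directory(root: Path, suffixes=(".log", ".txt", ".csv", ".php", ".html")) -> dict:
    """Return {relative_path: [(line, masked_pan), ...]} for files with findings."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if not (path.is_file() and path.suffix in suffixes):
            continue
        hits = list(find_pans_in_text(path.read_text(errors="replace")))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def run_demo() -> dict:
    """Constructed web root: one innocent order ID, one card number written to a
    debug log, and one cache file of the kind harvesting malware leaves behind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logs").mkdir()
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php echo 'Constructed shop'; ?>\n")
        (root / "logs" / "checkout.log").write_text(
            "2017-10-09 14:24:01 order 1234567890123 paid\n"                  # fails Luhn
            "2017-10-09 14:24:02 DEBUG card=4111 1111 1111 1111 exp=12/20\n"  # test PAN
        )
        (root / "uploads" / "cache_7f3a.txt").write_text(
            "5555555555554444|123|12/21\n"                                    # test PAN
        )
        return scan_directory(root)


if __name__ == "__main__":
    for path, hits in run_demo().items():
        for lineno, masked in hits:
            print(f"{path}:{lineno}: unprotected card data {masked}")
```

Two design points carry over to a real scan: the Luhn filter is what keeps the noise down, and the scanner itself should never write the full number anywhere (not even to its own log), since the finding is only useful if it does not add another place the data has to be cleaned up from.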

File change monitoring

Using our advanced file monitoring system, we are able to log any and all changes made to your website. If a change is made, we will alert you of the time, date and file location so that you can verify its legitimacy.
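The following is an added example of the file change monitoring idea, not FGX-Web's own implementation: a baseline of SHA-256 digests is taken for every file under the web root, and a later check reports which files were added, modified or removed, together with the time of the check, so each change can be verified against a known deployment. The web root, its files and the simulated changes are constructed; the assumption that the baseline file is kept outside the web root is mine.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads are not held in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(webroot: Path) -> dict:
    """Map every file under webroot (relative POSIX path) to its digest."""
    return {p.relative_to(webroot).as_posix(): hash_file(p)
            for p in sorted(webroot.rglob("*")) if p.is_file()}


def diff_baselines(old: dict, new: dict) -> dict:
    """Classify the differences between two snapshots."""
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(p for p in common if old[p] != new[p]),
    }


def check_webroot(webroot: Path, baseline_file: Path) -> dict:
    """Compare webroot against the stored baseline and return an alert record.

    The baseline file is kept outside the web root (an assumption of this
    example) so that a write into the web root cannot quietly rewrite the
    reference digests. On the first run the baseline is created and nothing
    is reported.
    """
    current = take_baseline(webroot)
    stamp = time.strftime("%Y-%m-%d %H:%M:%S")
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=1))
        return {"checked_at": stamp, "initial": True,
                "added": [], "removed": [], "modified": []}
    previous = json.loads(baseline_file.read_text())
    report = diff_baselines(previous, current)
    report.update(checked_at=stamp, initial=False)
    # Re-baseline so the next run reports only new changes. A production
    # monitor would do this only after an operator has confirmed the changes.
    baseline_file.write_text(json.dumps(current, indent=1))
    return report


def run_demo() -> dict:
    """Constructed web root: take a baseline, then simulate three kinds of change."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        webroot = tmp / "htdocs"
        (webroot / "includes").mkdir(parents=True)
        (webroot / "index.php").write_text("<?php include 'includes/config.php'; ?>\n")
        (webroot / "includes" / "config.php").write_text("<?php $db = 'shop'; ?>\n")
        (webroot / "README.txt").write_text("Constructed sample site\n")
        baseline_file = tmp / "monitoring" / "baseline.json"   # outside htdocs
        baseline_file.parent.mkdir()

        first = check_webroot(webroot, baseline_file)   # establishes the baseline
        if not first["initial"]:
            raise RuntimeError("expected the first run to create the baseline")

        # Simulated changes an operator would want to verify:
        with (webroot / "index.php").open("a") as fh:   # existing file edited
            fh.write("<!-- constructed edit -->\n")
        (webroot / "includes" / "cache.php").write_text("<?php /* constructed new file */ ?>\n")
        (webroot / "README.txt").unlink()               # file removed

        return check_webroot(webroot, baseline_file)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

The report only tells you that something changed, not whether the change was legitimate; the value comes from comparing it against what was actually deployed, which is why the alert carries the path and time of the check rather than just a count.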

Website Security Specialists to call for help

Our team of Threat Intelligence Analysts support our FGX-Web clients on a daily basis - helping to quickly manage threats and protect websites from attacks.  As an FGX-Web client, our team becomes your team.

As you can see, SSL protection is simply one of the important components of website protection. The importance of having proper, effective security in place for your website cannot be overstated. Hopefully, this article has given you a better idea of what you can do to improve your website's security measures.
