Foregenix Blog

Jake Dennys

Why an SSL certificate won’t protect your website, but FGX-Web will.

09/10/17 14:24

Having an SSL (Secure Sockets Layer) certificate on your website is important, and it is a good thing to have. The little green padlock in the corner of the browser indicates that your website holds a valid certificate and that any data transmitted between the website and the visitor will be encrypted. It also results in increased trust from consumers.

Despite this, most people misunderstand what protection an SSL certificate actually provides to a website and its visitors. Let me explain...

SSL is a system that encrypts a message between a sender and a receiver so that it cannot be read by a third party. It enables your website visitor to send their data securely to your web server, where it is received and processed. In order to use this secure communication method, your website requires an SSL certificate. You can spot an SSL-secured website because the web address begins with 'https' instead of 'http'.

[Image: 'http' versus 'https' in the browser address bar, taken from Comodo]

The SSL certificate ensures that communication between your website visitor and your website is encrypted and secure. This is hugely important, but what needs to be understood is that it only protects the data whilst it is in transit.

So, what does this mean exactly?

When a customer makes a purchase in your online store, SSL encrypts the transaction data from the point where the customer types in their credit card details and hits 'Submit'. When it reaches your web server, this information is decrypted and processed to complete the payment. If someone were to intercept the data in transit to the web server, they would not be able to use it, because it is encrypted.

When a customer types their card details into the payment page on your website, they can see the numbers and information being typed into the webpage in the clear. It is only once they press 'Submit' that the data is encrypted before it crosses the internet.


This means that if their PC has malware, someone could be harvesting the data as they type it in. SSL does not protect them from keyloggers, viruses, trojans, worms or any other kind of malware that has infected their computer. Criminals can still siphon that card data from their PC regardless of the SSL certificate.

In a very similar manner, your website and your customer data are still vulnerable to criminals. SSL does not provide any form of protection for your website beyond encrypting the transmission of data between your customer and your website. If your website only has SSL and no additional protection measures, you are leaving it wide open to a targeted attack.

If your website has been hacked and credit card harvesting malware has been planted on your website, the criminals will be able to steal your customer data just as easily whether you have an SSL certificate or not.

Criminals have even found ways to create malicious websites and get them SSL-secured with genuine certificates. The idea behind this is that visitors will be more likely to trust the website as a genuine site rather than seeing it for what it is: a malicious site.

Graham Edgecombe from Netcraft told SC Magazine:

"The tech industry has been telling users for years, if you want to enter credit card information on a website make sure it's got a padlock, make sure it's using SSL. But now anyone can go and get an SSL certificate for £5 or so, using minimal information, but it's verified.

All the certificate authorities (CA) will check is that you own the domain name, and that's it. Some of them don't even check that the domain may be misused. One of the rules imposed on certificate authorities is they have to give additional scrutiny to domain names that may be used for fraudulent purposes, but these rules are quite vague."

Whilst SSL encryption is important, it’s more important to take a holistic approach to your website security.

The actual act of securing a website can be a complex process. SSL does not stop attackers from hacking a website. It will not stop an attacker from exploiting software vulnerabilities or brute-forcing your access controls.

FGX-Web is a security solution that bakes security in to protect websites. Unlike SSL, FGX-Web will actively search your website for indicators of compromise, including credit card harvesting code, webshells, backdoors and other malware, and notify you of their presence.

The solution provides protection and security monitoring to enable online businesses to defend against web based attacks. Alongside this protection it also provides a wealth of analytical information, allowing you access to clear risk profiling.


How will FGX-Web protect your website? Through FGX-Web you have access to:

An advanced web application firewall (WAF)

A WAF filters attacks out of incoming traffic before they reach your website. It examines not only the source of the traffic but its intention: it can determine whether a request is a legitimate request for a web page or an attempted hack. If an attempted hack is detected, the request is blocked, while innocent traffic passes freely.

Malware scanning

Our malware scanner runs at least once a day (the user can set it to run much more frequently) and is designed to search a website for all known forms of malware, including but not limited to:

  • Webshells
  • Credit card harvesting code
  • Backdoors
  • Spyware

Cardholder data scans

In addition to a malware scan, you also get access to a scan specifically designed to seek out stored, unprotected payment card data on your website. To reduce your risk of data compromise and to maintain PCI compliance, you cannot keep unprotected payment card data stored on your site. The data has not always been stored intentionally. Sometimes a customer puts their card information in an incorrect field, or malware is storing the data in a file somewhere for later collection by the criminal. Our scan will detect this data and notify you.

File change monitoring

Using our advanced file monitoring system, we are able to log any and all changes made to your website. If a change is made, we will alert you of the time, date and file location so that you can verify its legitimacy.
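The core of file change monitoring is a hash baseline of the web root compared against a later snapshot. The following added example (our own illustration, not FGX-Web's implementation) builds such a baseline with SHA-256, classifies every difference as added, removed or modified, and emits one alert per change with the detection time and file location; `demo()` runs it against a small constructed web root in a temporary directory.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List

def snapshot(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root, '/' separators) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            baseline[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return baseline

def diff_snapshots(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every difference between two snapshots as added, removed or modified."""
    return {"added": sorted(p for p in new if p not in old),
            "removed": sorted(p for p in old if p not in new),
            "modified": sorted(p for p in new if p in old and new[p] != old[p])}

def alert_lines(changes: Dict[str, List[str]], root: str) -> List[str]:
    """One alert per change, carrying the detection time (UTC) and the file location."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return [f"{stamp} {kind.upper():8} {root}/{path}"
            for kind, paths in changes.items() for path in paths]

def write(root: str, rel: str, body: str, mode: str = "w") -> None:
    with open(os.path.join(root, *rel.split("/")), mode) as f:
        f.write(body)

def demo() -> Dict[str, List[str]]:
    """Constructed web root: take a baseline, simulate three changes, return the report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "checkout"))
        write(root, "index.php", "<?php echo 'home'; ?>")
        write(root, "checkout/payment.php", "<?php /* payment form */ ?>")
        write(root, "robots.txt", "User-agent: *\n")
        baseline = snapshot(root)
        # Simulated unauthorised changes: payment page edited, unknown file appears, robots.txt deleted.
        write(root, "checkout/payment.php", "\n// line not in the baseline", mode="a")
        write(root, "cache.php", "<?php /* file not in the baseline */ ?>")
        os.remove(os.path.join(root, "robots.txt"))
        changes = diff_snapshots(baseline, snapshot(root))
        for line in alert_lines(changes, root):
            print(line)
        return changes
```

A real deployment stores the baseline off the web server, since an attacker who can edit payment.php can also edit a baseline kept next to it.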

Website Security Specialists to call for help

Our team of Threat Intelligence Analysts support our FGX-Web clients on a daily basis - helping to quickly manage threats and protect websites from attacks.  As an FGX-Web client, our team becomes your team.

As you can see, SSL is simply one of the important components of website protection. The importance of having proper, effective security in place for your website cannot be overstated. Hopefully, this article has given you a better idea of what you can do to improve your website's security measures.
