SSL (technically, TLS) is important because it enables users to keep sensitive information sent across the Internet encrypted so that only the intended recipient can decrypt and understand it, as well as providing data integrity against tampering and forgery.
SSL certificates help facilitate this encrypted connection, and while this practice isn’t new, it’s overwhelming how many service providers still aren’t up to scratch! As you might expect banking websites have been using SSL for years, but worryingly more often than not, they’re not as well setup as perhaps they should be!
Having poked about I’ve discovered that a couple of well known banks have worryingly low SSLLab scores.
Expensive doesn’t necessarily equal better when it comes to SSL. How the SSL is configured is far more important than price: often the varying costs relate to how much the insurance payout is if the certificate authority loses its secrets or incorrectly issues a certificate.
Getting a site up to A+ rating can be done by following one of the many straight forward guides online and can be done by anyone who’s happy configuring servers. Sysadmin teams for global banks shouldn’t be having issues here! For tips on how to get strong SSL encryption be sure to check out this great post on getting an A+ for Qualy’s SSL Test by Scott Helme, or for the lazy, or those using Ansible use this Nginx config file.
While groups have been campaigning to use SSL as standard for several years, only recently have services such as Let’s Encrypt made this a frictionless joy. Let’s Encrypt is a new Certificate Authority that sells itself as free, automated, and open. Developed by the Internet Security Research Group the service means securing your site is free and simple – so if cost and complexity were your excuses, find new ones!
We’ve started using Let’s Encrypt certificates in some of our production APIs and so far it’s working out really well!
Not only is Let’s Encrypt awesomely free, but it also allows you to automate the renewal process. This means you don’t need yearly reminders to shop around and renew certificates. This automation also allows new virtual machines to be spun up programmatically—with valid certificates—without having to manage the distribution of secret keys.
If you’ve been putting off switching servers to SSL then hold off no more: as of earlier this year, Let’s Encrypt is out of beta and gets two big thumbs up from us.