If the UK economy is so far shaking off nervousness following the vote for Brexit, it is at least partly down to online shopping. The recent 14-year high in annual retail sales growth reported by the Office for National Statistics (ONS) is supported by average weekly spending online of £1bn in October, up more than a quarter on the same month last year.
That spending relies on consumer confidence, and not only confidence in the economic outlook. It is important that shoppers feel that transactions are secure. That is why SSL (Secure Sockets Layer) technology and its successor, TLS (Transport Layer Security), were invented. By encrypting sensitive data such as payment card details in transit between web browsers and servers, SSL/TLS is designed to make online shopping safe.
In practice, the system works by using SSL certificates issued to ecommerce businesses by third-party certificate authorities (CAs) such as Comodo and Symantec. A certificate verifies ownership of the website for which it is issued and binds that identity to the public key the browser uses to set up the encrypted session; the certificate itself does not encrypt anything, the TLS session does. If online shopping is to continue to grow, this system of certification, and crucially the way businesses manage their certificates, is only going to become more important.
A renewed focus
There are two principal reasons for this. The first is the growing range of risks both consumers and businesses are susceptible to today, reflecting the general expansion of cyber crime.
Long gone are the days when the greatest danger to businesses was a profiteer registering a domain name containing the company’s name in the hope of extracting payment from the brand owner. Risks now range from attackers stealing or fraudulently obtaining SSL certificates to impersonate a business’s website, to weak encryption settings, or expired certificates that train customers to click through browser warnings, enabling criminals on a shared wireless network to intercept traffic. The scale of the attacks can be significant. In 2014, for example, it was reported that Russian criminals had used an SSL/TLS certificate belonging to a top five global bank to steal 80 million customer records.
Failure to ensure robust SSL certification opens customers up to theft and fraud, and exposes retail businesses to substantial regulatory, reputational and financial risks of their own.
The second reason businesses are under increasing pressure to take SSL security seriously, however, is simply that the Internet’s gatekeepers – browsers and search engines – increasingly do so.
Consumer education is essential to bolster online security, and some efforts have been made in the form of mainstream browsers adding visual cues to indicate HTTPS connections in addition to the “https” (as opposed to the usual “http”) prefix in the web address. The most common, of course, are the well-known small padlock image and the green address bar.
The introduction of this has already had a significant impact on consumers. In a recent survey of close to 2,000 UK and US Internet users by international payments service provider Computop, more than seven out of ten respondents said that they checked ecommerce sites were protected by SSL. Many of the remainder who said that they do not proactively check are nevertheless likely to be among the 90 per cent in another survey who say they abandon a transaction when warned of an expired or misconfigured SSL certificate.
The importance consumers attach to SSL certificates is likely to grow as the big browser companies look at ways to enhance awareness. Google, whose search engine already treats HTTPS as a ranking signal in favour of secured sites, is due to overhaul the security indicators in Chrome, the world’s most widely-used web browser. From January 2017, pages served over plain HTTP that collect passwords or credit card details will be explicitly labelled “Not secure” in the address bar.
“Chrome currently indicates HTTP connections with a neutral indicator. This doesn’t reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you,” the company explained in a statement in September.
Over time, the company plans to label all HTTP pages as not secure and to change the security indicator for them to the red triangle currently used for broken HTTPS pages.
A digital asset
Despite the growing importance browsers and consumers attach to certificates, however, significant evidence suggests that they are poorly managed by even (and perhaps especially) the biggest businesses. Several internet giants, search engines among them, have let a website certificate expire at some point in the past.
Many sites are left in this state despite the fact that an expired SSL certificate increases the risk of a security breach. Browsers treat an expired certificate as invalid and warn the customer; a customer who clicks through has no assurance that the server still controls the private key the certificate was issued for. The issuing CA, for its part, only maintains revocation status for a certificate during its validity period, so if the key has been compromised or is in other ways no longer safe after expiry, neither the customer nor the retailer will learn of it through the browser.
In part, these lapses are simply due to the growing number of keys and certificates, of which SSL certificates are a major but not the sole component. Companies must manage these not just for web servers but also for network appliances and cloud services, for example. SSL/TLS itself is used for securing web browser sessions, but also for email servers and other tasks. According to a report published by The Ponemon Institute last year, the average enterprise now uses around 24,000 keys and certificates.
The increasing importance of such certificates to the smooth and safe running of the business simply strengthens the case that they should be carefully managed, however. Yet, to take another statistic from the Ponemon Institute, 54% of IT security professionals admit they do not know where all their organisation’s keys and certificates are located. As the report noted, this “means they don’t know how they’re being used or what should be trusted”.
This is not so much an IT challenge as an administrative one. As a first step, retailers simply need to know what SSL certificates they own, where they are held, how the private keys are secured, and when each certificate must be renewed. As the maximum validity period for which SSL certificates are issued has shortened, this has become more challenging, but it is not impossible.
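The inventory step above, and the expiry risk described earlier, can be reduced to a small script. The following is an added example written for this article, not tooling from CSC or from the author; it assumes a constructed inventory of hostnames, where each private key is held, and the certificate's notAfter date in the format Python's ssl module reports, plus an assumed 30-day renewal window. The live-lookup helper connects to a real host and is included for practitioners to run on their own estate; the offline report runs on the constructed sample.

```python
"""Minimal TLS certificate inventory with expiry checks.

Added example, not the article's or CSC's own tooling. Assumptions (not from
the article): inventory records are dicts with the hostname, where the private
key is held, and the certificate's notAfter string in the format Python's ssl
module returns ('Jun  1 12:00:00 2025 GMT'); 30 days is an assumed renewal window.
"""
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed policy: renew anything expiring within this window


def fetch_not_after(host, port=443, timeout=5.0):
    """Connect to a live host and return its leaf certificate's notAfter string.

    The default context verifies the chain and hostname, so an expired or
    untrusted certificate raises ssl.SSLCertVerificationError instead of being
    silently accepted. Needs network access, so the offline report below does
    not call it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_until_expiry(not_after, now):
    """Whole days (negative if already expired) from `now` to a notAfter string."""
    expires = ssl.cert_time_to_seconds(not_after)  # parsed as UTC
    return int((expires - now.timestamp()) // 86400)


def classify(days_left, warn_days=WARN_DAYS):
    """Bucket a certificate by urgency."""
    if days_left < 0:
        return "EXPIRED"
    if days_left <= warn_days:
        return "RENEW_SOON"
    return "OK"


def inventory_report(records, now, warn_days=WARN_DAYS):
    """Annotate each record with days_left and status, most urgent first."""
    report = []
    for rec in records:
        days_left = days_until_expiry(rec["not_after"], now)
        report.append({**rec, "days_left": days_left,
                       "status": classify(days_left, warn_days)})
    report.sort(key=lambda r: r["days_left"])
    return report


# Constructed sample inventory: fictional hosts, not real certificates.
SAMPLE_INVENTORY = [
    {"host": "shop.example", "held_at": "edge load balancer",
     "not_after": "Mar  1 00:00:00 2017 GMT"},
    {"host": "mail.example", "held_at": "on-prem mail gateway",
     "not_after": "Nov 20 12:00:00 2016 GMT"},
    {"host": "api.example", "held_at": "cloud key vault",
     "not_after": "Dec 10 00:00:00 2016 GMT"},
]
# Fixed "now" so the report is reproducible; use datetime.now(timezone.utc) in practice.
SAMPLE_NOW = datetime(2016, 11, 25, tzinfo=timezone.utc)

if __name__ == "__main__":
    for row in inventory_report(SAMPLE_INVENTORY, SAMPLE_NOW):
        print(f"{row['status']:<10} {row['days_left']:>5}d  "
              f"{row['host']}  (key held at: {row['held_at']})")
```

Run as-is, the script lists the mail gateway certificate as already expired, the API certificate as due for renewal within the window, and the storefront certificate as fine. Replacing the notAfter strings with the output of `fetch_not_after` for each real host turns the same report into a live check; note that the live helper deliberately refuses expired certificates, so an expired host shows up as a verification error rather than a date, which is the behaviour a customer's browser will exhibit too.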
Ecommerce businesses already track their physical assets; IT departments keep records of the serial numbers of company-issued laptops and finance will even track them for depreciation. Intangible assets, such as intellectual property, are also carefully monitored and protected. For those reliant on the internet for a significant part of their revenue, SSL certificates are key digital assets and deserve the same treatment. In short, retailers need to take SSL seriously, because their customers, as well as the criminals who target them, already do.
Mark Flegg is global product director of domains and security at CSC