Imagine locking the front door of your home but leaving the back door wide open. That is essentially what happens when a website uses intermittent SSL, protecting only certain pages such as logins and transactions. Some companies believe that applying SSL to a few areas of their site protects them against data theft and hacking, but in reality they leave the rest of the site completely exposed and vulnerable to attack.
Get Higher Search Rankings In Google
One major endorsement of enabling always on SSL came from Google on August 6th, 2014 via its online security blog. The plan is to give more weight (better search ranking results) to websites that are fully HTTPS encrypted.
The reason is simple, according to Google webmaster trends analysts Zineb Ait Bahajji and Gary Illyes: “We’d like to encourage all web site owners to switch from HTTP to HTTPS to keep everyone safe on the web. A big part of that is making sure that web sites people access from Google are secure.” Their message couldn’t have been clearer: “We hope to see more web sites using HTTPS in the future.” The aim is to encourage websites to improve the way they protect themselves, and to fully protect data in transit across the internet.
Protecting the Entire User Experience
Enabling always on SSL is a fundamental, cost-effective security measure that provides end-to-end protection for website visitors. It is not a product, service, or replacement for your existing SSL Certificate, but rather an approach to security that recognizes the need to protect the entirety of a user’s session, not just the login screen. Always On SSL starts with the site-wide use of HTTPS, but it also means setting the secure flag for all session cookies to prevent their contents from being sent over unencrypted HTTP connections. Additional measures, such as Extended Validation (EV) and HSTS, can further strengthen your infrastructure against man-in-the-middle attacks.
Set The Secure Flag For All Session Cookies
A session cookie can be set with an optional Secure attribute (the “secure” flag), which tells the browser to send the cookie back to the origin server only over HTTPS. The Secure attribute should be considered security advice from the server to the user agent, indicating that it is in the session's interest to protect the cookie contents. This measure prevents the cookie from being sent over plain HTTP, even if the user accidentally makes (or is tricked into making) a browser request to the web server via HTTP.
Enhance Security & Trust With Extended Validation (EV) Certificates
For stronger protection, we recommend that websites consider deploying Extended Validation (EV) SSL Certificates. EV-secured sites undergo a rigorous verification process established by the CA/Browser Forum, a collaboration of more than 30 leading certification authorities and browser software vendors.
This verification process confirms the identity and existence of the website operator using reliable third-party sources. Users visiting a website secured with an EV SSL Certificate see a green bar and the organization's name in the URL bar, providing visual reassurance of the website operator's identity.
Implement HSTS To Prevent Active Attacks
HTTPS connections are often initiated when visitors are redirected from an HTTP page or when they click on a link (such as a login button) that directs them to an HTTPS site. However, it is possible to launch a man-in-the-middle attack during this transition from an unsecured connection to a secure one, either passively or by tricking a victim into clicking an HTTP link to a legitimate website (via a phishing email, for example).
The strongest defence against these types of attacks is to implement HTTP Strict Transport Security (HSTS) for your website. This specification defines a way for websites to declare themselves accessible only via secure connections, and/or for users to be able to interact with given sites only over secure connections.
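As an added illustration (not code from the original post), the following Python audit checks a server's response headers for the two measures described above: a Strict-Transport-Security header with a sufficient max-age, and the Secure flag on every cookie the server sets. The one-year max-age threshold and the sample responses are constructed assumptions.

```python
# Added example: audit response headers for the measures in this post
# (HSTS with a sufficient max-age, Secure flag on every cookie).
MIN_HSTS_MAX_AGE = 31536000  # one year in seconds; assumed policy value

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security
    value, or None if it is malformed or lacks the mandatory max-age."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def audit_headers(headers):
    """Check (name, value) response headers; return a list of findings
    (an empty list means both measures are in place)."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    else:
        parsed = parse_hsts(hsts[0])
        if parsed is None:
            findings.append("malformed Strict-Transport-Security header")
        elif parsed[0] < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {parsed[0]} is below {MIN_HSTS_MAX_AGE}")
    for n, v in headers:
        if n.lower() == "set-cookie":
            parts = v.split(";")
            cookie_name = parts[0].partition("=")[0].strip()
            attrs = {p.strip().lower() for p in parts[1:]}
            if "secure" not in attrs:
                findings.append(f"cookie '{cookie_name}' lacks the Secure flag")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = [("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly")]
HARDENED_RESPONSE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly; Secure"),
]
```

Running `audit_headers(WEAK_RESPONSE)` reports both the missing HSTS header and the unprotected session cookie, while `audit_headers(HARDENED_RESPONSE)` returns an empty list.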