SSL certificates are quickly becoming the fabric of the new web. They help ensure that the web has a base level of privacy and integrity, while ensuring that information is transferred from point A to point B securely. They are one of the core tenets of security for any modern website.
As we, as an industry, march towards 100% HTTPS adoption, we turn our focus to some of the new challenges we can anticipate. From my perspective, the one very blatant issue is going to come in the form of certificate management.
Unlike Hypertext Transfer Protocol (HTTP), HTTPS is not a default configuration in most of today’s web servers. What this means is that the responsibility falls on the everyday website owner to manage and maintain their certificate through its entire lifecycle.
Why is SSL certificate management important?
A perfect example of the impacts of poor certificate management can be found in this past week’s reporting on the state of US Federal websites that are now inaccessible because of expired certificates.
For those unaware, the US Federal government is currently shut down. This means that only essential workers are available, and all non-essential workers are on furlough. The impacts of this have been felt across the entire federal government and have affected network and system administrators across multiple agencies.
This has led to the certificates on websites of the U.S. Department of Justice, NASA, and the Court of Appeals expiring, a result of some 80 SSL certificates expiring on .gov domains:
The above image is what online visitors are presented with when a certificate expires. It highlights the fact that the connection is no longer private. When the user clicks on Advanced, they are presented with the following message:
“ows2.usdoj.gov normally uses encryption to protect your information. When Google Chrome tried to connect to ows2.usdoj.gov this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be ows2.usdoj.gov, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.”
The message is designed to deter the user from proceeding and, depending on your browser (Chrome in this example), the user cannot access the website.
For an organization like the US Federal government, the impact will be minimal. These websites are traditionally informational in nature, designed to educate and inform their visitors. They don’t depend on web traffic.
The same cannot be said for the small businesses we service. The impact on these small businesses can be exponential, resulting in negative economics (e.g., no sales) and lost trust with your online subscribers and shoppers.
It takes a long time to build a relationship with our audience, but a heartbeat to lose that same relationship.
Tackling certificate management for the small business
Certificate management is not a new concept; it’s been around for a long time within enterprise ecosystems. Large organizations invest heavily in certificate management, ensuring that critical external and internal systems never have certificates fail.
The US government is no different, and yet their current certificate issues amplify the importance, and challenges, associated with certificate management.
This, though, has not always made its way to the everyday website owner.
Over the past 12 months we have been conceptualizing a new service at GoDaddy known as Managed HTTPS (a.k.a. Easy SSL). This is a productized, white-glove service designed to help streamline the deployment, configuration and management of a website’s SSL certificates.
The service is designed to offer the following:
- Issue a certificate
- Deploy it on your server
- Configure the application (e.g., WordPress, Magento) to make use of the SSL certificate
- Continuously monitor the certificate to make sure there are no issues
- Ensure it is always renewed and never expires by accident
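The monitoring and renewal steps above come down to tracking each certificate's notAfter date and acting before it passes. The following Python is an added example, not GoDaddy's code or part of the original post; the hostnames, dates and the 30-day renewal window are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WITHIN_DAYS = 30  # assumed renewal window, not a value from the article

# Constructed sample in getpeercert() shape; hostnames and dates are made up.
SAMPLE = {
    "shop.example": {"notAfter": "Jan  5 12:00:00 2019 GMT"},
    "blog.example": {"notAfter": "Feb  1 12:00:00 2019 GMT"},
    "api.example": {"notAfter": "Nov 20 12:00:00 2019 GMT"},
}
NOW = datetime(2019, 1, 15, tzinfo=timezone.utc)


def classify(cert, now):
    """Return 'expired', 'renew' or 'ok' from the certificate's notAfter."""
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    left = not_after - now
    if left.total_seconds() <= 0:
        return "expired"
    return "renew" if left.days < RENEW_WITHIN_DAYS else "ok"


def report(inventory, now):
    """List (name, state) pairs with the most urgent certificates first."""
    order = {"expired": 0, "renew": 1, "ok": 2}
    rows = [(name, classify(cert, now)) for name, cert in inventory.items()]
    return sorted(rows, key=lambda row: (order[row[1]], row[0]))


def check_host(host, port=443, now=None):
    """Check a live site. A verifying client rejects an expired certificate
    during the handshake, so that case arrives as an exception, not a date."""
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert(), now)
    except ssl.SSLCertVerificationError as err:
        # Same condition that makes browsers show the warning page.
        return "invalid: " + err.verify_message


if __name__ == "__main__":
    for name, state in report(SAMPLE, NOW):
        print(f"{state:8} {name}")
```

Run `report` on a schedule against the full certificate inventory and alert on anything not `ok`; `check_host` confirms what visitors actually receive after a renewal is deployed.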
The service brings certificate management to the masses and offers website owners an “easy” button when it comes to their SSL certificates. Through this service, our customers no longer have to take on the ownership of ensuring HTTPS is functioning correctly, which takes us one step closer to making security seamless and transparent.
In short, the service is designed to ensure that your sites never suffer the same fate as that of the US Federal government.