The current standard for websites is that eCommerce sites are expected to obtain an SSL (Secure Sockets Layer) certificate, indicated by ‘https’ and a padlock in the browser’s address bar. These certificates are usually applied only to the payment or login section of a site. However, leading organisations such as Twitter are calling for all website owners to adopt a new standard.


Figure above: Leading organisations such as Twitter are calling for new security and privacy standards for all websites.

Technology is evolving at a rapid pace, and the tools for unravelling and analysing information have never been more abundant. What was once seemingly unidentifiable information can now be whittled down to a single individual. The growing accuracy of Big Data analysis, together with a string of website security breaches, is making people increasingly wary of the information they send over the World Wide Web, particularly credit card information. “People are definitely more conscious of their security and privacy online,” commented Kareem Tawansi, CEO of software development provider, Solentive Software.

The current security standard is that website owners protect website pages that receive credit card information. However, leading organisations such as Twitter are urging all website owners to put security measures in place to protect user privacy, including the addition of an advanced layer of protection known as ‘forward secrecy’.

Forward secrecy limits what an attacker can gain if they happen to crack or steal a key. Under traditional HTTPS, an attacker who has managed to steal the key behind a session could use it to decrypt that entire session. Forward secrecy instead creates a fresh, individual key each time a new session is opened, so no single stolen key can serve as a master key for other sessions.
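As an added illustration (not code from the article or from Solentive Software), the following Python simulates the difference: with a static server key, an attacker who records a session and later steals that key recovers the session key, whereas with a per-session ephemeral key the same theft yields nothing. The Diffie-Hellman parameters are toy values constructed for the example, not a real TLS group.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only.
# Real TLS uses standardised 2048-bit+ groups or elliptic curves; a
# 127-bit modulus is far too small for real use.
P = 2**127 - 1  # the Mersenne prime M127, used as the DH modulus
G = 3           # generator


def keypair():
    """Return (private, public) with public = G^private mod P."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(my_priv, their_pub):
    """Derive a symmetric session key from a DH shared secret."""
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()


def run_session(forward_secret):
    """Simulate one HTTPS session and a later key compromise.

    Returns (session_key, attacker_key): the key the client and server
    agreed on, and the key recovered by an attacker who recorded the whole
    handshake and later steals the server's long-term private key.
    """
    server_priv, server_pub = keypair()  # long-term key behind the certificate
    client_priv, client_pub = keypair()  # client's fresh value for this session
    if forward_secret:
        # Ephemeral DH: the server also picks a one-off key pair for this
        # session and discards the private half when the session ends.
        eph_priv, eph_pub = keypair()
        session = session_key(eph_priv, client_pub)
        assert session == session_key(client_priv, eph_pub)
        del eph_priv  # gone; only server_pub, eph_pub, client_pub were on the wire
        # The stolen long-term key was never used to derive the secret, so
        # the best the attacker can do is combine it with recorded publics.
        attacker = session_key(server_priv, client_pub)
    else:
        # Static key agreement: the server's long-term key derives every
        # session's secret, so whoever steals it decrypts every recording.
        session = session_key(server_priv, client_pub)
        assert session == session_key(client_priv, server_pub)
        attacker = session_key(server_priv, client_pub)
    return session, attacker
```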

“Website owners have the responsibility to protect the information provided to them on their websites. Organisations need to consider the ramifications of what would happen if the information ended up in the public domain, particularly any website that sends or receives sensitive information. This is a good test to determine the importance of implementing security measures to prevent this from happening,” advised Tawansi.

“Data has become a commodity over recent years. People have become increasingly weary of how they handle their personal information and how they manage their privacy,” commented Craig Moore, Lead Architect at Solentive Software.

“Any website that requires a password or any website where sensitive information is entered, should be protected with an SSL certificate. If there is no SSL certificate, the data that is sent and received is not encrypted. This means if a ‘man-in-the-middle’ attack occurs during transmission, the information stolen will be in plain text and this could be valuable information.

“Some people may think that the information contained in their accounts is not important data, however there are chances that the password used is the user’s standard password. Once an attacker gains access to this, they could potentially use it to login to other accounts with highly sensitive information. Even browsing a website can reveal personal information about a user, such as when they will be away from their home if they’re looking at accommodation. This information can be used to build a profile or even used to gain unauthorised access,” continued Moore.

Why then, are most websites not hosted over https? “In the past, hosting an entire website over https would slow it down. However, these days, computers are faster and people are well-connected over the internet. The effect on the website’s performance is negligible so there is no reason why hosting an entire website over https should not become the industry standard,” noted Moore.

“As for forward secrecy, I wouldn’t recommend it for all sites at the moment but I strongly recommend it for sites with extremely sensitive content or sites that store a large amount of private or personal data including banking or financial sites,” offered Moore.

Other measures organisations can take to protect user privacy and security include:

    • Ensure that there are no old webpages that hackers can exploit to gain access
    • Manage data correctly and ensure that it is secure in the back-end
    • Encourage users to use complex passwords with a combination of numbers, upper and lower case letters, and special characters

People are constantly connected to information via the internet and continuously see news stories about security and privacy breaches. They are more aware of what could happen to their information, and many non-technical users, particularly Generation Y, have learned to look for the padlock when entering credit card details. As users become more educated, they will start to expect a certain level of protection when browsing websites. Users gain confidence in a site’s credibility when they know it has been verified by an authority, and this will no doubt become the new industry standard.