Be secure – use HTTPS

2018 is the year we should say goodbye to an unencrypted web

While several years ago the term “encryption” was mostly associated with banking and other high-security enterprises, there is now an urgency to modernise the Internet to be encrypted by default. Encryption is no longer a fancy and expensive addition to a website; you should take up this trend and get rid of insecure legacy systems. Web browsers are campaigning against an unencrypted web, so HTTPS will be mandatory a few years from now. Don’t hesitate: get ahead of your competition and protect your business – not only customer portals, but all of your websites.

The benefits

Confidence. Your data is secure during transit – it is not possible to eavesdrop and steal your secrets. While this is essential for login and registration forms, especially with the incoming GDPR, you would not want your Quote Request Form contents leaked to a criminal, would you? Or someone to intercept the traffic and change its contents? As practice shows, this applies not only to so-called hackers; even respectable ISPs can go as far as to inject ads into users’ unencrypted traffic:
https://www.infoworld.com/article/2925839/net-neutrality/code-injection-new-low-isps.html

You should definitely want your users to see only your approved content, so make sure they see the green padlock.

Performance. Many years have passed since SSL incurred a heavy CPU load on web servers and was therefore avoided as too costly on a large scale. These apparent savings actually did a lot of harm to many worldwide companies, because passwords are not the only things that are secret. The opportunity to steal authentication secrets peaked when FireSheep appeared. It was a relatively simple browser add-on that allowed inexperienced users to ‘hack’ their neighbors’ Facebook and Twitter accounts:
https://www.computerworld.com/article/2469683/endpoint-security/firesheep-addon-allows-the-clueless-to-hack-facebook–twitter-over-wi-fi.html
On that day large enterprises said ‘enough’ – SSL is mandatory, everywhere, always.
From this movement, many improvements to web protocols were born, most importantly HTTP/2, a solution that actually allowed encrypted websites to be delivered faster than unencrypted ones – and thus cheaper. See for yourself at https://www.httpvshttps.com/

SEO. Always wondering how to jump a few positions higher in the search results? SSL will help, as the main search engines already promote encrypted websites. Install the certificate and you will kill two birds with one stone:
https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

The troubles

Just installing the certificate may not be enough. Remember, security is a process, not a product; it constantly changes. You should update your software frequently and keep an eye out for recent developments in the SSL area, as numerous issues in the past years have forced updates to the protocol. BEAST, BREACH, CRIME, FREAK, Heartbleed, Logjam – to name just the better-known ones. So be sure to use validation tools to check frequently that everything is as good as it can be. The best one we can recommend is https://www.ssllabs.com/ssltest/

Common configuration issues to watch for:

  • Insecure TLS Renegotiation – a back door to lower your security
  • RC4 cipher and the old SSL 2.0/3.0 protocols – these no longer provide a sufficient level of encryption
  • Self-signed certificate, often installed ‘just for testing’ and then forgotten
  • Expired certificate – this is quite common, as time passes unexpectedly fast
  • Mixed content on the website – talk to your developer about this
  • Soon, the TLS 1.0 protocol will also be considered insecure
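
A small self-check for four of the items above (old protocol, RC4, self-signed and expired or soon-to-expire certificate), given as an added example that is not part of the original article or of XTRF's tooling. The function names, the 30-day warning threshold and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}  # the protocols named in the list above
WARN_DAYS = 30                                # assumed renewal warning threshold

def audit(cert, protocol, cipher_name, now=None):
    """Return findings for one TLS connection.
    cert: dict as returned by ssl.SSLSocket.getpeercert()
    protocol: ssl.SSLSocket.version(); cipher_name: ssl.SSLSocket.cipher()[0]
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    if protocol in WEAK_PROTOCOLS:
        findings.append(f"weak protocol: {protocol}")
    if "RC4" in cipher_name.upper():
        findings.append(f"RC4 cipher: {cipher_name}")
    # Subject equal to issuer means the certificate vouches for itself.
    if cert.get("subject") and cert.get("subject") == cert.get("issuer"):
        findings.append("self-signed certificate")
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left < WARN_DAYS:
        findings.append(f"certificate expires in {days_left} days")
    return findings

def probe(host, port=443):
    """Live check. A default client context refuses untrusted or expired
    certificates during the handshake, which is reported as a finding."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return audit(tls.getpeercert(), tls.version(), tls.cipher()[0])
    except ssl.SSLError as exc:
        return [f"handshake refused: {exc.reason}"]

# Constructed sample: a forgotten self-signed test certificate.
SAMPLE_NAME = ((("commonName", "test.example"),),)
SAMPLE_CERT = {"subject": SAMPLE_NAME, "issuer": SAMPLE_NAME,
               "notAfter": "Jan  1 00:00:00 2018 GMT"}
SAMPLE_NOW = datetime(2018, 1, 11, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CERT, "TLSv1", "RC4-SHA", SAMPLE_NOW):
        print(finding)
```

Insecure renegotiation and mixed content are not covered by this check; the SSL Labs test recommended above reports the former, and the latter has to be found in the site's own pages.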

And remember – the attacker will always be a motivated and resourceful person. No attacks happen by accident; most are the result of willful ill intent against you personally or against the Internet in general, so no one should feel safe from them. It’s like backups – you are not aware how important they are until you desperately need one.

Our solution

From the day we started our onCloud offering, HTTPS was the only option.
https://www.ssllabs.com/ssltest/analyze.html?d=demo.s.xtrf.eu

We believe that by following security recommendations, we are a trusted partner to your business. As the requirements grew, we deprecated TLS 1.0 on our hosting (https://xtrf.userecho.com/knowledge-bases/6/articles/952-tls-10-deprecation) and the HTTP endpoint in our product when deployed on-premises (https://xtrf.userecho.com/communities/4/topics/544-discontinued-features-in-xtrf-7).

Using hosted XTRF, you can forget about all the difficulties and just focus on the benefits. Our administrators are here to take care of it.

Whether you’re on a company network or hostile public wireless network – with us your translation business will perform uninterrupted.

Marcin Jakubowski
Maintenance Manager
Working at XTRF for 10 years, the architect of the onCloud service, sysadmin, security expert and problem solver.
Privately a wine enthusiast.
XTRF
