Is SSL enough for your security?

Can HTTPS be secured with SSL?

One of the most commonly asked questions about HTTPS on websites is can we use it to secure our servers?

We know that HTTPS will not protect you from a Man-in-the-Middle attack, and you can only trust what you see coming in via your browser. However, if your website is accessed by someone else's browser - your visitors could just as easily read whatever is coming back to them from the server as what you do. You could put in a secret message in your web page, but then it would not be visible in the browser.

Most websites today use HTTPS to send the content of the page back to the user. It looks like this: The site is secure

The site is secure

. As you can see, the site is secure and the browser displays a green padlock. However, if someone else's browser comes to the same site, they will also see the green padlock and think everything is okay, even if it is not.

So let's take a look at what an attacker would see. The attacker is probably using a malicious browser, or a tool such as Fiddler, Burp, etc.

In this case, the hacker has set up his own SSL certificate, which means that it does not work with the real web server. This is what a standard SSL connection looks like: When connecting to the SSL server, the hacker is still using a normal browser, but it looks like this: So in order to see the green padlock, the attacker has to add the fake web server's certificate to his list of trusted certificates. An attacker can do this very quickly with a number of tools, and in a few seconds you will get the green padlock. However, what happens when you visit your website on another browser? You will not get the green padlock. If you click on the green padlock, you will get an error, as shown below:

What happens next is that the browser tells the web server that you do not trust it, and this can have serious consequences for your website. It is possible to make your website use HTTPS but forgo SSL encryption.

Is SSL enough for your security?

In the last month, there have been at least 3 reports of fraudulent website owners abusing the SSL Certificate scam.

In all cases, the site was listed as Secure on the browser and SSL Certificates were valid. The problem was that the site had been served content from an IP address that is located in Russia or China and therefore is not eligible for an SSL Certificate.

In fact, only .COM and .ORG domains are eligible for SSL Certificates in the US. I don't know if other countries have similar restrictions.

How does this happen? Usually, it happens because a third-party reseller who is willing to cut corners will sell a bunch of certificates at a discount and the fraudulent website owner purchases them, thinking they will get the cheapest price possible. The reseller does not want to verify the validity of the domain name for the reseller/seller is not responsible for the certificates.

If you do the same thing, it will be really easy to get caught. When you get the certificates, it is easy to download the information on the domain, then go to and click the Whois Lookup button. From there, you can click the link in the text box at the bottom of the page to pull up the domain's certificate details.

And I don't mean the cheap ones. The problem is that a few of them will be flagged with red text that will say something like this domain is ineligible for a certificate. I've had to take a few back when people did this and they don't even know why.

To make sure you're getting a certificate that is valid, you need to contact the domain's registrar and find out if the domain has any restrictions that will prevent you from getting an SSL Certificate. You also want to verify the domain's WHOIS records before purchasing the certificate, just in case the seller tries to mislead you.

Does SSL make your website secure?

No.

Your website, and every web page on it, is encrypted as soon as the web browser connects to the web server. SSL encryption is a process that encrypts data (like letters) from being read by people who aren't supposed to read it, such as other computers or people in transit (say, for example, between the bank website and your web browser). It's meant to be used when you send information between your website and other servers, such as when you visit a bank website, or when you click on a Google search result that sends the results back to your browser. It encrypts the traffic in a way that makes it harder to look at the data, since it looks like gibberish. However, even with SSL encryption, it's still possible for a hacker to look at the content of any of the data that was sent from your website to the server, if they have access to the server.

But even if your website isn't behind an SSL-enabled site, you can make your web pages safer by using HTML tags that don't pass on cookies unless the cookie is marked as secure. You can mark a cookie as secure by adding https:// to the URL of the page that the cookie comes from. By default, cookies are not marked as secure.

How can I get a lock on my house? You don't need a padlock or a key to put a lock on your house. Locks are meant to keep other people from being able to steal your property. The locks and keys only provide security for your property. If your house is being sold, or if your property is not on the market, you don't need to worry about locks.

However, if you're selling your home, or if you want to lock up a garage or storage unit, then it's a good idea to use a lock on your property. Locks are useful because they prevent people from stealing your possessions. But if your car or your laptop gets stolen, you will have lost a lock, a set of keys, and a couple of bucks. Locks are very expensive, so if you lock your car or your home, you'll want to buy a good one that will last.

Related Answers