It is much easier to create a website today than it was 10 or 15 years ago. Content management systems (CMS), website builders, static site generators, and other similar tools reduce the amount of friction involved in creating and maintaining websites. Is there, however, a cost to such convenience?
One of the drawbacks of providing such services to the masses, in my opinion, is the formation of misconceptions. The most common misunderstanding concerns what distinguishes a secure website from one that is not. Websites that do not use SSL certificates, for example, have been marked “Not Secure” in the address bar since the release of Google Chrome version 68.
A website with an SSL certificate, on the other hand, is not always a “secure” website. SSL encrypts data between the visitor and the web server, but it does not secure the website from hackers. There is more to it that website owners should be aware of if they want their site to be truly secure.
Website security is more comprehensive than HTTPS/SSL alone and should be treated as such. HTTPS/SSL is one of many security controls to consider when thinking about your website’s security. Deploying HTTPS/SSL on your website does little to ensure your visitors are safe if you do not take other actions to ensure a secure environment.
I can imagine that the reason why some people get SSL confused with website security is that HTTPS/SSL provides:
- “non-repudiation” of the party – answering the question “is that really you?”
- integrity check (unchanged)
- privacy (unseen) of the data in transit.
To sum it up, in an HTTPS website, data in transit is protected, but the website itself can still be vulnerable.