Let’s answer this question right off the bat: it’s unlikely. Though not impossible, the chances of an SSL certificate itself being hacked is incredibly slim. However, just because you have an SSL installed, that doesn’t mean your website isn’t vulnerable in other areas. Misunderstandings about an SSL being “hacked” tend to come from confusion about what an SSL actually does for a website. Let’s clear up some of that confusion, shall we?
In this piece we’ll talk about misconceptions about SSLs, the myriad other elements of website security, factors that can weaken an SSL, and what you should keep an out for when browsing the web.
Time to dive in.
What an SSL actually does and doesn’t do
Short for Secure Sockets Layer, SSL is a type of digital certificate you can install on your site to encrypt the connection between your website’s server (where it lives) and the end-users client (very often, a web browser). This means that data sent over this connection is protected, and can’t be read or stolen by any third-parties. As such, an SSL certificate’s main purpose is to protect your website users from fraudulent attacks while their data is in transit, i.e. man-in-the-middle attacks.
On the server end, an SSL certificate does not protect your website from other potential security vulnerabilities, such as problems with website coding, out-of-date software, or issues with your database. It will not add any protection to data that is stored on the server. Likewise, on the client end, it does not give added protection to the browser. An SSL is merely one part of a whole range of things you should be doing to ensure your website is secure.
So, if you have an issue with your website’s security, it might be easy to lay blame on your SSL being “hacked” right off the bat if you are under the impression that it is the be-all and end-all of website security. However, SSLs, while certainly a necessity for websites in this day and age, are just a single cog in the vast machine of website security.
Strengthen your website’s back-end
An SSL alone cannot protect your site if security on the server-side isn’t as hardened or up-to-date as it could be. For things like securing your server or database, network hardening, and DNS auditing, this is a complicated business, and you’ll likely need the help of an experienced system admin or web developer. If you use CMS hosting (like WordPress), some steps you can take to ensure the security of your site are:
- Keeping your CMS up-to-date
- Ensuring plug-ins are up-to-date
- Training staff in data security best practices (such as social engineering attacks)
So, does all this mean that SSL can never be hacked? Not necessarily. There are some instances where SSL can be vulnerable.
Potential SSL vulnerabilities
As we mentioned earlier, ensuring everything in your back-end is up-to-date is key when it comes to avoiding SSL vulnerabilities. Many vulnerabilities you may have heard about regarding SSL (such as POODLE or Heartbleed) are usually due to badly configured servers, out-of-date software, or problems with older versions of TLS (Transport Layer Security) protocol — the protocol your SSL uses to keep your connection encrypted. The most up-to-date TLS protocol is TLS 1.3. If your server or client supports older protocols, they may be at risk of cyber-attacks.
Why is this? Well, TLS 1.3 is faster and more secure than TLS 1.2, the previous version. TLS 1.3 shortens the process of the “SSL handshake” by a few milliseconds and it has also dropped support for the older cryptographic algorithms supported by 1.2, which made it more vulnerable to cyber-attacks.
You should also keep an eye on your SSL’s expiration date. If you forget to renew your SSL before it expires, you users will encounter errors when they try to visit your site. To avoid such a situation, set reminders in your calendar and ensure renewal reminder emails don’t end up in your spam folder.
Remember: a website with an SSL isn’t necessarily trustworthy
For general web users, it’s important to note that a website having an SSL certificate isn’t necessarily a marker that you should trust them with your information. While the connection between your browser and a website may be secure, that doesn’t mean the site owner doesn’t have malicious intentions.
With the growing availability of affordable or even free SSL certificates, it can be tricky to verify the identity of the person on the other side. This is why it’s important to actually click on the padlock to find out more information about the SSL itself and whether or not it was issued for a verified organization. When you click on the padlock and see the company name, this is usually a sign you can trust the site. However, if the identity (company) that purchased the SSL has not been verified, you should be cautious: double-check the spelling of the website domain and search for the valid site online. Typically, legitimate sites are at the top of search engine results, or at least higher than the fake ones.
Phishing sites and malicious sites are unlikely to purchase OV or EV SSL certificates because they require extensive validation and background checks of the person or organization purchasing it. So, when you see the company name in the padlock bar, it means you are safe.
Basically, the more information you can glean from a website’s SSL, the better — especially if they’re asking you to hand over credit card details or any personal information.
Phishing attacks are on the rise and fraudsters are getting more and more sophisticated. If, for example, you get an email claiming to be from Amazon asking you to click a link and log in with your credentials, you shouldn’t trust it just because the site has an SSL certificate. Hackers know that more people these days see the SSL padlock as a marker of trust and will trust it automatically, and so they may include it on their phishing sites, either by getting a free SSL or even a paid one.
As a general guideline, never hand over personal information via links you got through your email. Always go to the legitimate website that is allegedly asking you for these details through email. As well as that, proceed with caution when purchasing from a site that doesn’t have an OV or EV SSL.
Wrap up: ways to protect yourself
If you have a recently issued SSL and keep your hardware and software up-to-date, the chances of having your SSL hacked is incredibly slim. However, as mentioned before, SSL is only one element of website security. If you’re worried about potential SSL vulnerabilities, here are steps you can take to ensure your website and you are as safe as can be online:
- Check if your site has any vulnerabilities by scanning your website using Acunetix Vulnerability Scanner or Qualys SSL Server Test
- Strengthen your website’s back-end
- Disable older versions of the TLS protocol on any applications and operating systems
- Enlist the help of a systems administrator if needed
- Renew your SSL certificate before it expires
- Double-check the SSL credentials of websites that ask for personal information