There’s a fine balance in the world of IT with security. On the one side, the systems we build and maintain have to be secure enough to resist even the most persistent hackers, but we also must make sure security measures are passive enough that our normal users don’t feel overly burdened. Having been on both the giving and receiving end of security over the past few months with web sites, credit card processing systems, banks and others, I understand the reasons and frustrations from both sides.
What this leads me to is how security is applied on a web site. The normal means of making a web site “secure” is to make sure your data is encrypted from server to user through the use of an SSL (Secure Sockets Layer) certificate.
Unfortunately, when trying to use an SSL certificate, we’re presented with numerous challenges, the first of which is the acquisition of the certificate. When it came down to it, we just wanted to be able to encrypt our data streams to keep sensitive data, such as user names and passwords, from going out over open channels. This seems pretty reasonable, but then we discovered that ALL SSL certificates are bundled. Not only do they provide the encryption, but they also require proof of ownership and of business, making us jump through those security hoops to get something we weren’t looking for.
Another interesting bit that we discovered is that SSL certificates are typically only purchased for sub-domains, so even though you have to purchase a domain, you have to buy a separate SSL certificate for each sub-domain within it, or spend a lot of money to get one certificate that does your entire domain. Due to the number of sub-domains we host, this was our only option, but again, this seems like we had to purchase way more than what we needed.
Some may ask, “Why buy these certificates when you can just make your own?” The answer was simple really: Internet Explorer. In Firefox, there was a three-step process to tell the browser that we wanted to accept the home-made certificate and that we didn’t need a CA (Certificate Authority) to verify that we were where we thought we were. In Internet Explorer, even though the certificate was downloaded and the exception noted, it still prompted us every time we went to one of the secure sub-domains to make sure we wanted to go there. This pushed us beyond the level of reasonable burden. And since we also want to deploy our security to our online training registration system, it also means that most registrants would be forced to deal with the headache of those exceptions, which puts that burden on our customers as well.
So, with this major purchase we are able to secure all of our sub-domains and we can now prove that we are who we say we are, much of which is beyond the original scope of work that we were trying to accomplish, which was just to provide encryption between our web servers and clients to protect logins and passwords. Using the registered Certificate Authority means there is no burden on the users, the browsers know what to do, and our data is secure both ways.
Ultimately, the price is probably worth the sense of security and peace of mind for our customers.