FacebookTwitter

Login Security and SSL Certificates

Browsers (eg Google Chrome, Safari) are always being upgraded and improved. Recently browsers have started highlighting websites which don't have SSL certificates and especially pages where you are asked to enter a password, but the page is not on HTTPS. Here's an example from Firefox.

HTTPS is a secure protocol - in effect it means that all the traffic between you and the website, and most importantly anything you enter on a website form gets encrypted on your device, then decrypted on the website's server which means nobody listening in to your traffic* can find out your password.

At present Spanglefish sites mostly work on HTTP, unencrypted, so you will see these warnings when logging in. To be clear, this doesn't mean you are any less secure than you were last month or last year, just that browsers are being more pro-active in telling you about it.

We now have an SSL certificate for sites on some of our domains - you'll see that the address of this Spanglefish Manual website starts with https://. If you have a Gold site and would like it moved to HTTPS please let us know. This does involve some work by us, so we cannot provide it for free sites on the system.

There is an important issue to note though. We're only able to do so for our domains spanglefish.com, parish-council.com and community-council.org.uk at present. If your Spanglefish site is running on your own domain then you'll need to consider whether you should purchase an SSL certificate for it.

Your domain registrar will charge a certain amount for an SSL certificate, and we at Spanglefish may have to charge for the time it takes to set up on the server. You might expect a cost of £30 per annum.

So you should consider whether this is worthwhile for you. The risk is that someone snooping on your traffic between your computer and our server could grab your admin password. You may consider this risk to be very small, and in general if someone interfered with your website we can reinstate the changes and change the password safely.

However, (for instance) if you have lots of users logging into your admin, for example club members, and you have protected pages with sensitive content on them, then you might think the cost is worthwhile.

But to be clear, the biggest danger is if you re-use passwords. If the one you use for Spanglefish is also the one you use for your bank or your email account then you really must change it.

* You might think listening into your traffic is unlikely, but it's easy for someone with a laptop sharing a wireless network with you (for instance in a café) to view the data you're typing in if the website doesn't use SSL.

 

Examples

  1. You have a website on Spanglefish for your local bowling club. Only you have a login and the password you use is not one you use anywhere else. You only ever log in to administer the site using your home computer which is connected to your router by network cable rather than wireless. You don't have any sensitive data on protected pages on your site.

    There really isn't any security reason why you'd spend money to get an SSL/HTTPS certificate.
     
  2. You're an ex-police officer and set up a website for all of your colleagues to keep in touch. You create protected pages which only administrators can see which lists all the members' phone numbers and addresses. You give all your colleagues passwords so they can view the protected pages.

    Your members might log in from any location using their 'phones or tablets, maybe in internet cafés over public WiFi. Someone snooping on the traffic could get access to a member's password or the telephone numbers etc.

    You may decide that you need the extra security an SSL/HTTPS certificate would provide, so that anyone snooping on the traffic can only see encrypted gibberish.
     
  3. You have a small business selling widgets through Paypal. You have some competitors who sell similar products. It's important to you that a) you do as well on search engines as possible, and b) your customers feel secure making transactions on your website.

    Even though you may feel you don't need an SSL/HTTPS certificate because you only log into your website from your own network, you may still decide to get one for search engine purposes because Google says it will promote sites on HTTPS more than ones on HTTP. And even though you take payments through Paypal and don't collect any customer data on your site, you might feel your customers would be more likely to buy from you if you have the padlock in your address bar.


Note that sites on our new Spanglefish 3 system automatically have SSL certificates.

sitemap | cookie policy | privacy policy | accessibility statement