We just had an interesting conversation over the phone with a Joomla website administrator. The conversation went like this:
– “Hi. My name is [customer name] and I work at [company name] and I’m calling you because I heard that you are experts in Joomla security.”
– “That is true”, we said, “How can we help you?”
– “Well, my hosting company wants to sell me an SSL certificate – claiming that my company’s Joomla website will be completely secure and literally unhackable when an SSL certificate is installed, is this correct?”
– “Ummm, no…” – and then we explained to that person 2 things – 1) an SSL certificate has nothing to do with the security of the actual website and 2) hosting companies know very little about how to secure a website (if that wasn’t the case, then our client list would be much smaller than it is right now).
Now you might be thinking, what are these guys saying? SSL is short for Secure Sockets Layer, so it must have something to do with security. Well, let us explain, in layman’s terms, what an SSL certificate actually does…
Let’s assume that you are a father (by the way, if you really are a father, then congratulations, Father’s Day is next Sunday!) and that you are talking with your son (who lives on the other end of the city) on the home phone at around 8 PM. You are having one of those “father-to-son” conversations. Your nosy wife, who can’t stand not knowing everything and anything, picks up the other handset and starts eavesdropping.
By default, any request that you submit to a website with no SSL certificate is similar to the above conversation – anyone on the path between you and the website, with the right tools, can read the information that you are sending to the website and that the website is sending back to you.
Now, let’s assume that over the years you have developed a new language that only you and your son know – let’s call this language the Martian Language. So, if you spoke over the phone with your son using the Martian Language, then there is no way your nosy wife can understand what you’re saying. Using a website with an SSL certificate installed is identical to this scenario: the information transmitted to the website is encrypted in such a way that only that website and your browser can understand it – and no one else. The same goes for the information transmitted from the website to your browser.
So, in other words, an SSL certificate serves to encrypt the information while it travels between the browser and the website – and has nothing to do with the security of the website itself. Once the request is decrypted on the server, the website’s own code handles it exactly as it would have handled an unencrypted request, so any weakness in that code is just as exploitable over HTTPS as over HTTP. In short, an SSL certificate offers nothing to protect your website from hacks!
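To make the point above concrete, here is an added example (not code from the original post) that models the two layers: a toy stand-in for TLS record encryption on the wire, and the web application that receives the request after decryption. The cipher is a deliberately simplistic XOR keystream used only to model “ciphertext on the wire”; it is not real TLS and must not be used as encryption. The request, the session key and the application’s validation rule are all constructed for the example.

```python
import hashlib
import itertools
from urllib.parse import parse_qs

# Constructed sample request: a login form POST, identical on both channels.
REQUEST = b"POST /login HTTP/1.1\r\n\r\nusername=alice&password=s3cret"


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for TLS record encryption: XOR with a SHA-256 keystream.
    NOT real TLS and NOT secure; it only models 'ciphertext on the wire'."""
    stream = itertools.chain.from_iterable(
        hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        for i in itertools.count())
    return bytes(b ^ k for b, k in zip(data, stream))


toy_decrypt = toy_encrypt  # XOR with the same keystream is its own inverse


def send(request: bytes, tls: bool, key: bytes = b"constructed-session-key"):
    """Returns (bytes an eavesdropper sees on the wire,
                bytes delivered to the web application after decryption)."""
    on_wire = toy_encrypt(request, key) if tls else request
    delivered = toy_decrypt(on_wire, key) if tls else on_wire
    return on_wire, delivered


def eavesdropper_learns_password(on_wire: bytes) -> bool:
    """What the 'nosy wife' on the line can read: the password in clear?"""
    return b"password=s3cret" in on_wire


def application(request: bytes) -> str:
    """The website's own check runs only after TLS has been stripped off.
    This code, not the certificate, decides whether a bad request is accepted.
    (Validation rule is a constructed example: alphanumeric usernames only.)"""
    body = request.split(b"\r\n\r\n", 1)[1]
    fields = parse_qs(body.decode())
    username = fields.get("username", [""])[0]
    if not username.isalnum():
        return "rejected by application validation"
    return f"accepted {username}"


if __name__ == "__main__":
    for tls in (False, True):
        on_wire, delivered = send(REQUEST, tls)
        print(f"tls={tls}: eavesdropper reads password ->",
              eavesdropper_learns_password(on_wire),
              "| application says ->", application(delivered))
```

Running it shows the eavesdropper reads the password only without TLS, while the application receives byte-identical requests and returns the same verdict either way.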
So why do some hosting companies say that an SSL certificate will protect your website?
Unfortunately, there are many unethical hosting companies out there that capitalize on their clients’ anxiety about the security of their websites. They push all kinds of products that their clients may or may not need, claiming that these products will make their websites more secure. As a rule of thumb, be very wary of a host that offers you a special deal on a product that is “guaranteed” to have positive results on your website – regardless of what that product is. Most likely it is a product you don’t need, sold with a promise it cannot keep.
So, when is an SSL certificate really needed?
An SSL certificate is needed when your website collects sensitive information (such as credit card numbers, Social Security numbers, etc.) and you want to keep it out of the hands of anyone who can observe the connection. In fact, an SSL certificate is a must to meet PCI standards (note: we do offer a service to make a Joomla website PCI compliant – check it here) if you want to do business online.
Now – if you are unsure how to make your Joomla website more secure, then why don’t you contact us? We are experts in Joomla security, we charge a very affordable fee, and we are the friendliest developers on this planet!