Privacy 08-27-2014

Always-On SSL Means New Life for Privacy and Security Online

Flavio Martins

With the amount of consumer dependency on technology services today, it’s critical that enterprises take the necessary precautions to ensure that security and privacy are key elements. Doing this will enhance their customer relationship and lead to greater trust in enterprise services.

Forrester recently reported that 84% of users don’t believe enterprises are doing enough to protect their data, and nearly 25% of users backed out of a purchase online because of security concerns.

Privacy is Not Dead

People’s personal privacy matters, and information security has a real effect on how customers do business today. Despite the growing number of reports of improper online tracking, enterprise data gathering, and ad network targeting, privacy is not dead. Users today have not surrendered privacy in order to benefit from technology and online services.

A recent New York Times article on online user privacy points out that:

People around the world are thrilled by the ease and convenience of their smartphones and Internet services, but they aren’t willing to trade their privacy to get more of it.

That is the top-line finding of a new study of 15,000 consumers in 15 countries. The privacy paradox was surfaced most directly in one question: Would you be willing to trade some privacy for greater convenience and ease? Worldwide, 51 percent replied no, and 27 percent said yes. There were country-by-country differences, but there was a consistency to the results, especially in the developed nations…

When asked to name the leading threats to online privacy in the future, 51 percent of the global panel of consumers picked “businesses using, trading or selling my personal data for financial gain without my knowledge or benefit..." The survey seems to present a grim outlook for data-driven online businesses and marketers.

Online Advertising is Here to Stay

Within mobile developer networks huge debates continue to take place around the issue of ad-supported vs. paid-for mobile applications. Studies continue to prove that free but ad-supported applications drive significantly more revenue to developers than paid applications with no ads.

Advertising online and in mobile continues to be more lucrative than charging individual users for services. There’s a reason why popular services like Facebook, Gmail, Twitter, LinkedIn, and others remain free. As the popular adage says, “when the service is free, you are the product.” Government and some key enterprises have begun to respond to the public's growing demand for greater control over privacy and information security.

SSL-Secured Sites Rewarded by Google with Search Rank Boost

In support of stronger online privacy practices, Google announced that using an always-on SSL Certificate to secure any data online is now a ranking factor in its search results. Using HTTPS everywhere online is critical to ensuring that user data, searches, and browsing habits are secure, and is also key to addressing users’ privacy concerns.

Using Always-On SSL (HTTPS on every page of a website), whether the site is requesting sensitive user details or not, gives online users a constant secured connection with the services they use on the Internet. By keeping a persistent secured HTTPS connection, not only are sensitive logins and financial data secured, but so are online communications and browsing habits.

Keeping a persistent SSL connection means that where users go, what they do, and what they say online can remain secured simply by always having SSL in every online connection.

SSL Protects Cookies and Other Local User Data

Using cookies remains one of the most basic methods of tracking and identifying users online. Sites today need them in order to serve their users, but properly securing this data that the web depends on is critical to protecting user privacy online.

Cookie data is controlled by the site a user visits. Browsers will follow the instructions the site gives, and administrators need to ensure that any data from their site is secured. Always-On SSL is critical to safeguarding users.

Administrators should ensure that their sites and online applications:

  • Limit how much sensitive data is stored locally in cookies
  • Prevent subdomains from accessing cookie data to protect against interception
  • Use HTTPS always-on so cookie data is always encrypted
  • Make cookies HttpOnly to prevent JavaScript from hijacking cookie data

The team at Treehouse makes it easy to secure online cookies with their guide to totally secure cookies.

They point out that securing online sessions can be done in PHP by setting the cookie arguments through the “setcookie” function:

    // Signature: setcookie(name, value, expire, path, domain, secure, httponly);

    // Open
    setcookie('UserName', 'Bob', 0, '/', '.example', false, false);

    // Locked Down
    setcookie('UserName', 'Bob', 0, '/forums', 'www.example.com', isset($_SERVER["HTTPS"]), true);

Changing cookie values for a session cookie can be done through the “session_set_cookie_params” function:

    // Signature: session_set_cookie_params($expire, $path, $domain, $secure, true);

    // Open
    session_set_cookie_params(0, '/', '.example', false, false);

    // Locked Down
    session_set_cookie_params(0, '/forums', 'www.example.com', isset($_SERVER["HTTPS"]), true);
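To confirm that a site actually emits cookies that meet the checklist above, the Set-Cookie headers it returns can be audited. The following Python sketch is an added example, not code from the Treehouse guide or from this article's author; the function names, finding codes, and the two sample header values (modelled on the "Open" and "Locked Down" calls, with `.example.com` assumed as the wide domain) are constructed for illustration.

```python
# Added example: audits Set-Cookie header values against the checklist above.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes).

    Attribute names are case-insensitive, so they are lower-cased here.
    """
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(header, request_host):
    """Return the list of checklist findings for one Set-Cookie value."""
    _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no-secure")      # may travel over plain HTTP
    if "httponly" not in attrs:
        findings.append("no-httponly")    # readable through document.cookie
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != request_host.lower():
        findings.append("wide-domain")    # also sent to sibling subdomains
    if attrs.get("path") == "/":
        findings.append("root-path")      # broadest path scope on the host
    return findings


# Constructed sample values, not captured traffic.
OPEN = "UserName=Bob; path=/; domain=.example.com"
LOCKED = "UserName=Bob; path=/forums; domain=www.example.com; secure; HttpOnly"

if __name__ == "__main__":
    for label, header in (("open", OPEN), ("locked down", LOCKED)):
        print(label, audit_cookie(header, "www.example.com") or "ok")
```

A Domain attribute equal to the serving host still covers that host's own subdomains; omitting Domain entirely produces a host-only cookie.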

Ad Targeting is the New Battlefield for Online Privacy

Ad-supported content continues to explode in the age of content marketing. Every user click and keystroke online has the possibility of delivering a user’s personal information to unauthorized third parties and malicious actors.

Marketing and advertising aren't evil, and users can benefit tremendously online from personalized offers and services uniquely tailored to them. Product and service providers can enhance the user experience by taking advantage of the technology to market and re-target users online, but security and privacy have to be part of the foundation of building systems to improve the customer experience.

"There needs to be an industry standard for anonymizing and aggregating data. All of the relevant players claim they do this sort of anonymization and aggregation, but the effectiveness of their methods are a black box.

It should be impossible to tie any of this lucrative information to an individual, and in return, apps and sites that ensure this is the case should receive some sort of imprimatur attesting to their responsibility.”

-Ben Thompson, Stratechery.com

Consumers are willing to consent to sharing personal details with their online service providers and benefit from enterprises that can effectively use customer habits and data to deliver the personalized results that users ultimately want.

Rewarding Enterprises that Promote User Trust

The Google rank boost for SSL-secured websites is a first step toward rewarding enterprises that responsibly care for user data. More meaningful steps need to be taken by other organizations to promote security and online trust.

The key to the future of online privacy and the information security debate remains ensuring that critical user data remains safe in the exchange between users and the service providers they trust.
