The Privacy Guarantor has fined a water services company heavily because its website lacked proper security measures such as SSL/TLS.
According to the Privacy Guarantor, the company didn’t follow crucial security rules when designing and creating its website, especially in assessing the risks related to GDPR violations.
As a result, the Privacy Guarantor imposed a 15,000 euro fine, consistent with their previous decisions. In their view, any time a user interacts with a website to share personal information, it should be safeguarded with SSL encryption.
What are SSL certificates
SSL stands for “Secure Sockets Layer,” and it’s a protocol that ensures information is transmitted securely, in encrypted form. When a website has an SSL certificate, it means that the data exchanged between the website and its users can be protected and encrypted, safeguarding any information users enter on the site.
An SSL certificate also verifies the identity of a website, ensuring that the connection is secure and protected.
Difference between SSL and TLS
SSL, or “Secure Sockets Layer,” has been around for about 25 years. Over time, different versions of the SSL protocol were released, but they all had security issues at some point. Eventually, a newer version called TLS, which stands for “Transport Layer Security,” was introduced and is still in use today.
Interestingly, even though we have this new and improved version called TLS, people still use the old term SSL to talk about the updated protocol.
How SSL Certificates work
SSL certificates are like security guards for information exchanged between users and websites, or between two systems. They make sure that if someone tries to sneak a look while this information is traveling, it’s all scrambled and unreadable. This includes sensitive stuff like names, addresses, passwords, and credit card numbers.
Imagine two devices, such as a browser and a web server, trying to talk to each other over the internet. They want to share a webpage or maybe confirm a person’s identity with a username and password. Here’s how the protection process works:
- They start talking, and one device asks the other to prove it’s the right one to talk to.
- The second device responds by showing its SSL certificate, like a digital ID card.
- The first device checks if the certificate is real, signed properly, and comes from a trusted source.
- Once everything checks out, they both agree to have a secret, encrypted conversation.
- Now the two sides (for example your browser and the web server) can share information, but it’s all hidden from anyone trying to snoop.
So, in simple terms, SSL certificates make sure your online conversations are like secret coded messages that only the right people can understand.
This whole process is sometimes called the “SSL handshake.” Even though it might sound like it takes a while, it really happens in just a few milliseconds.
Difference between SSL and HTTPS
When a website has an SSL certificate, its web address starts with “HTTPS” instead of just “HTTP.” The “S” stands for secure. If a site doesn’t have an SSL certificate, it uses the regular “HTTP.” You can also see a padlock icon next to the web address, signaling that the site is safe and trustworthy for visitors.
For businesses, having an HTTPS web address means having an SSL certificate. HTTPS is like the safer version of HTTP. It encrypts the traffic between your computer and the website, making it more secure. If a website only uses HTTP without an SSL certificate, most browsers label it as “unsafe.” This tells users that the site might not be trustworthy and encourages companies to switch to HTTPS.
So, the main difference between HTTP and HTTPS is that the latter is more secure, thanks to SSL encryption.
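A minimal web-server configuration that implements the switch from HTTP to HTTPS the article recommends, as an added example that is not from the article or from the company involved. It uses nginx syntax; the hostname, certificate paths and document root are placeholders.

```nginx
# Added example (not the article's own configuration).
# Plain HTTP is kept only to send every visitor to the encrypted site.
server {
    listen 80;
    listen [::]:80;
    server_name www.example.invalid;          # placeholder hostname
    return 301 https://$host$request_uri;     # permanent redirect to HTTPS
}

# All real traffic, including forms and logins, is served here over TLS.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.invalid;          # placeholder hostname

    ssl_certificate     /etc/ssl/certs/www.example.invalid.fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/private/www.example.invalid.key;         # placeholder path

    # Only TLS 1.2 and 1.3 are offered; every SSL version and TLS 1.0/1.1 are refused.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Tell browsers to use HTTPS for this host (and subdomains) for the next year.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/html;                       # placeholder document root
}
```

The redirect alone is not enough for the "unsafe" browser label to go away for returning visitors who typed the plain address; the Strict-Transport-Security header is what makes their browser go straight to HTTPS on later visits.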
Verify an SSL certificate
If you want to see the details of an SSL certificate, just click on the padlock icon in your browser’s address bar.
SSL certificate details typically show:
- The name of the website where the certificate is used.
- The person, organization, or device the certificate was issued to.
- The authority that issued the certificate.
- The digital signature from the Certification Authority.
- Any related subdomains.
- When the certificate was issued.
- When it expires.
- The public key (but not the private key).
How to check your SSL certificate
We suggest using the free SSL checker tool from Qualys SSL Labs. It’s a dependable tool, and we use it for all our clients to check their certificates.
To make sure an SSL certificate is valid and a website is secure, just visit the SSL check tool page. Type the website’s domain in the Hostname field and click “Submit.” This tool will then verify everything for you.
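The handshake described in the “How SSL Certificates work” section and the certificate details listed above can both be checked from a small script, as an added example that is not part of the article and is not the Qualys SSL Labs tool. It uses only Python’s standard library: `tls_handshake_info` performs a real handshake (refusing anything older than TLS 1.2, in line with the SSL vs TLS section) and returns the negotiated protocol, cipher and certificate; `check_cert` is a pure function that summarizes the certificate fields and flags an expired, not-yet-valid or mismatched certificate. The certificate dict at the bottom is constructed for the example and is shaped like what `ssl.SSLSocket.getpeercert()` returns; the hostname in it is a placeholder.

```python
"""Added example (not from the article): probe a TLS handshake and check
the certificate details the article lists. Standard library only."""
import socket
import ssl
from datetime import datetime, timezone


def tls_handshake_info(hostname, port=443, timeout=5.0):
    """Perform the handshake the article describes and return what was agreed.

    The default context verifies the chain against the system trust store and
    checks the hostname, so an invalid or mismatched certificate raises
    ssl.SSLCertVerificationError instead of silently connecting.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSL 3.0 and TLS 1.0/1.1
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return {
                "protocol": tls.version(),      # e.g. "TLSv1.3"
                "cipher": tls.cipher()[0],      # negotiated cipher suite name
                "cert": tls.getpeercert(),      # decoded, already verified certificate
            }


def _rdn_to_dict(rdns):
    """Flatten getpeercert()'s subject/issuer tuple-of-tuples into a dict."""
    return {key: value for rdn in rdns for (key, value) in rdn}


def _name_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname.

    A leading '*.' covers exactly one label and never the bare domain,
    which is how browsers treat wildcard certificates.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def check_cert(cert, hostname, now=None):
    """Summarize the fields the article says a certificate shows and flag problems.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert().
    Returns (ok, summary); summary["problems"] lists why ok is False.
    """
    now = now or datetime.now(timezone.utc)
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    # Modern validation uses subjectAltName; the commonName is a legacy fallback.
    dns_names = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    names = dns_names or [subject.get("commonName", "")]
    # ssl.cert_time_to_seconds parses the "%b %d %H:%M:%S %Y GMT" strings as UTC.
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)

    problems = []
    if now < not_before:
        problems.append("not yet valid")
    if now > not_after:
        problems.append("expired")
    if not any(_name_matches(n, hostname) for n in names):
        problems.append("name mismatch")

    summary = {
        "common_name": subject.get("commonName"),
        "organization": subject.get("organizationName"),
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "dns_names": dns_names,
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "days_left": (not_after - now).days,
        "problems": problems,
    }
    return (not problems), summary


# Constructed sample (not a real certificate), shaped like getpeercert() output.
CONSTRUCTED_CERT = {
    "subject": ((("countryName", "IT"),),
                (("organizationName", "Example Water Utility"),),
                (("commonName", "www.example.invalid"),)),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example CA Root"),)),
    "subjectAltName": (("DNS", "www.example.invalid"), ("DNS", "*.portal.example.invalid")),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "serialNumber": "0123456789ABCDEF",
}


if __name__ == "__main__":
    import sys
    host = sys.argv[1]                       # e.g. python check_tls.py www.example.invalid
    info = tls_handshake_info(host)
    ok, summary = check_cert(info["cert"], host)
    print(info["protocol"], info["cipher"])
    print("valid" if ok else "PROBLEMS: " + ", ".join(summary["problems"]), summary)
```

Run it with a hostname to see the live result; `check_cert` can also be called on its own against the constructed dict, which is useful for testing the expiry and hostname logic without a network connection.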
Why it’s important to use SSL
To ensure a website is secure, one of the easiest and most effective solutions is using SSL certificates. SSL certificates work by using encryption algorithms to secure communication between the user’s device and the web server.
How to tell if your site uses an SSL certificate
It’s easy to check if a website has an SSL certificate. If it does, you’ll see “HTTPS” at the beginning of the site address. Also, your browser will show a “padlock icon” in the toolbar, indicating that encryption measures are in place.
Which certificate to choose to avoid incurring sanctions from the Privacy Guarantor
You have three options when choosing SSL certificates:
Domain Validated (DV): These certificates verify the domain, making them suitable for single internet domains. They work well for sites with login areas or forms that handle sensitive data. Only the domain owner can request these certificates.
Organization Validated (OV): These certificates are for organizations and are handy for e-commerce and web portals. They verify and certify that a company owns the site. Personnel authorized to represent the company can request these certificates.
Extended Validated (EV): These certificates offer high security and reliability, designed for large companies. Identity verification is thorough, usually done through email or phone.
The authority emphasized that the size of the fine is because a large number of users (13 thousand) were affected, and the company didn’t initiate an investigation despite receiving two previous reports from the complainant.
However, the authority still insists on the urgent need to implement technical measures for safeguarding users’ personal data. They recommend conducting regular reviews to ensure ongoing protection.