Implementing SSL security is one of the most important things you can do for an e-commerce website that performs financial transactions or collects any type of user data. If sensitive information is being exchanged in any form, you should have encryption in place. Deciding to use SSL, however, is only the first step. If it is not implemented correctly, it can be ineffective. The following are some common mistakes made in SSL certificate implementation.
Self-signed certificates – While this might be acceptable for a control panel or other tool that only you use, you should not expect your customers to trust your website with a self-signed certificate. These days, many browsers give pretty nasty errors when they find an untrusted certificate, prompting some users to not even view the site.
Mixing HTTPS and HTTP – When you have a secure website with secure transactional content, it makes no sense for static content, such as images, to not also be secure. Any resource a secure page loads over plain HTTP travels unencrypted, and browsers warn about or block such mixed content. This is particularly problematic when using a content delivery network (CDN) to serve static content. You should either get an SSL-enabled account with your CDN service or use locally-stored content for SSL pages. Finally, be sure to use HTTPS in all link URLs on your secure pages.
Untrusted certificate authority – It does you no good to purchase an SSL certificate if web browsers are still going to treat it as untrusted. You should be skeptical of companies selling certificates at bargain-basement prices. Every major web browser (Firefox, IE, Chrome, Safari, Opera, mobile browsers, etc.) and almost every minor one should support the certificate authority you use. Do your homework, and if you have any reason to doubt, look elsewhere.
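For the mixed HTTPS and HTTP item above, one way to audit a secure page before it ships is to scan its markup for anything that resolves to plain HTTP. This is an added example, not code from the original article; the hostnames `shop.example` and `cdn.example`, the sample markup and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute the browser fetches while rendering the page.
SUBRESOURCE = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
               "video": "src", "source": "src", "embed": "src", "object": "data"}
# Tag -> attribute that navigates or submits (the "link URLs" case).
NAVIGATION = {"a": "href", "form": "action"}

# Constructed sample markup for a page served at https://shop.example/checkout
SAMPLE = """
<link rel="stylesheet" href="/css/site.css">
<img src="http://cdn.example/logo.png">
<script src="//cdn.example/app.js"></script>
<a href="http://shop.example/cart">Cart</a>
"""

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []  # findings: (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheets are fetched; rel=canonical and similar are not.
            rel = (attrs.get("rel") or "").lower().split()
            attr, kind = "href", "subresource" if "stylesheet" in rel else None
        elif tag in SUBRESOURCE:
            attr, kind = SUBRESOURCE[tag], "subresource"
        elif tag in NAVIGATION:
            attr, kind = NAVIGATION[tag], "navigation"
        else:
            return
        value = attrs.get(attr)
        if not kind or not value:
            return
        # Resolve relative and protocol-relative (//host/path) URLs first.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))

def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    print(scan("https://shop.example/checkout", SAMPLE))
```

Relative and protocol-relative URLs inherit the page's scheme, so the same markup that is clean on an HTTPS page is reported when the page itself is served over HTTP.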
When used correctly, SSL can be a valuable tool in keeping your customers’ data and transactions safe. By avoiding these pitfalls, you should be able to keep your e-commerce website secure.