Security and SSL Certificates


Quick tutorial on web security...

Most websites in the world are considered not secure, and most don't need to be. The main reason we need secure websites is so that when we type our credit card numbers into a website (to make a purchase, etc), those credit card numbers can't be stolen by someone eavesdropping on the transaction (perhaps via a compromised Wi-Fi network, etc). A little "padlock" icon shown by our browser alerts us to the fact that a web page is "secure". We can also see that by looking at the web address. If it begins with "http" then it is not secure, and if it begins with "https" then it IS secure (note the "s" on the end - "s" stands for "secure"). It is considered unwise to enter credit card details (or other sensitive personal information) into a web page that is not secure. It's also considered unwise to hand your credit card to your waiter in a restaurant if they take it out of sight to process your bill - but people seem to do that without a second thought...


A lesser known reason for securing a website would be to stop hackers from stealing your username and password by somehow eavesdropping on your website connection while you're logging in. This is relevant to any website that you log into that contains personal information about yourself (such as Facebook).


Google, Firefox and other browser manufacturers are aware of this danger (of course) and are actively trying to make the web more secure in any way they can. To this end, they started explicitly showing a "Not secure" warning on any website that is not secure and that asks for either credit card details or login details. See the following announcement...


         https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html


Your HarmonySite is one such website, of course. Personal details about your members are stored in our database, and it's possible that one of your members could one day log into your HarmonySite on (say) a Wi-Fi network that has been compromised by hackers, and then those hackers would be also able to log into your HarmonySite and access that member's personal details, as well as the internal documents of your organisation.


The standard way of securing a website against this type of breach is to purchase an "SSL Certificate" for the website. It is the presence or absence of this SSL certificate that determines whether your browser shows a padlock icon or not, and whether the address begins with "http" or "https". SSL certificates are available from a variety of vendors, and can cost as much as $1000 per year. Our own company, Virtual Creations, typically sells SSL certificates for $90 per year.


Our Offer

But we consider this too expensive for a non-profit organisation such as yours, so we are making available a special type of SSL certificate for NO ANNUAL CHARGE - simply a one-time installation fee of $30 (plus GST for Australian customers). This special type of certificate fully secures your website, but cannot provide information about your organisation (like most SSL certificates do). We create them ourselves, internally, rather than have them issued by a central authority - which is why we can offer them for no annual charge.
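As an added illustration (not part of this guide or of HarmonySite's own software), the following Python script reports what a browser-style check of a site concludes: a padlock (the certificate chains to a trusted authority), a warning (served over https but the certificate is not trusted, as happens with a privately created one), or no https service at all. For a trusted certificate it also reports whether the certificate names an organisation, which is the difference the offer above describes. The hostnames and certificate samples in it are constructed.

```python
import socket
import ssl


def _name_to_dict(rdns):
    """Flatten the nested tuples ssl.getpeercert() uses for subject/issuer into a dict."""
    return {key: value for rdn in rdns for key, value in rdn}


def classify_certificate(cert):
    """Classify a certificate given in ssl.getpeercert() dict form.

    Reports whether the issuer is the subject itself (a self-created certificate
    rather than one from a central authority) and whether the subject carries
    organisation details (an organizationName), as most paid certificates do."""
    subject = _name_to_dict(cert.get("subject", ()))
    issuer = _name_to_dict(cert.get("issuer", ()))
    return {
        "common_name": subject.get("commonName"),
        "self_signed": subject == issuer,
        "names_organisation": "organizationName" in subject,
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
    }


def check_site(hostname, port=443, timeout=5.0):
    """Say what a browser would conclude about hostname (needs network access)."""
    ctx = ssl.create_default_context()  # system trust store, hostname checking on
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                info = classify_certificate(tls.getpeercert())
                info["status"] = "padlock: certificate chains to a trusted authority"
                return info
    except ssl.SSLCertVerificationError as exc:
        # https is served, but the certificate does not chain to a CA in the
        # trust store (e.g. a privately created one): browsers show a warning page.
        return {"status": "warning: certificate not trusted", "detail": exc.verify_message}
    except ssl.SSLError as exc:
        return {"status": "warning: TLS handshake failed", "detail": str(exc)}
    except OSError as exc:
        # Nothing answering on the https port: plain http only, so no padlock.
        return {"status": "not secure: no https service", "detail": str(exc)}


# Constructed samples in getpeercert() form, for offline use of classify_certificate.
CA_ISSUED = {"subject": ((("commonName", "www.example.org"),),),
             "issuer": ((("organizationName", "Example CA Ltd"),),
                        (("commonName", "Example CA"),))}
SELF_CREATED = {"subject": ((("commonName", "chorus.example"),),),
                "issuer": ((("commonName", "chorus.example"),),)}

if __name__ == "__main__":
    import sys
    print(check_site(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```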


Please let us know if you would like me to install one of these SSL certificates on your HarmonySite.


Notes:

  • This is absolutely not a requirement, merely a recommendation. Not even a strong recommendation. We're not aware of a single incident where a member of a group that uses HarmonySite has logged into their HarmonySite on a compromised network and had their login details stolen. This is a very rare occurrence, but it is possible.
  • We've all heard of cases in the news where some large online service has had their servers/databases compromised by hackers, where 14 million credit card numbers were stolen, or 30 million passwords, etc, etc. This help guide describes a completely different kind of security issue. Getting an SSL certificate for your site will not prevent that kind of theft. Only the security of our servers and our own internal security protocols will prevent that. It is not possible for us at HarmonySite (or any online service) to guarantee that this can never happen to our servers (no system is unhackable), but we employ all "best practices" security protocols within our organisation. Hackers have definitely attempted to breach our security on many occasions, but have never succeeded.
  • For those of you that already sell merchandise, tickets or memberships via your HarmonySite, and accept credit cards as one of your payment methods, and do not yet have an SSL certificate, you may be wondering whether you're compromising the security of your customers' credit card numbers. Rest assured you are not. The payment gateway company we use for credit card transactions (Stripe) provides its own SSL certificate that's not visible to you, us or any casual observer. The page where your customers enter their credit card details is not secure, but every aspect of the transaction is fully secure. Yes, that sounds contradictory. If you don't understand how that's possible, contact us and we'll explain it to you.
  • While we're on the subject of security, please know that credit card numbers are never stored in our database, and passwords are stored using industrial grade encryption (no "plain text" passwords).
  • Having an SSL certificate also (marginally) helps your website have a higher ranking in the Google search results.