Protecting Your Content with SSL
For years most marketers and advertisers have been aware that it is important to make sure web sites that collect credit card or other sensitive data should be protected with Secure Sockets Layer (SSL). However, there is another type of sensitive data to consider as well. Most web sites now are built with some type of content management system (CMS). These systems allow for easy web site maintenance and updates. Every CMS has an administrative area that requires logging in before site edits can be made. Your CMS login should also be protected by SSL to prevent attackers from gaining the ability to change content on your site.
Web users have grown accustomed to looking for https:// in the browser. The “s” assures users that the site is secure. SSL certificates encrypt the data that is sent from a user’s computer back to the server. This is important since the data traverses many different networks on the way to the web server.
As the data moves through a network, it is possible for someone on the network to watch the data flow. And if the data is not encrypted with SSL, an interloper can plainly see passwords and other sensitive information. This technique does not require expert hacking skills. A quick web search reveals many free utilities and browser plug-ins for viewing network traffic, and YouTube videos even show novices how to use the software.
Below is a screen shot of one such program in action, showing data as it flows through the network.
In most cases this information is not sensitive, but we obviously wouldn’t want credit card, account, or social security numbers being divulged.
Why Protect Your Content Management Systems (CMS)
A would-be attacker can easily discern what type of CMS you are using, and then know what data to watch for when an admin login is made.
For example, the image below shows a partial data capture from someone submitting a WordPress administrative login form. Since the site does not use SSL, the username and password combination could easily be found.
Whereas if the data was encrypted in transit, the username and password could not be easily grabbed:
Once an attacker has the administrative site login credentials, they will have almost free reign on your site. For example, the attacker might do something simple like alter page content or post a negative message about your product or service. An attacker could also install malware or other malicious software by uploading it via the CMS document management tool. This could be done to infect your site’s users directly or to make your site part of a larger network that distributes harmful or illegal files. Or if your administrative area gives you access to users’ personally identifiable information (PII) such as name, email, etc. an attacker might directly steal your end customers’ data.
Below are some considerations for protecting your data:
Always use SSL to protect any forms on your web site that collect end-user PII.
Protect your CMS administrative login by forcing users to log in over SSL.
Consider using two-factor authentication, which requires something beyond a username and password to log in to your CMS admin. For example, the system might also send you a code via text message that has to be entered to log in.
If your CMS administrative login is not protected by SSL, don’t log in to your CMS on an open network such as a coffee shop.
Smooth Fusion is a custom web and mobile development company and leading Progress Sitefinity CMS Partner. We create functional, usable, secure, and elegant software while striving to make the process painless for our customers. We offer a set of core services that we've adapted and refined for more than 250 clients over our 18 years in business. We've completed more than 1800 projects across dozens of industries. To talk to us about your project or review our portfolio, send us a message and one of our project managers will reach out to you quickly.