Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 11 Next »

Website - Getting Started

Overview

Website security is gaining significantly more attention as Google and other browsers have begun forcing SSL adoption.  This guide covers the basics of SSL and the impact SSL Certificates (or lack thereof) have on the Member/Visitor experience on your Club’s Website.

SSL stands for Secure Socket Layer, which is the defacto method used to encrypt sensitive data such as usernames, passwords, and other private information that is passed back and forth over the Internet between your website, visitors’ browser(s), and your club’s website server.  An SSL Certificate provides visible assurance to visitors of the site, that the site is legitimate, and that data encryption is taking place to ensure their sensitive data is protected.  Once the site has SSL, an “s” is placed after the http:// of the website’s address - i.e. https://www.anyclub.com.


Use Case(s)

    • Club Web address is http://www.yourclub.com (missing the “s” after the http)

    • Club Members are calling the Club indicating they are receiving a “Connection is Not Secure” message when visiting the Club’s Website.

    • When entering sensitive data into your Website, Club Members are receiving messages such as “This connection is not secure.  Logins entered here could be compromised.”


Content


SSL Protection

Clubessential offers Basic and Advanced SSL Protection Options. 


Basic 

Basic Protection has the padlock in front of your domain (see screenshot below). Additionally, Basic covers just Domain Validation (DV), meaning just the domain ownership is checked prior to issuing the certificate.

 

Advanced

Advanced Protection includes the padlock as well as your club’s official organizational name in front of the domain, thus delivering a higher level of assurance to your users (see screenshot below).


Advanced Protection covers Extended Validation (EV), meaning that in addition to domain ownership, business registration is also checked prior to issuing the certificate.  For more information and to choose the type of SSL Certificate you would like please click here.

Please Note: The Club’s Account Manager can provide guidance and assistance in the process.

What will an SSL Certificate Provide?

Fostering a safe and secure environment for all Club activity is of the utmost importance. Passwords and credit cards are not the only types of data that should be private. Any type of data that users type into websites should not be accessible to others on the network. An SSL certificate will help verify the Club’s Identity and will then encrypt any data that flows to and from the site, keeping it secure from outside users.

Please Note: For increased online security, most browsers are making sure users are educated on the security of the sites they visit. Find more information on this transition to a safer online environment, below.

Secured by SSL vs. Not Secured by SSL: A Quick Indicator

When you connect to a secure website, the URL begins with "https" instead of "http", like in the example below. The "s" means that the website has been secured with an SSL Certificate.



Websites not protected by SSL will display some type of warning in the URL bar, indicating that the "Connection is Not Secure", see the examples from different browsers below:



Browser Security Changes - Warnings

Anyone using Firefox version 52 and up will see warning messages regarding their site security when they enter their password into the login field or the "Password" field in the member profiles as seen above.

Similarly, Google Chrome announced that beginning in October 2017, anyone using Google Chrome version 62 and up to view a website that's not protected by SSL, will also begin seeing "Not Secure" warning messages when entering sensitive information into online fields like password or credit card fields, or email address fields on prospective member inquiry forms. For more information from Google on this change, please see article here. 


FAQs

Q: Can’t we just purchase our own SSL Certificate?
A: We handle it for you. There’s no need for you to purchase your own SSL Certificate. Even if you did purchase your own certificate, there’s still back and forth work needed between your club and Clubessential to set up and maintain the SSL.

Q: I’ve seen some free SSL Certificates. Why would I pay Clubessential for SSL?
A: Most of the free SSL Certificates are actually free trials which are only valid for a short period of time. Also, many web hosts that offer “free” SSL are actually bundling it with their other products and services, which you’ll still have to pay for.

Q: Why wasn’t SSL included with our website to begin with?
A: Securing your website with SSL has not always been as pressing of a matter as it is right now. To be frank, Google is forcing our hand.

Google announced that beginning in October 2017, anyone using Google Chrome version 62 to view a website that's not protected by SSL, will also begin seeing "Not Secure" warning messages when entering sensitive information into online fields like password or credit card fields, or email fields on forms.

Imagine if your members enter their passwords on the login screen of your website and receive the following message, “This site is NOT SECURE.” They're going to be concerned, and they're going to call you to see if the website is secure.

Furthermore, let’s say a potential member fills out a membership interest form on your public website… she’ll likely get the not secure warning too. That will lower your conversions and scare off some potential members.

Q: We secured our main website domain of www.site.com with SSL. We also own the domain www.site.org which redirects to www.site.com. Do we need to secure www.site.org too?

A: Yes, you need to secure your redirect domains or else users will be presented with a warning/error page. The screenshot below illustrates the following example: The website visitor is using Chrome. He enters a domain (which we've blurred to protect the client's identity) in the browser bar and hits Enter to go to that website. The domain he entered is actually a redirect domain that goes to the main website, which has a different domain. The main website is secured by SSL, but the redirect domain is not.

According to this Comodo article, this warning message is due to a Name Mismatch Error.

Q: Have you ever been hacked? 
A: No hacker has ever gained access to the Clubessential servers.

Q: What do you do if you suspect you are being hacked? What is your Incident Response Policy?
A: Clubessential's first response to a major attack would be to work with its security partners to immediately block the attack. Clubessential would block the intruder at the firewall if that can be done via IP address or type of protocol being used. Depending on the type of attack Clubessential might also pursue immediate legal action. Clubessential is constantly being scanned, crawled and attacked. Our email servers are attacked on a daily basis via spam. Dictionary attacks are common and we have been through several DDoS attacks. Our firewall is strictly controlled to open only needed ports and both our firewall and Barracuda server utilize intelligent algorithms to detect and block attacks. Clubessential has also installed enough web servers to handle load spikes in the event we are attacked or have usage spikes. In the event of an attack Clubessential would immediately notify any affected clients.

Q: How often do you monitor for network intruders?
A: Clubessential's production network is constantly being monitored by Level3 and Zyedge. The internal office network is constantly being monitored by Zyedge (a company that specializes in network security and support). Clubessential also utilizes advanced security technology from Cisco, including Intrusion Detection.

Downloadable Guide

 

 

 

 

 

 

  • No labels