PSA: Sound Shop Owners, Is Your Checkout Secure?

2014/12/23

Old Lock and Key

Do you own a sound effects Web shop? A brief PSA: your checkout may be outdated, and your customers’ information may be at risk. I recently learned about this flaw, which affects supposedly secure websites, Internet-wide.

Now, I know that sounds alarming. But before you call your Web developer in a cold sweat, please note that it affects only a subset of Web visitors. In fact, your shop may not be affected at all.

However, we do talk about sharing sound on the Web on this blog from time to time. I know many field recording pros share their sound libraries on their own Web shops. So, I felt it was important to share the info so you can update your own site if you are indeed affected.

This post will briefly describe the problem, explain how to check if you’re affected, and help you fix it yourself.

About Web Security

First, some background.

Web shops use documents called SSL certificates to ensure information exchanged between a website and its visitors remains private. This certificate is installed on a Web server. It vouches for a website’s identity, and it allows the information travelling between the Web shop and the visitor’s computer at home to be encrypted and protected.

That’s a broad description. Web security is a complex process. There’s much more to it, of course. However, for the purpose of this post, the point is that SSL certificates are used to facilitate secure website transmissions.

The Problem

Now, SSL certificates differ in the algorithm used to sign them. The current problem involves certificates signed with one such algorithm, called SHA-1.

SHA-1 SSL certificates are not ideal. In simple terms, the SHA-1 algorithm used to sign them, which is what proves the certificate is genuine, is mathematically weak. That means it’s vulnerable to a third party forging a certificate, inserting themselves into the transmission, pretending to be your Web shop, and stealing private financial information. These certificates are growing weaker. As computing power increases every year, they become increasingly easier to break.

The problem with SHA-1 certificates is well recognized. An updated version, SHA-2, is much better. The problem is that until recently, nothing had been done about it. Millions of websites still use SHA-1 certificates. Many domain registrars still sell these outdated SHA-1 certificates. Why? Well, SHA-1 certificates still work; they’re just weak. So, no one has had any incentive to update. That’s why this issue has flown under the radar, so to speak.

The Change and the Risk

Until now. Google has announced that as of this month, they will begin flagging sites that still have an SHA-1 certificate.

At first, visitors to an SHA-1-protected site will see only a small warning in their Web browser. An icon will indicate that the shop isn’t secure. As time goes on, this warning will become more prominent. In 2017, browsers will warn that your Web shop is no longer secure at all.

Note that only visitors using Google’s Chrome browser will see this warning. While the security risk of an SHA-1 certificate is the same in every browser, right now Internet Explorer, Firefox, and Safari users won’t notice a change (although Microsoft’s browsers and Firefox will also stop supporting SHA-1 in 2017).

Every shop owner knows that security warnings will scare visitors away. Of course, only some of your visitors will use Chrome and see the errors. However, Chrome is used by up to 51% of desktop users.

You can read more about this issue in this excellent article.

How to Fix SHA-1 Certificates

How can you fix this?

First, if you don’t have an SSL certificate yet and are thinking of buying one, ensure that your vendor is providing SHA-2 SSL certificates. Just email them and ask.

Do you already have an SSL certificate installed on a Web shop? Check to see if it is SHA-1 or SHA-2. Here are two websites that check for you:
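If you would rather check from your own computer, here is an added example that is not part of the original post: a short Python script that reads the signatureAlgorithm field straight out of a certificate’s DER encoding and reports whether it is SHA-1 or SHA-2. The `check_site()` function fetches your own shop’s certificate for whatever host name you pass in; the two `SAMPLE_` constants are constructed minimal skeletons, not real certificates, so the script can be tried offline.

```python
import ssl

# Signature-algorithm OIDs most often seen on Web shop certificates.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
}

def _read_tlv(der, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def _decode_oid(value):
    """Turn the raw bytes of an OBJECT IDENTIFIER into dotted-decimal text."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: this byte ends the current arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return (oid, name, family) of the algorithm that signed a DER certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; convert PEM to DER first")
    _, _, pos = _read_tlv(cert, 0)           # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)      # signatureAlgorithm (AlgorithmIdentifier)
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    oid = _decode_oid(oid_bytes)
    return (oid,) + SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))

def check_site(host, port=443):
    """Fetch the shop's own (leaf) certificate and classify its signature."""
    pem = ssl.get_server_certificate((host, port))
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))

# Constructed minimal DER skeletons (empty tbsCertificate, empty signature) for offline
# testing; a real certificate is far larger but has the same three-part outer structure.
SAMPLE_SHA1_CERT = bytes.fromhex("30 12 30 00 30 0b 06 09 2a 86 48 86 f7 0d 01 01 05 03 01 00")
SAMPLE_SHA256_CERT = bytes.fromhex("30 12 30 00 30 0b 06 09 2a 86 48 86 f7 0d 01 01 0b 03 01 00")
```

Call `check_site("yourshop.example")` (a placeholder address) to test a live site. This inspects only the shop’s own certificate; Chrome also judges the intermediate certificates your vendor supplied in the chain, so those need to be SHA-2 as well.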

Do you have an SHA-1 certificate? You’ll need to update it.

Most vendors will allow you to renew your old certificate free of charge. That will reissue your certificate as a fresh SHA-2 version. The identity and expiration date won’t change. It will simply create a new SSL certificate signed with the more secure SHA-2 algorithm.

Once the SSL certificate is renewed, ask your host to install it on your Web server. Completing this process requires jumping through a number of hoops. They’re not difficult. They just take some paperwork. Your host will have instructions.

Note that depending on how responsive your host is, this may take anywhere from hours to days. Plan this switch when you’ll have less traffic. The upcoming holidays are a good time. Cover your bases by announcing downtime on Twitter and with a website top banner.

Your updated SHA-2 certificate will make your visitors feel safer, and protect your Web shop from the flaws of the outdated SHA-1 standard.

Learn more about SSL certificates and Web shops in my book, Sharing Sound Online.