Building Trust 8 July 2017

Best Practice: Always On SSL (AOSSL)

Trust and consumer confidence are the foundation upon which the Internet has been built. A core element of that confidence rests on the protection provided by SSL certificates. SSL/TLS (deployed on the web as HTTPS, hence the phrase "HTTPS everywhere") delivers website and server identity authentication as well as encryption of data in transit. Today, it is estimated that more than 5 million sites are using SSL certificates issued to help protect web sites which collect sensitive information such as logins and credit card numbers. According to third-party research, over 30% of site traffic has migrated to HTTPS or AOSSL.

Many organizations use the SSL/TLS protocol to encrypt the authentication process when users log in to a website, but do not encrypt the subsequent pages served during the user's session. Unfortunately, this intermittent use of SSL protection is not adequate security considering today's emerging online threats.

With the rise of Web 2.0 and social networking, people are spending more time online and logged in, and they are communicating much more than just their credit card numbers. Cybercriminals today are targeting consumers using an attack method called sidejacking, which takes advantage of consumers visiting unencrypted HTTP web pages after they have logged into a site. Sidejacking allows hackers to intercept cookies (typically used to retain user-specific information such as username, password, and session data) when they are transmitted without the protection of SSL encryption.

There are several software tools written to support sidejacking activities, but none is more infamous than Firesheep. An extension for the Firefox web browser developed by Eric Butler and released in October 2010, Firesheep allows hackers with no programming skills to easily capture usernames, passwords, browsing history, and other private information from unsuspecting users.

The Internet Society’s Online Trust Alliance (OTA) is calling on the security, business and interactive advertising communities to adopt Always On SSL (AOSSL), the approach of using SSL/TLS across your entire website to protect users with persistent security, from arrival to login to logout. Always On SSL is a proven, practical security measure that should be implemented on all websites where users share or view sensitive information.  
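As an added illustration of the gaps described above (this is example code, not part of the OTA article or its white paper), the following Python script audits a pair of captured responses, one over plain HTTP and one over HTTPS, for the conditions that make a partially encrypted site vulnerable: content served over HTTP without a redirect to HTTPS, no Strict-Transport-Security header, session cookies set without the Secure flag (the exposure sidejacking relies on), and http:// subresources in the page (mixed content). The sample responses, the host names and the minimum HSTS max-age threshold are constructed for the example.

```python
"""Audit captured HTTP/HTTPS responses for Always On SSL (AOSSL) posture.

Defender-side checks for the gaps a partially encrypted site leaves open:
  * a plain-HTTP request should be redirected to HTTPS, not served content
  * the HTTPS response should carry Strict-Transport-Security (HSTS)
  * every Set-Cookie should have the Secure flag (and HttpOnly), so the
    session cookie is never transmitted on an unencrypted page
  * the HTML should not reference http:// subresources (mixed content)
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption for this example: treat an HSTS max-age under six months as weak.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


@dataclass
class Response:
    """Minimal captured response: scheme, status, header list and body."""
    scheme: str                        # "http" or "https"
    status: int
    headers: list[tuple[str, str]]     # repeated headers (Set-Cookie) allowed
    body: str = ""

    def header(self, name: str) -> list[str]:
        return [v for k, v in self.headers if k.lower() == name.lower()]


def parse_set_cookie(value: str) -> tuple[str, dict]:
    """Split 'name=value; Attr; Attr=val' into the cookie name and a dict of
    lower-cased attributes (flag attributes map to True)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs


def hsts_max_age(value: str) -> int | None:
    """Return the max-age directive of an HSTS header, or None if absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    return int(m.group(1)) if m else None


# src/href/action attributes pointing at http:// (not https://) resources.
MIXED_CONTENT_RE = re.compile(
    r"""(?:src|href|action)\s*=\s*["']http://[^"']+["']""", re.I)


def audit(http_resp: Response | None, https_resp: Response) -> list[str]:
    """Return a list of findings; an empty list means the site looks AOSSL-clean."""
    findings = []
    if http_resp is not None:
        loc = http_resp.header("Location")
        redirected = (300 <= http_resp.status < 400 and loc
                      and loc[0].lower().startswith("https://"))
        if not redirected:
            findings.append("http: plain-HTTP request was served content "
                            "instead of being redirected to HTTPS")
        if http_resp.header("Set-Cookie"):
            findings.append("http: cookies are set over plain HTTP")
    hsts = https_resp.header("Strict-Transport-Security")
    if not hsts:
        findings.append("https: no Strict-Transport-Security header")
    else:
        age = hsts_max_age(hsts[0])
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append(f"https: HSTS max-age {age} is below {MIN_HSTS_MAX_AGE}")
    for raw in https_resp.header("Set-Cookie"):
        name, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:
            findings.append(f"cookie {name!r}: missing Secure flag, so it is "
                            "also sent on unencrypted pages")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r}: missing HttpOnly flag")
    for m in MIXED_CONTENT_RE.finditer(https_resp.body):
        findings.append(f"https: mixed content reference {m.group(0)}")
    return findings


# Constructed sample: login over HTTPS, but the rest of the site is plain HTTP.
WEAK_SITE = (
    Response("http", 200, [("Content-Type", "text/html"),
                           ("Set-Cookie", "sessionid=abc123; Path=/")],
             "<html><body>Welcome back</body></html>"),
    Response("https", 200, [("Content-Type", "text/html"),
                            ("Set-Cookie", "sessionid=abc123; Path=/")],
             '<html><img src="http://static.example.test/logo.png"></html>'),
)

# Constructed sample: the same site with Always On SSL applied.
HARDENED_SITE = (
    Response("http", 301, [("Location", "https://www.example.test/")]),
    Response("https", 200, [
        ("Content-Type", "text/html"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ], '<html><img src="https://static.example.test/logo.png"></html>'),
)

if __name__ == "__main__":
    for label, site in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(f"{label}: {len(audit(*site))} finding(s)")
        for f in audit(*site):
            print("  -", f)
```

Run stand-alone it reports six findings for the partially encrypted site and none for the hardened one. In practice the two `Response` objects would be built from real captures (for example from `http.client` or a proxy log); the checks themselves correspond one-to-one with the AOSSL controls the article argues for: redirect everything to HTTPS, enable HSTS, and mark session cookies Secure so a logged-in user who lands on an HTTP page never leaks their session.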

Always On SSL is supported as a best practice by leading industry players including Google, Microsoft, PayPal, Symantec, Facebook and Twitter. Learn their stories in the OTA white paper Protecting Your Website With Always On SSL and resources below.

OTA encourages all websites to consider implementing Always On SSL. It is incumbent on all of us to work together to implement web security best practices to protect consumers from harm.

Always On SSL White Paper

Including case studies from Facebook, Google, PayPal and Twitter.

Resources & Related News
