Imagine being told you need a part for your car. There’s no way around it: sooner or later you’re going to have to get it. It’s no big deal though, because this part is truly beneficial. It’s good for your car, good for your passengers, and good for traffic. Sure, it slows your car down and makes it a magnet for hurled objects but really, truly, the good outweighs the bad.
This is essentially what website owners are dealing with when it comes to encryption. You have to have it. If users are inputting any kind of data on your sites you can’t go without it. It’s the best way of securing communications between browsers and your web server. If you don’t have it, Google has already started broadcasting to visitors that your site is Not Secure. This is bad for business, just as a successful man-in-the-middle attack would be if your users got their personal info stolen. No matter how beneficial and necessary encryption is, though, it doesn’t erase the major issues that come along with it.
Here’s what they are, and how to deal with them.
A distributed denial-of-service (DDoS) attack is one that goes to work with the express intent of causing downtime. Many of them do this by targeting the victim website’s server, exhausting its resources with the goal of leaving none for actual users trying to connect. This is made much easier when the server is already stressed from its normal operations.
When a user connects to an unencrypted website it’s a simple process: browser says let’s do a thing, server says sounds good, browser says cool, we’re connected. This is the paraphrased version of the standard TCP handshake. Throw encryption into the mix and not only do you need TCP’s three steps but the browser and server also need to agree on how they’re going to encrypt their communications. Then there’s a verification process, and then they need to trade the keys that are going to be used to encode and decode all data exchanged over the course of the connection.
This is a lot more work. It’s a lot more strain on the server. It doesn’t take much for a DDoS attacker to take advantage of this and nudge a target server over the edge. Attackers are a clever bunch so this has not gone unnoticed by them. That “s” on the end of your https:// has made the bullseye on your back a little bit bigger. Luckily, dealing with the DDoS problem is easy. Leave it to the professionals. With leading cloud-based mitigation you could be laughing at the many DDoS attempts that bounce off your site’s defenses, except that you won’t even know about them because your site will go unaffected.
If you know anything about internet users, it’s that when they want something now, they want it NOW. That’s why you want your website to load as fast as absolutely possible, which is not a speed that’s inherently attainable with encryption.
You read about the difference between a standard TCP handshake and the encrypted connection handshake above. Where the standard TCP handshake takes one round trip from browser to server, the encrypted handshake requires three. This means the encrypted handshake takes roughly three times as long to accomplish, which also means impatient internet users have three times as long to get annoyed.
The trade-off of secured communications is well worth it but try telling that to a bunch of millennials. Instead of wasting your breath, get a Content Delivery Network, or CDN. A CDN redirects users to the cache server closest to them, so the time it takes for connections to be made and pages and content to be loaded is cut way down. There are plenty of other benefits to a CDN, like built-in load balancing and content optimization, but reduced page load time is the main one when it comes to encryption, and the potential for included DDoS protection is the second-biggest. Choose your provider wisely.
The good news is that you’re done hearing about how encryption can take a toll on your web server. The bad news is that you’re about to get the low-down on how it’s making life harder for your security solutions.
Cybercriminals are encrypting attack traffic to hide it amongst legitimate encrypted traffic, and because encrypted traffic is just as encrypted to security solutions as it is to anyone who might be trying to eavesdrop on communications between browsers and servers, it’s very easy for encrypted attack traffic to slip past your defenses and do its dirty work.
That said, we’re back to good news: you know that cloud-based DDoS mitigation you need to get to protect your hard-working server? Leading providers should be able to provide you with granular traffic analysis that decrypts and then re-encrypts all traffic to filter malicious activity. When speaking with a potential provider, ask if they offer this. While you’re at it, ask if they have a time to mitigation under 10 seconds.
Benefiting from benefits
There’s no denying that encryption is a bit of a hassle. However, you’re one or two steps away from having all the benefits of encryption, all the benefits of leading DDoS protection, and all the benefits of a CDN. Altogether this represents a major website upgrade, one your users will appreciate and Google will reward with a bump in the rankings. Not sure what you can do about your car, though.