A Study of how Magento Websites use SSL for HTTPS

Recently, Section studied a random sample of around 330 websites running on Magento Enterprise, the leading eCommerce solution for large businesses.

One of the areas we investigated was security use and use of SSL or TLS certificates per domain. SSL/TLS is an authentication protocol that encrypts web data, leading to the more commonly known HTTPS that is seen in your web browser accompanied by a green lock: this indicates that the webpage you are visiting is using secure communication methods so any data you enter on that page (such as your name or credit card number) is protected.

This is important to understand as incorrectly deployed SSL certificates can leave a website open to attack, and the traffic between a browser and the website open to interception and exploitation.

SSL Labs provide a handy online scanning tool (Qualys) which can investigate the certificate quality on a website and report a rating based on the following:

From the SSL Labs Methodology Overview:

1. We first look at a certificate to verify that it is valid and trusted.
2. We inspect server configuration in three categories:

• Protocol support
• Key exchange support
• Cipher support

3. We combine the category scores into an overall score (expressed as a number between 0 and 100). A zero in any category will push the overall score to zero.
4. We then apply a series of rules (documented in the Changes section) to handle some aspects of server configuration that cannot be expressed via numerical scoring. Most rules will reduce the grade (to A-, B, C, D, E, or F) if they encounter an unwanted feature. Some rules will increase the grade (to A+), to reward exceptional configurations.*

An example of the output SSL Labs gives is as follows.

Magento SSL Results; Ouch!

Only 1% of the Magento sites we tested scored an A+ which is quite staggering.

Even more interesting is that 25% of sites failed and a further 22% recorded “Trust Issues” initially, meaning their certificate was not trusted due to it being expired, not matching the domain name, or another issue. If the trust issues are ignored, then scores can be applied to those sites and were generally around a “B”.

Managing SSL Certificates for HTTPS

Unfortunately, managing an SSL certificate for any website is a regular (and rather mundane) task but one which is absolutely necessary.

As a website owner or engineer, you should be seeking to make sure your certificate is up to date with the latest protocols supported, has the strongest cipher possible, and has a strong key exchange procedure.

Our recommendation is to deploy your SSL certs in a manner which provides for ease of ongoing management. Your cert should be updated and renewed automatically so you don’t have to think about maintaining a high score and keeping your website traffic safe and secure.

Achieve a Higher SSL rating and Get Free SSL Certificates

SSL Labs also provide a useful guide to SSL/TLS deployment best practices which engineers can use to improve SSL certificate management and ensure they are following all the steps to a secure website.

Alternatively, sign up to Section and use our A+ rated certificate management functionality. We provide all customers with free SSL certificates and an automated system that manges the renewal and upkeep of your SSL certificate so you never have to worry. It doesn’t get much easier than that!