TLS Certificate Best Practices
Guidelines for Securing Web-based Communications
Using a digital certificate to enable TLS encryption for web-based communications provides several advantages over traditional “clear-text” (plain HTTP) communications:
- Authentication - proof to visitors of the identity of the web site they are connecting to (the server certificate identifies the server, not the visitor)
- Information Privacy - assurance that communications between visitors and the web server cannot be read by anyone else on the network path
- Information Integrity - assurance that information displayed or entered through the user’s browser cannot be altered in transit without detection
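As an added example that is not part of the original page, the following Python script makes the authentication property concrete. It uses the `cryptography` library to issue a throwaway test CA and a certificate for the hypothetical host www.example.edu, then performs real TLS handshakes over loopback with Python’s `ssl` module to show what a visitor’s client accepts and what it refuses: the correct name under a trusted CA, the same certificate presented when the visitor expected a different name, and a genuine certificate issued by a CA the visitor does not trust. The host names and CAs are constructed for the demonstration.

```python
"""Added example: exercising TLS server authentication locally (not from the original page)."""
import datetime
import os
import socket
import ssl
import tempfile
import threading

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_cert(cn, san=None, issuer=None, is_ca=False):
    """Build a short-lived test certificate. `issuer` is the (cert, key) pair of the
    signing CA, or None for a self-signed root. Returns (cert, key)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer_name, signing_key = (issuer[0].subject, issuer[1]) if issuer else (subject, key)
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(subject)
         .issuer_name(issuer_name)
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if san:
        # Browsers and Python ignore the CN for name matching; the host must be in the SAN.
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(n) for n in san]),
                            critical=False)
    return b.sign(signing_key, hashes.SHA256()), key


def pem(obj):
    """PEM-encode a certificate, or a private key as unencrypted PKCS#8."""
    if isinstance(obj, x509.Certificate):
        return obj.public_bytes(serialization.Encoding.PEM)
    return obj.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                             serialization.NoEncryption())


def handshake(server_cert, server_key, trusted_ca_cert, hostname):
    """One TLS handshake over loopback. The client trusts only `trusted_ca_cert` and
    expects to be talking to `hostname`. Returns (verified: bool, detail: str)."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with tempfile.TemporaryDirectory() as d:  # load_cert_chain wants files on disk
        cert_path, key_path = os.path.join(d, "srv.crt"), os.path.join(d, "srv.key")
        with open(cert_path, "wb") as f:
            f.write(pem(server_cert))
        with open(key_path, "wb") as f:
            f.write(pem(server_key))
        server_ctx.load_cert_chain(cert_path, key_path)
    # create_default_context() turns on chain validation (CERT_REQUIRED) and hostname checking.
    client_ctx = ssl.create_default_context(cadata=pem(trusted_ca_cert).decode("ascii"))

    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    addr = listener.getsockname()

    def serve():
        try:
            conn, _ = listener.accept()
            conn.settimeout(5)
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"hello")
        except (ssl.SSLError, OSError):
            pass  # the client rejected our certificate and tore the connection down
        finally:
            listener.close()

    t = threading.Thread(target=serve)
    t.start()
    raw = socket.create_connection(addr, timeout=5)
    try:
        with client_ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return True, f"{hostname}: verified, server sent {tls.recv(16)!r}"
    except ssl.SSLError as e:  # SSLCertVerificationError is a subclass
        return False, f"{hostname}: rejected ({getattr(e, 'verify_message', str(e))})"
    finally:
        t.join()


def run_demo():
    """Issue a test CA plus a certificate for the hypothetical www.example.edu and report
    which connections the visitor's side accepts. Returns {case: (verified, detail)}."""
    ca = make_cert("Example Test CA", is_ca=True)           # constructed trust anchor
    rogue_ca = make_cert("Rogue Test CA", is_ca=True)       # constructed untrusted issuer
    site = make_cert("www.example.edu", san=["www.example.edu"], issuer=ca)
    return {
        # Correct name and a chain to a trusted CA: the server is authenticated.
        "correct_hostname": handshake(site[0], site[1], ca[0], "www.example.edu"),
        # Same valid certificate, but the visitor expected a different host (phishing/MITM).
        "wrong_hostname": handshake(site[0], site[1], ca[0], "login.example.edu"),
        # Right name, but signed by a CA the visitor does not trust.
        "untrusted_ca": handshake(site[0], site[1], rogue_ca[0], "www.example.edu"),
    }


if __name__ == "__main__":
    for case, (ok, detail) in run_demo().items():
        print(f"{case:17s} {'OK ' if ok else 'FAIL'} {detail}")
```

The two rejected cases are the ones a certificate exists to produce: an attacker who holds a perfectly valid certificate for some other name, or who mints one from a CA the visitor does not trust, cannot pass as the “official” site. Disabling either check on the client (`check_hostname = False` or `verify_mode = CERT_NONE`) leaves the connection encrypted but unauthenticated, which removes the first of the three benefits listed above.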
Not every web server needs a digital certificate. A server that publishes only public information does not need TLS for privacy, but the server authentication and data integrity benefits may still matter: without TLS, anyone on the network path can alter the pages or inject content, and current browsers mark plain-HTTP pages as not secure.
The role of the server, including the types of processes involved (reading data versus allowing updates) and the sensitivity of the information (public versus confidential), must be analyzed. As the purpose of the server changes over time, its security requirements should be revisited. Performance should also be considered, since encryption has a processing cost; on current hardware and TLS stacks (hardware AES support, session resumption) that cost is usually small relative to the rest of request handling.
You should evaluate obtaining and installing a digital certificate for your web server if:
- Visitors authenticate to the site (e.g., usernames and passwords are used for access to some or all of the site, by some or all of the visitors); without TLS those credentials cross the network in clear text
- Visitors need to have the option of verifying that they are connected to the correct ("official") web site
- Sensitive or confidential institutional information is displayed to visitors
- Personal information is viewed and/or submitted by visitors to the site
- Integrity of the information presented or entered is important (i.e., an assurance that nothing can be changed in transit without detection)
- Financial or electronic commerce transactions are executed (e.g., credit cards are accepted for payments)
- Updates (adds, changes, deletes) are being made to institutional information