Move Your Firm to Web Encryption

Law firm Web sites can be more secure and offer clients a greater degree of comfort that their interactions are protected. Security and encryption are hot topics as the scales fall from digital eyes (and sometimes are put back again). Some recent developments in the way Web sites can secure their interactions make it even easier for law firms to have secure Web sites.


I’ve touched on using https yourself when sending or receiving client information, or banking, or engaging in other online activities. This slight change in a Web site’s URL – from http:// to https:// – means that the information you send and receive with that Web site is encrypted. The s indicates that the site has an encryption certificate, that the site is legitimate (it is what it purports to be), and that information about how the connection is secured is available.

You can see this information by clicking on the small lock symbol in your Web browser when you are connected to an https site. The lock is at the start of the URL in Firefox and Chrome, and at the end of the URL in Internet Explorer.


If you visit a site that has https:// in its URL but there is a problem with the certificate, your Web browser will most likely show you a warning, like this example from Internet Explorer.


Law Firms Can Use SSL Too

There is no reason law firms can’t use https for their Web sites. If your firm has any kind of information intake on its site, you have a good use case for turning on encryption. There have been obstacles to doing so, including whether it was perceived as necessary. For one, there was a concern that using https would slow down your Web site. There was also the cost.

There has been a shift in how Web encryption is viewed in the last few years. It’s no longer just about operational security, or only for sites handling financial transactions. Google even looks at it when considering your site’s rank in its search results.

Two developments I’ve been watching have been the drop in the cost of having a certificate and the ease of implementation. The first is a bit of a price war. John McAfee has created a company whose sole purpose is to sell certificates at a lower price. A $16 certificate can lower the bar to your firm using encryption on its site. While the Black Cert certificates are inexpensive, generally available certificates aren’t much more. However, the lowered price may be enough to remove the cost obstacle from your path to encrypting your law firm Web site.

The Electronic Frontier Foundation’s Let’s Encrypt effort is the other. It’s a totally free certificate project that enables you to self-serve – not self-sign – to obtain a certificate. You download the app – currently in beta – and run it on your own Web server. It walks you through the process of installing the certificate.

Obtaining a free or low cost certificate has never been easier. However, installing your own isn’t for the faint of heart. And if you have a hosted Web site, where someone else manages your hardware, there may be additional costs to have them import your certificate. For example, my host will sell me a certificate for $82. If I bring my own, I need to add a service to my account ($30 a year) and pay a one-time import fee ($30). There may also be steps you will need to take in order to make your law firm site work. For example, WordPress sites sometimes need a plugin to help make all the content use the secure connection.
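
The WordPress problem mentioned above is usually "mixed content": a page served over https that still loads images, stylesheets or scripts, or submits a form, over plain http. As an added example (not code from the original post), this Python script lists such references in a page's HTML; the site URL, file paths and markup are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose URL the browser fetches or submits to. Plain <a href>
# links are navigation, not page content, so they are deliberately not listed.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
               "video": "src", "source": "src", "embed": "src",
               "object": "data", "form": "action"}

class InsecureRefFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute URL) pairs

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = FETCH_ATTRS.get(tag)
        # <link> is only fetched as content when it is a stylesheet.
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            attr = "href"
        value = attrs.get(attr) if attr else None
        # Relative and protocol-relative (//host/x) URLs inherit the page's https.
        absolute = urljoin(self.page_url, (value or "").strip())
        if value and urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute))

def find_insecure_refs(page_url, html):
    """Return (tag, url) for each resource or form target still using http."""
    finder = InsecureRefFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (hypothetical firm site, not from the article).
SAMPLE_URL = "https://www.example-firm.test/contact/"
SAMPLE_HTML = """<head>
<link rel="stylesheet" href="http://www.example-firm.test/wp-content/themes/firm/style.css">
<link rel="canonical" href="http://www.example-firm.test/contact/">
<script src="//cdn.example.test/jquery.js"></script></head><body>
<img src="/wp-content/uploads/logo.png">
<img src="http://www.example-firm.test/wp-content/uploads/office.jpg">
<a href="http://www.example.org/">Bar association</a>
<form action="http://www.example-firm.test/intake.php" method="post"></form></body>"""

if __name__ == "__main__":
    for tag, url in find_insecure_refs(SAMPLE_URL, SAMPLE_HTML):
        print(f"<{tag}> loads or posts over http: {url}")
```

On the sample page it reports the stylesheet, one image and the intake form; the form matters most, because what a client types into it would leave the browser unencrypted even though the page itself shows a lock.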

At the end of the day, for a law firm, this is quibbling about relatively small amounts of money, probably in the range of $50 – 100 a year. As a greater portion of the Web moves to encryption for traffic that, in the past, was wide open, there are good options for law firms to participate in that shift.


  1. This is a good article that covers some of the basics of SSL for web encryption. There is, of course, more to it – for example, SSL does not ensure information residing on the server is secure and encrypted; it only ensures encryption between the browser and the server while sending and receiving information.

    SSL does have the benefit of a fairly good guarantee that you are communicating with the actual site that you believe you are.

    There is another area which lawyers probably should think about – and that is encrypted email communications with PGP or GPG (the open source implementation of PGP). Considering that all email in plain text can be read, either while it is sitting on a server, or intercepted (which is not that difficult to do) – it’s kind of scary really, what people send via email.

    It’s like sending important or vital information on a postcard without an envelope.

    Additionally, email is easily “spoofed.” If for some reason, I didn’t want you showing up in court tomorrow, I could spoof your law partner’s email address and name, send an email as if it were from the partner to you, and write something like “Court has been cancelled tomorrow.”

    The majority of people don’t look at email headers to see whether or not the email was genuinely sent from the person it claims to have been from.

    PGP/GPG digital signing can help thwart this sort of thing from happening. It does seem complicated at first, to set up, as it requires a public and private key – but it’s not that difficult.

    If you’re interested in learning more, I’m available! :)