When you’re surfing the internet, have you noticed that some sites have http:// before their domain name and others have https://? Have you wondered why there are these two different forms?
Until a couple of years ago, we only used to see https on large sites, but after Google mentioned it might be a ranking signal we see many more sites with the https prefix.
HTTP is short for Hyper Text Transfer Protocol. It’s the protocol that allows your browser to communicate with websites. A website with the http:// prefix is unsecured: the traffic is not encrypted, so someone can spy on your browser’s exchanges with the website.
HTTPS is short for Hyper Text Transfer Protocol Secure. This means the information between you and the website is encrypted. This provides protection when you transmit personal or financial information like your social security number or credit card details. You should never enter any sensitive data without checking that the website’s address begins with https://.
In this article, I will explain what SSL is, how it works and whether you need it for your website.
What Is SSL Or An SSL Certificate?
SSL (Secure Sockets Layer) was developed by Netscape in 1994, due to concern over internet security. It’s a process that involves encrypting and decrypting data between a website visitor and the server.
An SSL certificate has two functions.
- Encryption – it turns what is sent from your computer to another into a secret code
- Identification – makes sure the computer or server your browser is talking to is the one you think it is
SSL is a global security technology that allows encrypted communication between a browser and a web server.
I’m not a technically minded person and I’m not into coding but I wanted a little basic information about how it all works. What I discovered is that there are 5 steps in the encryption process, explained below as simply as possible.
- First, your computer or browser connects to a website that is secured with SSL.
- The server sends a copy of the site’s SSL certificate to your browser.
- The browser checks if the certificate is valid. Browsers have built-in functionality for dealing with SSL certificates. They have pre-installed root certificates from the Certificate Authorities. They check the certificate sent from the server against the pre-installed version. If the certificate is good, your computer will then say to the server they can start encrypting.
- The server replies with a digitally signed acknowledgment to start an encrypted session.
- Now all communications between your browser and the server will be encrypted.
The video below gives a good, simple explanation.
Do I Need An SSL Certificate For My Website?
It depends on what your website attempts to achieve. An SSL certificate will keep any communications between a visitor and your website private. It will also reassure visitors and build the trust they need to share personal data.
If you want your visitors to fill out forms with personal information, or give any confidential data or their credit card details, you will need an SSL certificate.
A site that doesn’t need to collect any data wouldn’t have needed an SSL certificate in the past. However, as Google is giving sites with an SSL certificate a boost in rankings, the majority of sites will probably have certificates in the future.
Does SSL Really Make My Site More Trustworthy?
An SSL certificate contains verified information about your website. With the interactions between the browser and the server, a visitor can be sure they are dealing with your website.
If you click the closed padlock, you can see that the certificate is valid, the connection is secure and all the resources used on the page are secure.
On a site that is not secure, if you click on the “i” next to the URL, you will get a warning that the site is not secure. Although the site might not ask you for any sensitive data, this could be slightly off-putting to someone not familiar with it.
Pros And Cons Of Using SSL
Pros
- Trust – the green padlock or https indicates that you take security seriously and will give your visitors added confidence.
- Having an SSL certificate is part of PCI (Payment Card Industry) compliance. If you are an e-commerce site you will need this.
- Verifies the website’s identity – an SSL certificate makes sure you are receiving data from the expected domain.
- Data encrypted – this makes it much harder for anyone to hijack your data.
- SEO – Google has made SSL a ranking signal and will rank sites with a certificate a little higher. This is the main reason many blogs and websites are now installing SSL certificates. The graph below indicates that nearly 50% of sites loaded by Firefox are using SSL.
- Can protect sites from phishing scams. These scams try to imitate genuine websites, but without an SSL certificate they can’t make a completely flawless copy.
Cons
- Cost – this might be a problem for larger e-commerce sites that need a high level of security. But can we really put a price on our customers’ security? For most websites, there are very affordable or even free options.
- No guarantee of 100% protection – any program written by humans is liable to have some faults. In 2012, a vulnerable version of OpenSSL, which is widely used, was introduced and wasn’t corrected until 2014, two years later!
- Installation – this might be a problem for many people. Some hosting providers or certificate authorities provide guides and some offer a paid service to do it for you.
- Mixed content – although a site has a valid SSL certificate, your browser might issue a warning that the site isn’t secure. This is caused by using content from different servers. The HTML for your page might be loaded over a secure https connection, but other resources for your page such as videos, images or CSS files might be loaded from an insecure http server. This can be off-putting for visitors who don’t understand what this means. Any mixed content should be corrected; this article from Google may help you.
- Causes performance issues with a website – this might be true, but in reality the process of encrypting and decrypting adds just a few milliseconds to a website’s loading time.
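To track down the mixed content described in the list above, you can scan a page’s HTML for resources that would be fetched over plain http. The script below is an added example, not part of the original article; the sample page, its host names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource, keyed by tag.
FETCH_ATTRS = {
    "script": ("src",), "img": ("src",), "iframe": ("src",),
    "audio": ("src",), "source": ("src",), "video": ("src", "poster"),
    "link": ("href",),
}

# Constructed sample page; all hosts are placeholders.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/style.css">
<script src="//cdn.example.net/app.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://images.example.net/banner.jpg">
<a href="http://example.org/">ordinary link, not a subresource</a>
<video src="https://media.example.net/intro.mp4"></video>
</body></html>"""


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line number, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # e.g. rel="canonical" is not fetched as page content
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value:
                # Resolve relative and protocol-relative URLs against the page.
                url = urljoin(self.page_url, value.strip())
                if urlsplit(url).scheme == "http":
                    self.findings.append((self.getpos()[0], tag, url))


def find_mixed_content(page_url, html):
    """List subresources an https page would load over plain http."""
    if urlsplit(page_url).scheme != "https":
        return []  # the warning only applies to pages served over https
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Calling find_mixed_content("https://www.example.com/", SAMPLE_PAGE) reports the stylesheet on line 2 and the banner image on line 6. The ordinary link and the relative or protocol-relative URLs are not flagged, because they either are not loaded as part of the page or inherit https from it.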
Where To Buy An SSL Certificate?
SSL certificates are available through many Certificate Authorities (CA) or resellers.
Some of the best-known Certificate Authorities are:
And some well-known resellers are:
- The SSL Store
Many hosting providers also sell third-party SSL certificates and some even offer free certificates.
If you buy cheap or opt for free SSL certificates, it’s always worth doing a quick check on the Certificate Authority’s trustworthiness. Recently two Chinese CAs, WoSign and StartCom, have been distrusted by Mozilla and Google. Their root certificates will probably be removed from the browsers in the future. This means that any sites using these authorities’ certificates will have to find alternative CAs to replace their SSL certificates.
My SSL certificate was supplied free and installed with just a click of a switch (as you can see below) on the SiteRubix platform at Wealthy Affiliate. I know the certificate can be obtained for free from letsencrypt.org but having this easy install system is really advantageous. Most hosting providers charge for this service.
Different Types Of SSL Certificates
There are 3 main types of SSL certificates that provide different levels of authentication.
- Extended validated SSL certificate (EV SSL)
- Organization validated SSL Certificate (OV SSL)
- Domain validated SSL Certificate (DV SSL)
Extended validated SSL certificate
The Certificate Authority checks the right of the applicant to use a specific domain name and also carries out a thorough examination of the company or organization. This strict examination follows guidelines set by the SSL certification industry’s governing consortium. It takes up to 10 days to issue an EV SSL certificate.
This can be used for any website but particularly for websites that will be receiving credit card details or other confidential data. Sites that use these certificates would be banking, insurance or e-commerce. These certificates are only available to organizations and businesses; individuals can’t obtain them.
Organization validated SSL Certificate
This certificate requires less validation than the EV SSL certificate. It provides basic encryption and verification of ownership of the domain. The CA will check some details (like name and address) of the website owner. It takes a few hours to a few days to receive this certificate.
These certificates are used by governments, corporations or other businesses that want to give a little more confidence to their visitors. This should be the minimum for an e-commerce site.
Individuals may have difficulty obtaining these certificates. They will have to supply a copy of a valid driver’s license or passport and a recent major utility bill (e.g. power bill, water bill, etc.) or bank statement.
Domain validated SSL Certificate
These are the most common SSL certificates. As the name suggests they are verified using just the domain name. The Certificate Authority might just send a confirmation email to the address listed in the domain’s WHOIS record. Alternatively, the CA might provide you with a verification file to be placed on your site.
It may take a few minutes or a few hours to receive the certificate, and it is the cheapest kind of SSL certificate. It is ideal for sites where security is not a major concern.
In addition to these 3 types, there are SSL certificates based on the number of domains or subdomains you own:
Wildcard SSL Certificate
With a wildcard certificate, you can protect multiple subdomains with one certificate. This will save money and the hassle of managing different certificates.
Multi-domain or SAN (Subject Alternative Name) Certificate
You can use this certificate to secure different domains and subdomains using just one certificate. Again this will save money and reduce time spent managing certificates.
How Will Visitors To My Site Know I Have An SSL Certificate?
There are four visual indications that your website has an SSL certificate:
- Padlock to the left of a URL
- https:// URL prefix instead of http://
- A trust seal
- A green address bar (when an EV SSL certificate is issued)
I visited the same site in 3 browsers and as you can see below they all had a different way of showing the site had an SSL certificate. This could lead to some confusion.
I did the same thing for Amazon and the results were more consistent. At least the 3 browsers showed the padlock.
It’s a shame all the browsers don’t have a consistent way of showing a site has a valid SSL certificate.
The Trust Seal is an added way of building the confidence of your visitors. Supplied by the company that provides your certificate, you can install the trust seal on your whole site or at least on the login and purchasing pages. The security company will give you some HTML code to install on your site where you want the seal to appear.
When someone clicks the seal, normally a new browser window opens and shows the verified domain name, the CA that performed the verification and the date of validity. Below is an example from Symantec.com.
How Much Will It Cost?
There are so many prices that it’s difficult to give you a useful indication. Below are a few average prices (from Namecheap), but you can pay a lot more or less depending on the CAs or resellers.
DV SSL certificates $9 per year or DV multi-domains $29 per year
OV SSL certificates $38 per year or OV multi-domains $86 per year
EV SSL certificates $78 per year or EV multi-domains $238 per year
There are also some free options available. For example, Let’s Encrypt is a free, non-profit Certificate Authority, but their certificates are only valid for 90 days, which means you will have to renew your certificates quite often, although this can be done automatically. They only offer Domain Validation SSL certificates.
As of January 2017, Let’s Encrypt was supporting 20,000,000 SSL certificates and some days they have issued more than 1,000,000 certificates!
Some Certificate Authorities offer free trials of DV certificates for limited periods such as 30, 60 or 90 days. After the trial period, you will have to buy a certificate to keep your site secure.
Should You Care?
If you run an e-commerce store, collect sensitive data or email addresses, or even just need to protect passwords, you should have some form of SSL installed. Without an SSL certificate, you won’t be able to accept credit cards, users won’t enter any personal details and your passwords aren’t safe. Therefore, you need an SSL certificate.
For other sites such as simple blogs, it might seem less important. However, with the search engines including SSL as a ranking factor and the browsers giving your visitors the impression your website without SSL might be insecure, it’s time to install SSL on your site. This will also tell your visitors you take their security seriously.
You can get a domain validated certificate very cheaply or for free, so there’s no reason not to use SSL on your website.
I hope you now know a little more about SSL certificates and have decided if you need one for your site or not. If you have any questions, comments or experience about securing your site, please let me know in the comment area below.