Starting in July, Chrome 68 will warn users that an HTTP website is insecure. That means if you do not install SSL (Secure Sockets Layer) on your website, most web browsers will warn users that their connection to the website is not secure. The image below demonstrates how Google’s Chrome browser will provide that warning.1 In this post, we’ll cover the following questions regarding SSL.
- What is SSL?
- How does SSL work?
- Why do you need SSL?
- What are the major benefits of SSL?
- How do you prepare to install SSL on your website?
What is SSL?
SSL stands for Secure Sockets Layer, and it is a standard security protocol for establishing encrypted connections between a web server and a browser.2 You’ll know a website is loading over SSL if you see HTTPS at the start of the URL.
Connecting to a website via HTTP is not secure, meaning anyone can intercept the connection and steal or manipulate any data passed through the network from the visitor's browser to the host’s server (e.g., your credit card information).2
Connecting to a website via HTTPS is secure, as any data passed over the network is encrypted, making this data useless to anyone without the encryption key.3
How does SSL work?
Secure Sockets Layer leverages server keys to encrypt data. The private key lives on your web server and never leaves it; this is where the security is managed. The public key flies around the open network and encrypts data prior to sending it over the network from a user’s browser. Anything encrypted by the public key can only be decrypted by the matching private key on your web server.
When you see the SSL icon, it means any data you transmit over that connection cannot be read by anyone intercepting it between your device and the server where the private key lives.
Why do I need SSL?
An SSL certificate ensures the security of the data transmitted between your website and its users. BUT WAIT - my website doesn’t sell products, track user data, or collect visitor information, so I don’t need to encrypt the connection, right? WRONG. Even if a user isn’t inputting information via a form fill or checkout, their browser might be holding confidential information that can be compromised. One example is a browser cookie, which can store everything from visitor preferences to credit card information and can be accessed by a hacker.
What are the major benefits of installing SSL?
Installing an SSL certificate on your website is one of the simplest ways to improve user experience and website security. These security certificates also help improve your website’s visibility for search engines, as well as build trust with users.
1. SSL encrypts data transmitted through your website
Today’s web users know to look for signs of a secure website prior to making a purchase or leaving any personal data. In fact, a study performed by Verisign in 2014 showed how an online hotel booking site saw a 30% increase in conversion rates after featuring an SSL badge on their site.4
2. Boosts SEO and clout with search engines
Although it has given no detail on exactly how much of a boost this provides (likely not much), Google has made it public knowledge that its algorithm will reward websites running SSL. This might mean that your site will rank over a competitor solely because of the secure connection.
3. Increases website conversions
Having a security seal presented on your website has been proven to help increase conversions, likely because this builds trust with the user. A recent study by Actual Insights established that security seals improved respondents' sense of trustworthiness in over 75% of cases. Furthermore, 61% of these respondents mentioned cancelling a purchase because of the lack of a security seal.5
4. Improves domain authority
Verification of ownership of the domain name is required in order to obtain the green lock demonstrating the website is protected by SSL. Only someone with domain authority will be provided a publicly validated SSL certificate.
How do I prepare to install an SSL certificate on my website?
There are some prerequisites that you’ll want to cover prior to installing your SSL certificate.
First, determine how many domain names you’ll need to cover with your certificate. There are a few different SSL certificate options:
Standard domain certificate: A commercially purchased single domain certificate will cover two primary domains. If you only have one website, you’ll want to use this to cover your www and non-www versions, e.g. www.pint.com and pint.com.
Wild card certificate: This option will cover your primary domain and an unlimited number of single-level subdomains. For example, a wild card cert for test.com would also cover blog.test.com and mx.test.com. This would not cover another division, e.g. blog.mx.test.com.
Multi-domain SAN certificate: This option would be used for multiple different domains and deeper domain divisions (e.g. yourdomain.com, blog.yourdomain.com and blog.mx.yourdomain.com).6 You can cover up to 100 different domains with this option.
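To check a planned certificate against the hostnames you actually serve, the coverage rules above can be written as a small matcher. This is an added example, not part of the original post: the function names are hypothetical, the name lists are constructed from the domains used above, and it assumes the wild card certificate lists the bare domain alongside the `*.` name.

```python
# Added example: which hostnames does a certificate's name list cover?
# Name lists below are constructed samples based on the domains in the post.

def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname.

    A wildcard is honoured only as the entire leftmost label and stands
    for exactly one label, so *.test.com never matches blog.mx.test.com.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Conservative choice: require two fixed labels so "*.com" is rejected.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    # Partial wildcards such as "b*.test.com" are not accepted.
    return "*" not in pattern and p_labels == h_labels


def uncovered(cert_names, hostnames):
    """Return the hostnames that no name on the certificate covers."""
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in cert_names)]


# Constructed name lists, one per certificate option described above.
STANDARD = ["pint.com", "www.pint.com"]
# Assumption: the wild card certificate also lists the bare domain.
WILDCARD = ["test.com", "*.test.com"]
SAN = ["yourdomain.com", "blog.yourdomain.com", "blog.mx.yourdomain.com"]

if __name__ == "__main__":
    wanted = ["test.com", "blog.test.com", "mx.test.com", "blog.mx.test.com"]
    print("wild card leaves uncovered:", uncovered(WILDCARD, wanted))
    print("standard leaves uncovered:",
          uncovered(STANDARD, ["pint.com", "www.pint.com", "blog.pint.com"]))
    print("SAN leaves uncovered:",
          uncovered(SAN, ["blog.mx.yourdomain.com", "shop.yourdomain.com"]))
```

Any hostname the function reports as uncovered would trigger a certificate name mismatch warning in the browser, so it needs its own name on the certificate or a different certificate type.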
Make sure you can prove ownership of each domain name that you want to cover:
There are cases where a business might find they do not own or control the domain name they wish to cover with SSL, and you’ll need that control in order to validate your domain. This typically happens when a web vendor purchases the client’s domain on behalf of the client. At this point, the domain is owned and managed by the third-party vendor, which can sometimes get tricky.
Usually, a vendor will be cooperative and transfer the domain name upon proper request. If you don’t know who owns your domain name, you can usually locate the admin contact information via a WHOIS search, and contact the vendor via that method. You can see the WHOIS information for pint.com below.
What level of validation do I need?
Now that you know what type of certificate you’ll need, and have verified you can prove ownership of your domain names, it’s time to determine what level of validation you’ll want for your certificate. Most likely, you’ll just need basic Domain Validation (DV), unless you’re a major organization or financial institution. Here’s a breakdown of validation levels.
Domain Validation (DV): A certificate will be issued after the requester proves they own the domain name requested to be covered. The quickest and simplest validation.
Extended Validation (EV): Typically used by large organizations wanting to ensure authenticity, this method of validation puts a company’s name in the URL bar along with the fancy green lock, like the PayPal website. Obtaining an EV certificate takes time and money, as you’ll need to take several steps before completion.
Should I use a paid or free SSL certificate?
Now that all your prerequisites are complete, you’ll want to obtain your SSL certificate from a commercial Certificate Authority (CA)6. You might choose to purchase the certificate from a vendor like GoDaddy. The costs for these certificates typically fall in the $100-$200 range, and they need to be renewed each year at the same rate.
Unless there are specific reasons for needing to purchase the certificate, PINT recommends using the free certificate option offered by Let’s Encrypt. This new CA issues certificates that are trusted on most web browsers, and so far, these free, auto-renewing certificates have held strong for our clients and internal use.
Ready to install your SSL certificate?
There are a few additional steps in order to finalize your SSL setup. Items like requesting your public and private keys, validating your domain, downloading the certificate, and installing on your web server will also need to be completed.
We won’t cover those items in detail in this blog, but if you have any questions on installing an SSL certificate on your web server, or would like PINT’s assistance with securing your website’s data, please let us know.