What is SSL?
SSL stands for “Secure Sockets Layer” and what SSL certificates do is certify that there is a secure transmission of data between a web server and a browser. Pretty much any website needs an SSL certificate if it collects any sort of data, whether it’s credit card information or just an e-mail address. Here we will explain what SSL certificates do and how to use one, both as a website owner and a consumer.
What SSL Certificates Do and What Does That Really Mean?
A SSL Certificate ensures that the information and materials you send over the internet are both encrypted, meaning turned into code that can only be decrypted by a certified party, and verified to be going to the intended recipient. This is particularly important for e-commerce sites handling sensitive data like credit card information and addresses. But any website that collects any kind of data should consider a SSL certificate in order to protect it.
By encrypting data, it ensures that no one can intercept the transaction and snag sensitive data. By verifying the recipient, it ensures that no one is posing as a credit card company, for example, and collecting information not intended for them.
GlobalSign has a pretty clear explainer video that explores how SSL works and what SSL certificates are.
Who Needs a SSL Certificate?
Pretty much any website owner should consider one, especially since basic SSL certificates are now available for free from services like Let’s Encrypt, or to Cloudflare CDN account holders. Any website collecting data must install one or face the penalty of being passed over for being susceptible.
A SSL certificate is quickly becoming an expected standard. Google’s Chrome browser began displaying a “Not Secure” message as of January 2017 on websites that process sensitive user data without secure connections (Update: December 25, 2017: and Firefox is expected to follow suit soon). The next version of Chrome will reportedly flag websites containing any kind of form and no SSL certificate as “Not Secure”. If that isn’t enough to convince you to hop on the SSL bandwagon, consider recent research by HubSpot that showed “up to 85% of people will not continue browsing if a site is not secure.”
How Do I Know If a Website is Secure?
A website user should check that the website they are browsing is secure before sending information through it by looking for “https” at the beginning of the URL and a lock icon.
If you click the lock icon at the top of your browser window, you’ll see further information about the verification of this address. The idea is to assure users that you are who you say you are, and that any data sent through the website will be encrypted.
Implications Beyond Security
For a few years already, Google has included HTTPS as part of its ranking signal, giving more authority (meaning: higher search result rankings) to sites with a SSL certificate. Google cares about trust. That’s why for instance .gov domains will typically rank high in search results because government websites are considered to be trustworthy. What SSL certificates do is build up that trust that this is a legit website and that it’s safe to pass information through it.
Types of SSL Certificates
The different levels of SSL Certificates are based on levels of verification and therefore trust.
Domain Validated (DV) SSLs are the most basic kind and therefore the cheapest. They can be issued and installed in a matter of minutes, as they verify only that the applicant actually is the rightful owner of a given domain.
Organization Validated (OV) SSLs validate an organization’s name in addition to its ownership of a given domain, helping to assure users that they are in fact visiting the official business or organization website they think they are. These usually take a couple of days to issue.
An Extended Validation (EV) SSL is the strongest type of SSL certificate and verifies domain ownership and business details more thoroughly. It subsequently displays green in the address bar and takes a few days to vet. These are the types of certificates used by financial institutions, for example. What EV SSL Certificates do is prove to the end user that the website owner has passed a thorough and globally standardized identity verification process, ensuring that users aren’t being subjected to a “phishing” attack.
A Wildcard SSL certificate will cover the domain and subdomains (e.g. https://www.yoursite.com, https://en.yoursite.com, https://blog.yoursite.com).
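The following sketch is an added example, not part of the original article. It checks which hostnames a certificate's names actually cover: a wildcard stands for exactly one left-most label, so the bare domain is covered only when the certificate also lists it, and deeper subdomains are not covered at all. The host inventory and both name lists are constructed, and the three-label minimum is a simplification of the browsers' public-suffix check.

```python
def name_matches(cert_name, hostname):
    """True if one certificate name covers the hostname (RFC 6125-style rules)."""
    pattern = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(host) or "" in host:
        return False
    if pattern[0] == "*":
        # The wildcard stands for exactly one whole left-most label.
        # Assumption: refuse wildcards with fewer than three labels (e.g. *.com).
        return len(pattern) >= 3 and pattern[1:] == host[1:]
    return pattern == host


def uncovered_hosts(cert_names, hostnames):
    """Return the hostnames that no name in the certificate covers."""
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in cert_names)]


# Constructed inventory, using the article's example domain.
SITE_HOSTS = ["yoursite.com", "www.yoursite.com", "en.yoursite.com",
              "blog.yoursite.com", "shop.eu.yoursite.com"]

# Constructed certificate name lists (subjectAltName entries).
WILDCARD_ONLY = ["*.yoursite.com"]
WILDCARD_PLUS_APEX = ["*.yoursite.com", "yoursite.com"]

if __name__ == "__main__":
    print("wildcard only misses:", uncovered_hosts(WILDCARD_ONLY, SITE_HOSTS))
    print("wildcard + apex misses:", uncovered_hosts(WILDCARD_PLUS_APEX, SITE_HOSTS))
```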
How to Get a SSL Certificate
You can purchase a SSL certificate from third-party providers such as Symantec, Comodo and GlobalSign. Some hosting providers such as GoDaddy will also offer their own (and may not let you install certificates from third parties). The cost can range anywhere from $9 to $700 per year, depending on the level of security offered.
Website owners looking for just a minimal level of security can also get started for free with a certificate from the non-profit Internet Security Research Group at Let’s Encrypt.
Why Isn’t My SSL Certificate Working?
Depending on how you got yours, there may or may not be any installation process. Or there may be insecure images that are being called. Debug your SSL Certificate at Why No Padlock?
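The "insecure images being called" problem can be checked locally. This added example (not from the original article) parses a page's HTML and lists every image, script, frame, stylesheet or form target that an HTTPS page would still request over plain http://, which is what removes the padlock. The sample page and its URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attributes whose URL the browser loads as part of the page.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"), "script": ("src",),
    "iframe": ("src",), "link": ("href",), "video": ("src", "poster"),
    "form": ("action",),
}

class MixedContentFinder(HTMLParser):
    """Collect resources that an HTTPS page would request over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line number, tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # rel="canonical" and similar are metadata, not a fetch
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            value = (attrs.get(name) or "").strip()
            # srcset is "url descriptor, url descriptor"; the others hold one URL
            parts = value.split(",") if name == "srcset" else [value]
            for url in (p.split()[0] for p in parts if p.strip()):
                absolute = urljoin(self.page_url, url)  # resolves relative and //host URLs
                if urlparse(absolute).scheme == "http":
                    self.findings.append((self.getpos()[0], tag, name, absolute))

def find_mixed_content(html, page_url):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page, imagined as served from https://www.yoursite.com/
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://www.yoursite.com/">
<script src="http://cdn.example.net/widget.js"></script>
</head><body>
<img src="http://www.yoursite.com/images/logo.png">
<img src="//static.yoursite.com/banner.jpg" srcset="http://static.yoursite.com/banner-2x.jpg 2x">
<a href="http://example.org/">external link</a>
<form action="http://www.yoursite.com/subscribe" method="post"></form>
</body></html>"""
if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE_HTML, "https://www.yoursite.com/"):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```

Ordinary links (`<a href>`) and the canonical link are left alone because the browser does not load them as part of the page; relative and `//host` URLs inherit HTTPS from the page and pass.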