SSL Encryption Demystified
Website security is one of the most common concerns among people who are launching new websites today, and rightly so. We’ve all heard horror stories about hackers, identity and credit card thieves, adware/malware perpetrators, and other miscreants lurking about on the Internet. Data shows that almost half of all Americans have had their credit card data compromised, and identity theft hit an all-time high in 2016. So the first question most entrepreneurs who launch a startup ecommerce site—or any site that collects sensitive information—will ask is: how can I assure my customers that their data is safe?
Enter SSL, which stands for Secure Sockets Layer, an encryption technology that was originally developed by Netscape way back in 1994 as a way to secure communications between web browsers and servers. Today, it’s still the industry standard for safeguarding user data including credit card information, social security numbers, usernames, and passwords—and it’s an essential tool when it comes to keeping your customers feeling safe and confident on your site, and establishing trust in your brand. No doubt you’ve seen the little padlock and/or the word “Secure” in your browser window (to the left of the URL) when you’ve accessed some ecommerce websites. That’s SSL at work, letting you know that it’s safe to conduct transactions on the site.
So how do I start using SSL?
The first step in implementing SSL on your site is to install an SSL Certificate, which will enable all transactions between your customer’s browser and your website to be encrypted. Once SSL is enabled, your site will display the little padlock and hackers will be unable to tamper with your customer’s transactions or steal their personal information. With every page request made by your customer’s browser, the information sent back and forth between browser and server is encrypted, making it impossible for hackers to gain access to the data itself.
Do I have to pay for SSL?
In the past, if you wanted an SSL certificate on your site, you had to pay for it, and it wasn’t always cheap. Some services charged over $100 for a single year of protection. Today, the prices have come down considerably, and there’s even a free option called Let’s Encrypt, which is used by an increasing number of websites. In fact, many hosting companies (Dreamhost, for example) offer Let’s Encrypt SSL Certificates to their customers for free, and even provide easy 1-click installation from the admin dashboard. One drawback of this free version is that it currently doesn’t support “wildcard” certificates, which are a way of securing all subdomains (for example, yoursubdomain.yoursite.com) with a single site certificate. However, Let’s Encrypt recently announced that this will be changing soon, and they will be supporting wildcard certificates starting in January 2018.
Do I really need SSL if I’m not running an ecommerce site or collecting personal information?
The short answer to this question is… not really. Having said that, however, there are a couple of good reasons you may want to. First and foremost, when a visitor sees that little padlock, it can cement your credibility and trustworthiness in their eyes. Even if they’re not providing sensitive information, a secure site communicates to people that you take your website and its security seriously, and that you care about their safety on the Internet. Another reason to consider using SSL on your site is that it can improve your Google search engine rankings. Back in 2014, Google announced that it would be giving a slight boost to sites that use SSL. It’s not a huge boost — in fact Google said that SSL would provide “less weight than other signals such as high-quality content.” But still, a boost is a boost, and when it comes to SEO, any boost is an advantage.
Are there any downsides to SSL?
Once again, the answer to this question is… not really. However, one possible pitfall that you may wish to consider before pulling the trigger on an SSL Certificate is a situation where you have what’s called “mixed content” on one of your pages. Mixed content is when you have unsecured content, for example an ad from a non-secure adserver or a media player embedded in an iframe, loaded into a secure HTML page. When this happens, the unsecured content will simply not appear on the page. While this is annoying to be sure, it’s not the end of the world, and there are solutions available. The first, and probably best, solution is to simply keep all the content on your site secure. If this isn’t feasible in your situation, and you’re running your site on the WordPress platform, there are plugins available that will help. One such plugin, Easy HTTPS Redirection, allows you to determine which pages use SSL, leaving other pages open to using the normal, non-secure HTTP protocol. If you’re running your site on a non-WordPress platform, this can still be accomplished by having your webmaster implement automatic HTTPS rewrites.
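To find mixed content before visitors do, you can scan a page's HTML for subresources that would be requested over plain HTTP. The script below is an added example, not part of the original article; the names `MixedContentScanner` and `find_mixed_content` are hypothetical, and the sample page and its hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags that fetch a subresource, mapped to the attribute holding its URL.
SUBRESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src", "audio": "src",
                     "video": "src", "source": "src", "embed": "src", "object": "data"}
# <link> fetches a subresource only for these rel values.
LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload"}

class MixedContentScanner(HTMLParser):
    """Collects (tag, url) for subresources an https page requests over http://."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            attr = "href" if rels & LINK_RELS else None
        else:
            attr = SUBRESOURCE_ATTRS.get(tag)  # <a href> is navigation, not a subresource
        value = attrs.get(attr) if attr else None
        if not value:
            return
        # Relative and protocol-relative URLs inherit the page's https scheme.
        resolved = urljoin(self.page_url, value.strip())
        if urlparse(resolved).scheme == "http":
            self.findings.append((tag, resolved))

def find_mixed_content(page_url, html):
    """Return insecure subresources of an https page; http pages have none by definition."""
    if urlparse(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; all hostnames are placeholders.
SAMPLE_HTML = """<head><link rel="stylesheet" href="/css/site.css">
<script src="http://ads.example.net/banner.js"></script></head>
<body><a href="http://example.org/about">About</a>
<img src="//static.example.com/logo.png">
<iframe src="http://player.example.net/embed/42"></iframe></body>"""
if __name__ == "__main__":
    for tag, url in find_mixed_content("https://www.example.com/shop", SAMPLE_HTML):
        print(f"mixed content: <{tag}> loads {url}")
```

The scan covers static HTML attributes only; URLs inside CSS, `srcset` values, or content inserted by scripts at runtime need a separate check, for example in the browser's developer console.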
Whether or not you use SSL on your site is entirely up to you, but for sites that collect personal user data, we consider it to be a must-have, and always include it as an option in our design and development projects. Even if you don’t deal with customer data, there’s very little downside to using SSL, and it can leave your site’s visitors with a feeling of confidence and trust in your brand, and trust is an essential component of any business.