19 Nov All you need to know about SSL and secured websites
SSL, or Secure Sockets Layer, is a globally certified protocol that creates a secure connection between a client (in most cases the browser of a visitor on your website) and the web server (the Unicorn SSD-driven BladeVPS that sits in our cohosted datacentre).
SSL works by using a cryptographic system that uses two keys to encrypt data (a public and a private key).
So, in essence, with an SSL-secured connection between your website and the browser of your visitor we make sure no one is intercepting that data and changing or recording it in any way, shape or form. To anyone listening in, a website with a secure SSL connection sends out garbage data that cannot be decrypted.
Why is this important?
Well, there are 3 main reasons why having a secure SSL connection on your website is important:
European and International legislation on protection of data and keeping the internet safe. Safe internet is good for everyone, thus governments are making sure that SSL is implemented as a standard. It is the ABSOLUTE minimum to have if you want to be in compliance. The EU’s Data Protection Directive states that everyone has the right to the protection of personal data. Companies are required to store, send and receive personal data in a secure way. Websites with payment and/or login modules and even with contact forms are obligated by European law to secure their websites. The law doesn’t require a particular technical solution, but legally you aren’t likely to win the battle once you get sued when you don’t have an SSL certificate.
Third parties, mainly Google, but also a lot of payment providers (PayPal, Stripe) and browser companies (Chrome, Safari etc.) require you to have an SSL-secured website in order to work with them. Google has been pushing SSL since 2014, and most browsers give pretty scary security warnings if a website is not correctly secured under SSL. Another important advantage is that an SSL certificate has positively affected ranking in Google since August 2014. On December 17th, 2015 Google announced that SSL is becoming an even more important factor for ranking websites. But pay attention: you must meet the criteria set by Google to qualify.
Visitor confidence. I could now list a lot of data on conversion with or without an SSL-secured domain, but trust me: SSL is better.
How does it suck monkey balls?
Now, any security feature, however well made or necessary, always has a downside. Let me list a few.
An SSL-secured website requires a third-party certified license. This enables you to secure one or more domain names or a whole bunch of domains under your name. In any case, it needs to be ordered, installed, maintained and updated. This makes it just another thing to do on a regular basis.
Whatever happens, you lose some speed. It is like opening the front door with your keys: it takes a few seconds, but it immensely increases the security of your house. Same with the SSL-secured website. Every time a connection is made with a client/visitor, a few milliseconds are spent doing a digital handshake, making sure the connection is indeed secure and encrypted. Very James Bond, very cool, but still it is a few milliseconds.
Cost. Besides the open source and thus free certificates of Let’s Encrypt, all other major vendors of certificates are paid. COMODO is a big provider with reasonable pricing models, and for a starting website with not too many domains or financial transactions Let’s Encrypt works fine until it doesn’t.
Okay, so SSL is needed. What now?
A couple of decisions need to be made. First of all what kind of Certificate are you going to need? Remember that conversion is the most compelling reason to secure your domain, followed quickly by compliance with both third-party requirements and national and international legislation.
So what kind of certificates are there? Or, why is this so complicated?
Well, the main changes to your visitor’s browsing experience are two things. First of all, your good old URL will change. From http://yourdomain.extension (example: http://webfriendly.nl) your URL will gain an extra s for secure: https://yourdomain.extension (https://webfriendly.nl). For various reasons, Google Search Console sees traffic on the http and https prefixes as separate. Make sure to adjust your SEO and Analytics settings when switching to an SSL-secured site!
The second major change for the visitors is the green tab, or green lock, or sometimes even the company name in the green bar. And here is the difference between certificates. To keep it straightforward, there are 2 types of certificates: DV and EV certificates.
DV certificates secure only ONE URL. Let’s Encrypt gives these out for free and, although a bit of a hassle to install, they work fine and give the user a green lock and no errors. If they click on the green lock, they will find that you have chosen a well-respected provider for your SSL security (Comodo or Let’s Encrypt or any other top-level certificate issuer).
Sometimes you will see the green bar include the name of a company. Go to https://Paypal.com and you will see a green bar with the name PayPal Inc. in there. PayPal has an EV certificate. They applied and received the ability to generate a shitload of DV certificates for every URL they have, but because they applied and received an EV certificate they are allowed to publish certificates under their own name. Research says this will increase the trust of your visitors by up to 10%. The downside: an EV certificate is a bit of an administrative hassle, as you need to get certified, which means handing over all kinds of forms and identification papers. Once obtained, an EV certificate is valid for 12 months and will cost money, from 100 dollars upwards to several thousand, depending on your needs and choice of certification level.
So should I secure my website with SSL?
Yes, no doubt, but please use either a freelance expert or make sure your hosting provider can install it for you. If you are migrating from a non-SSL domain to an SSL domain there are some other issues that might pop up, mainly internal HTTP links that will remain even after you switch. Also, because you will be redirecting traffic from http to https, it is important to make sure your SEO and Analytics do not suffer.
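One way to find the internal HTTP links that remain after the switch is to scan each page's HTML for http:// references. The script below is an added example, not webfriendly.nl's own tooling; the domain example.test, the sample page and the three finding labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_ATTRS = {"href", "src", "action"}
# Tags whose URL the browser fetches while rendering the page.
LOADED_TAGS = {"img", "script", "iframe", "audio", "video", "source", "embed"}

class HttpLinkFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (line, tag, url, kind)

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        for name, value in attrs:
            url = urlparse((value or "").strip())
            if name not in URL_ATTRS or url.scheme != "http":
                continue  # https, relative and protocol-relative URLs are fine
            host = (url.hostname or "").lower()
            internal = host == self.site_host or host.endswith("." + self.site_host)
            if tag in LOADED_TAGS or (tag == "link" and "stylesheet" in rel):
                kind = "mixed-content"   # fetched over plain HTTP inside an https page
            elif tag == "form":
                kind = "insecure-form"   # submitted data leaves unencrypted
            elif internal:
                kind = "internal-link"   # still works, but only via the redirect
            else:
                continue                 # ordinary link to someone else's http site
            self.findings.append((self.getpos()[0], tag, value.strip(), kind))

def find_http_leftovers(html, site_host):
    finder = HttpLinkFinder(site_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page for a site hosted on the placeholder domain example.test.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://example.test/style.css">
</head><body>
<a href="http://www.example.test/contact">Contact</a>
<a href="http://other.invalid/">Partner</a>
<img src="http://example.test/logo.png">
<form action="http://example.test/login" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url, kind in find_http_leftovers(SAMPLE, "example.test"):
        print(f"line {line}: <{tag}> {url} [{kind}]")
```

Findings marked mixed-content and insecure-form are the ones that trigger browser warnings; internal-link entries only add a redirect hop.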
If you do not know what you are doing in this case, get professional help. I truly believe that this is not worth investing in learning yourself. Any domains hosted at webfriendly.nl are by default secured by at least an open-source DV certificate per domain, but we do advise on and install any certificate you desire.