Understanding SSL Encryption

The Reason You Should Pay Attention To SSL Certificates

Prior to 2017, the only websites that really cared about SSL Encryption Certificates were sites that took in sensitive information and shopping carts. In 2014, Google decided to nudge more sites toward SSL, giving a slight boost in rankings to sites that used it. However, the bump wasn't significant and, beyond web designers and SEO people, no one was really paying attention. So at the beginning of 2017, Google Chrome began a slow campaign to push people toward encryption by penalizing websites, posting Not Secure alerts in the URL (address) bar at the top of the Chrome browser.

This is Google's first version, notice the Not Secure in gray that shows up next to the web address.

Example of Google Chrome's First Warning on No SSL

In January, only web pages (not entire sites) with login fields or credit card fields would show this alert. But the noose is tightening, and in October 2017 Not Secure will appear on any webpage with a form field. That means, if your website has a search box on every page, then the site will show as not secure when people visit any page. Fair or not, that might have some bearing on whether someone stays on your site. And it doesn't stop there. The ultimate plan from Google is to penalize entire sites regardless of whether you have a form or not.

So, what is an SSL Certificate and why is Google Chrome (which is over 50% of the browser market) being so tough on website owners?

SSL Certificates In a Nutshell

There are plenty of technical articles that can give you all the dry, boring details; but I try to keep things as non-technical and to the point as I can.

Think of an SSL Certificate as a great scrambler with a decoding key that the sender and receiver both have, but no one else does. In a nutshell, when you send data, a key rewrites your message into an almost indecipherable language that can be unscrambled only by the key that the person you're sending to has. To make this all work, you have to install an SSL Certificate on your website's hosting server. Some servers have it automatically and with some, you have to pay extra for it.

Once installed, you should be sending your traffic through https:// instead of http:// and a green lockbox should appear in the address bar. If it doesn't and you get a red slash, it could be that your certificate is not installed properly or you don't have one yet.

Types of SSL Certificates

If you go to buy an SSL Certificate, you'll see a whole range of pricing on them. There are actually 3 different types of SSL Certificates. So what type do you need?

Domain Validation Certificates (DV)

With Google Chrome's push toward universal SSL, the industry realized that many people still won't want to pay for certificates, so some companies like Mozilla and Microsoft banded together to come up with Let's Encrypt certificates. These are free to install and they don't require steps for validation. They are issued by a Certificate Authority (CA), and that authority is Let's Encrypt. To make it simple, you just have to show you have access to the domain (I say simple, but installing an SSL Certificate on your own can be tough sledding; it might be worth the $15 or so to let your hosting company install it). There is some question as to how trusted these will be in the long run, but for now, they are acceptable. And a domain validation certificate is usually the certificate you'll get for free from some hosting companies.

Organization Validated Certificates (OV)

These might give your customer a little more peace of mind, as there is a process where you have to show that you are the legitimate administrator of the domain name and you have to prove the existence of your company as a legal entity. The certificate itself will actually show your company's ownership. If you're running an e-commerce website, this is actually the better option over the free certificate. But here is the dirty little secret. Most of your customers are never going to look at the details of your certificate. The free certificate puts up a green lockbox the same way this one does. Both will say "Secure" in green in Google Chrome.

What an OV or DV Site Certificate Does in Chrome

Extended Validation Certificates (EV)

Here is where you're going to pay top dollar. And the reason you pay top dollar is because someone at the certificate authority has to do some leg work. The certificate authority will verify the legal, physical and operational existence of your business. They will verify that these records match official legal records. They also do a yearly audit and verify that you have the right to use the name. For all of this and the extra expense, you get your business name in place of the word "Secure." You'll see a lot of banks and large organizations use this. Still, even some of the big dogs don't go this far (including Microsoft).

Bank of America goes all out with an EV certificate
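To show what actually differs between the three certificate types once you do look at the details, here is an added Python example (not from the original post): it flattens a certificate's subject, in the nested-tuple layout Python's ssl module returns from getpeercert(), and reports DV, OV or EV depending on whether the organisation fields are present. The EV attribute names are an assumption about how OpenSSL labels those fields, and the sample certificates are constructed, not copied from any real site.

```python
import socket
import ssl

# Subject attribute that only appears once a CA has vetted the organisation
OV_FIELDS = {"organizationName"}
# Additional subject attributes EV certificates carry (assumption: these are
# the long OpenSSL names Python's ssl module uses for the EV OIDs)
EV_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def subject_fields(cert):
    """Flatten getpeercert()-style subject RDN tuples into {attribute: value}."""
    return {attr: value for rdn in cert.get("subject", ()) for attr, value in rdn}


def classify_validation(cert):
    """Return 'DV', 'OV' or 'EV' from what the certificate subject contains."""
    names = set(subject_fields(cert))
    if not OV_FIELDS.issubset(names):
        return "DV"          # only a domain name was verified
    if EV_FIELDS.issubset(names):
        return "EV"          # organisation plus legal-entity details
    return "OV"              # organisation verified, no EV details


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Connect with full certificate verification and return the parsed leaf cert.
    (Network access needed; the samples below let the rest run offline.)"""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() layout (not real certificates)
DV_SAMPLE = {"subject": ((("commonName", "shop.example"),),),
             "issuer": ((("organizationName", "Let's Encrypt"),),)}
EV_SAMPLE = {"subject": ((("businessCategory", "Private Organization"),),
                         (("jurisdictionCountryName", "US"),),
                         (("serialNumber", "0000000"),),
                         (("organizationName", "Example Bank, Inc."),),
                         (("commonName", "www.examplebank.example"),))}

if __name__ == "__main__":
    for cert in (DV_SAMPLE, EV_SAMPLE):
        cn = subject_fields(cert).get("commonName")
        print(cn, "->", classify_validation(cert))
```

Pointing fetch_peer_cert at your own site is a quick way to confirm the certificate is installed and trusted; a verification error here is the same problem that makes the browser show a red slash instead of the green lock.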

Side Note: Cisco Systems (who should be known for security, as they make the routers that carry all of this data) doesn't have an SSL Certificate on their main site as of this writing. But then, Cisco probably isn't worried about their search engine rankings (but maybe they should be concerned about the perceived lack of security between their website and their customers!)

As of July 2017, Cisco Systems does not use SSL Encryption throughout their site.

The Truth About SSL and Security

The SSL Certificate serves one important job. It gets information back and forth to your customer in a scrambled fashion that will allow only them to decode it. However, while this is referred to as security, it is actually similar to locking your front door but leaving all of your windows open for a burglar to come in. You've patched up one spot where intruders could attack your site or data, but this isn't a holistic solution. In fact, if a site you go to has malware on it, that malware will go through the encryption process with the greatest of ease.

Real website security starts with your hosting company having adequate firewall protection and up-to-date software. An SSL Certificate is a nice next step, especially if you are sending sensitive information back and forth with your client. And then, if you're using software like WordPress, Magento, Joomla!, etc. on your website, you should be updating its software and plugins every time there is an update.

If you are using a service like SquareSpace, Wix, etc, where you built your site using their tools, they should have these things handled for you already. But you may need to request the SSL Certificate and it may come with an extra charge.

Do You Need SSL...Really?

You don't have to have SSL. It is not required by law or anything. However, Google will continue to find ways to punish sites that don't use it. They are on a mission. Luckily, they are taking it slow and rolling this out bit by bit. But there will be a day in the not-too-distant future when your customers might start seeing this on your website if you don't have one:

What it looks like when you don't use SSL on pages with login forms.

That could be a knock on your reputation.

No Shopping Cart Site Should Be Without It

If you have a login form, a retail shopping cart, or take donations on your website, you should definitely have encryption. Any time you are taking in sensitive information (like credit cards or social security numbers), an SSL Certificate is just the right thing to do. You wouldn't want your sensitive information being hijacked by a hacker as it goes unencrypted across the web, and neither would your customer. And remember, if you use a content management system like WordPress, you are logging in... and your password is being sent across the Internet freely, the same as putting passwords in emails. So think about tightening your security sooner rather than later.

Where Do I Start?

Start off by seeing if your host provides the simplest certificates. And hopefully I've helped you make a decision on whether you need a higher-level certificate.

You might just try putting https:// in front of your web address, rather than http://. It could be that you already have SSL Encryption, but you're just not using it. And, once your certificate is installed, you should make sure your site is using it by default (WordPress and Joomla! have ways to force SSL use). Ask your developer or hosting provider if you need help.

I hope this makes the subject of SSL much clearer. Security needs to be taken seriously. And while SSL on some sites might seem like overkill, it's still good that Google is thinking ahead and helping us tighten down our security, even if this is only one link in the chain.
