You might have noticed that some website addresses start with “http://” while others start with “https://”, having snuck an extra “s” into the proceedings. You probably didn’t stop to ponder the reason for long, but it’s a pretty important behind-the-scenes factor that creates a far more secure environment when you’re paying bills or buying something online. In simple terms, that extra “s” indicates that the website you’re on is protected by something called Secure Sockets Layer, or SSL. In the presence of this inoffensive letter, you can be assured that all data that passes between your browser and the web server is encrypted and therefore safe from prying eyes.
The Beginnings of Secure Web
As far back as 1994, people were already beginning to worry about online security and how to foil cyber attacks from hackers. The SSL protocol was first adopted by Netscape and put into service in their popular (at the time) browser, the Navigator. Readers of a certain age should remember it well :) Competitor AOL bought Netscape in 2008 and ceased development of Navigator, but the standard it pioneered did not disappear.
Tweaks to the algorithm have only increased the robustness of SSL protection over the years. Currently, it stands at the 3.0 version, which is what most modern web servers support. While SSL is not yet a requirement for websites, it is well on the way to becoming a web standard.
How secure is SSL? Secure enough for government work, it turns out. The Advanced Encryption Standard (AES), the algorithm that powers SSL, was deemed stout enough to carry classified information up to the “SECRET” level. The process uses advanced cryptography to pass and verify authenticated digital certificates between various parts of the Web.
How SSL Works
To put it simply, SSL certificates are the foundation of creating an online environment that is secure for conducting valuable transactions, and everybody (except, probably, hackers) should be in favor of that. We shouldn’t underestimate the importance of this seemingly simple task: the usefulness and appeal of the internet would be crippled if we had no guarantee that the credit card information we just typed into a web form was going to a legitimate business rather than into the clutches of an evil-doer who intended to sell it on the Dark Web.
In its essence, the principle by which an SSL certificate functions is not too complex to describe in several steps:
- When your browser attempts to connect to an SSL-protected website, the site is asked to identify itself using a unique cryptographic footprint called a certificate.
- The website’s server responds to the request, delivering a copy of its SSL certificate to your browser for inspection.
- Your browser verifies through a third party that the certificate it just got is authentic. If so, it messages the server, which should send back an acknowledgement so the SSL-encrypted browsing session can begin.
The entire process takes place behind the scenes, during the milliseconds it takes for the website to load. Once the certificate has been verified and authenticated, it’s safe for you to make payments or engage in transactions with the knowledge that no one can pilfer your personal or financial information.
The Future of SSL (and the Web)
In 2014, Google began warning website owners that the day was coming when any website engaged in commerce, and eventually all websites, would need to be protected by an SSL certificate. Beginning on October 1, 2017, the search giant started displaying warning messages to users trying to access a non-SSL website. Google promised that over time, the messages would become more frequent and insistent – so that eventually, a site that does not have a valid SSL certificate will be inaccessible through Google search results.
The ramifications for online entrepreneurs who don’t comply will be enormous – in Google’s eyes, a website without an SSL certificate will become invisible! This means that conducting business online without an SSL certificate will eventually become impossible. All that painstaking search engine optimization you’ve put into achieving a first page rank for critical keywords? It’ll go away. And even for that trickle of traffic that still manages to find your website through other means, ecommerce payment gateways will no longer process transactions without SSL protection.
To sum up, one thing is clear: whether you own an existing website or are planning to create a new one, an SSL certificate should be a must-have on your checklist. Let’s look at the available options:
Free vs. Paid SSL
In the world of SSL, you should be aware that you have the choice of either a free or a paid certificate. While no one would blame you for leaping immediately at the former, it’s a good idea to understand the differences and decide which best fits your situation. While the levels of encryption between free and paid certificates are usually the same, the primary difference is in the authentication authority. For example:
- A free certificate can only verify ownership of a single domain. It can’t trace back to other domains owned by the same business entity.
- A free SSL certificate normally expires every 30-90 days, which requires more upkeep to make sure your coverage doesn’t slip. Paid SSL certificates are usually good for 1-3 years.
There may be other benefits to certain free or paid SSL certificates depending on the provider, but the overall idea of a premium option is easier (usually automatic) installation and renewal, and a potentially more trustworthy signature in that green box to the left of the browser’s address bar.
Many web hosts have begun to include SSL certificates in various packages they offer, which can be a sensible choice if you’re creating a new website – this way you’ll be able to manage both the hosting and the certificate from the same admin panel. In case you already have an existing website hosted with a provider that offers SSL certificates, it’s a good idea to install one as soon as possible.
Using Free SSL
If you decide to go the free SSL route (and that’s a perfectly legitimate choice), you might decide to use Let’s Encrypt, one of the leading certificate authorities (CA) and a service that makes installing a certificate on your domain a snap. If you have shell access to your hosting account (those who operate through Plesk or cPanel probably don’t), all you have to do is run a program called Certbot. It will authenticate your ownership and install the SSL certificate with very little pain.
For domain owners without shell access, one of the most convenient free tools is ZeroSSL – it walks you through the entire process of verifying your domain ownership and installing the certificate on the website.
The Bottom Line
With the ongoing shift in Google’s attitudes towards non-secured websites, it should be clear that SSL certificates are paramount to safe and future-proof online operations. If you own a website without such protection, it’s in your best interest to get ahead of the curve and get this task done before it starts showing on your search rankings. Your visitors will appreciate the additional trust marks, and search engines will keep considering your pages worthy of being shown in their results.
Having trouble installing an SSL certificate on your website? Got other questions or would like to share your experience with SSL? Let’s discuss in the comments section below: