Wondering what an SSL certificate is and how to get one for your website? If you are planning to build a new website or you have a website right now, you need to know about SSL certificates. In light of the internet’s security issues, Google, as the internet’s premier search engine, will be prioritizing secure sites in its search results.
So where does that leave ordinary unsecured websites? Technically out of business, unless they choose to upgrade their security by adding the SSL layer that Google requires. Google wants to keep the web secure to protect itself, its products, and everyone else. As much as possible, it needs to return safe sites in search results.
It will still have to include insecure sites in the results, but once you click on those links, Google will announce your site as unsafe before taking visitors to it, and that in itself will cause your regular and potential visitors to flee elsewhere. Let’s thank Google for making browsing a more secure but slightly inconvenient experience.
Trust & Security
What happens when the Google search engine or your secure browser tells you that the site you’re visiting is somehow not secure? You do a double-take. You either add it as an exception or you go somewhere else. If you do proceed, at the back of your head, visiting the site carries a certain level of risk. As a website owner, especially of a commercial one, it’s a signal to upgrade at once or risk losing half the customers who trust you and all the potential customers who opted not to proceed. For Google or secure browsers like Firefox to trust your website, you need to fix or upgrade your site to include SSL.
SSL Certificate – A Website Necessity
It’s not just about Google: website owners owe it to their customers or visitors to keep their information safe, especially in light of all the hacking and privacy issues in the news these days. If you, as a website owner, feel somewhat secure when shopping on eBay or Amazon, shouldn’t you extend that feeling of security to visitors of your website? Moreover, because your competitors are stepping up their game in making their sites secure, you owe it to yourself or your business to do the same.
If you intend to set up an online store yourself or a multi-function site that requires membership, you’ll need to consider security from the get-go. A simple login screen/password system will not cut it, because the modern web now requires a certain level of implicit trust that’s gained by adding an extra layer of security that says a website is trustworthy and that the site is whom it says it is.
Transport Layer Security (TLS)
That layer is called Transport Layer Security (TLS), better known as the Secure Sockets Layer (SSL). TLS is the modern name and version of the Secure Sockets Layer; SSL itself has already been rendered obsolete. The name TLS hasn’t taken off, though, so for this discussion we’ll be referring to TLS as SSL.
Netscape Communications developed SSL during the 90s, with the third stable version being released in 1996. However, by 2014, SSL 3.0 was found to be vulnerable to what is known as the POODLE attack, necessitating the use of its successor, TLS 1.0. The current standard is TLS 1.2, developed and promoted by the Internet Engineering Task Force (IETF), an internet standards organization.
In a nutshell, SSL encrypts the communication between the user’s browser or app and a website so that it cannot be intercepted by malicious third parties. So if you were to enter your credit card information to buy something, hackers wouldn’t be able to catch that information and use your credit card and authentication number to commit credit card fraud.
Through SSL, a website becomes secure when it’s issued a valid SSL certificate by a certifying body, a registry or regulator of sites, if you will. The certificate is a piece of code which a secure browser or an app looks for. Once verified by the browser or the contacted certificate authority, the SSL-secure website then sends the user’s browser a session-specific key that lets it unscramble the website’s contents. This process is called the handshake.
The communication between the website and browser is encrypted, which prevents any eavesdropping or tampering during a session. If there are going to be any security holes, they will be at either end of the transmission, not in between. Also, SSL isn’t just for securing browsing sessions. It can be used to secure instant messaging, sending and receiving email, and other means of communication online.
Knowing your Session is Secure
When you visit an unsecured site, your browser may or may not alert you whether you’re secure or not. After all, web browsers are not limited to Chrome, Firefox, Safari, Edge, and Internet Explorer. Even these browsers only do so occasionally. It’s annoying for sure when you’re alerted, but it’s much safer, especially if you use your computer to shop, send sensitive information or even delve into subversive political commentaries in forums or social media.
The quickest way to know if a website is secure is by looking at the link or URL in the browser’s address bar. A website or page is secure if you see the prefix ‘https’ instead of the usual ‘http.’ HTTP stands for Hypertext Transfer Protocol while HTTPS may stand for the following:
Secure Hypertext Transfer Protocol
HTTP over TLS
HTTP over SSL
All three are the same thing.
The link may not be apparent in some browsers, like Safari on the iPhone or iPad. Instead, you’ll see a padlock icon before the link or the website name. In older browsers (which you should stop using immediately), the padlock icon used to show in the status bar. Clicking on the padlock results in a popup message saying that the website has a secure connection and naming the Certificate Authority that issued the website its SSL Certificate.
As noted at the beginning of this discussion, insecure websites are in danger of suffering disgrace at the hands of Google and modern browsers. Call it security-shaming, but it’s a necessity to call them out if those websites want to sell something and ask for personal info. Google announced in 2015 that pages that begin with https would be given priority in search results, and that it would even flag those websites that aren’t secure. But not all sites that start with https are secure.
Their SSL certificates may be outdated, or there might be something else wrong with those certificates. Google or your secure browser will flag them as well, beginning with a crossed-out padlock icon or a page that says that the site has a problem. When that happens, it’s time for the site’s administrators to spring into action and coordinate with their certificate authority. In the case of unsecured websites, it’s time to look for one.
If you’re out to sell stuff and your site begins with http, you’ll be relegated several pages further back than you need to be, so the chances of potential buyers finding you will be slim. Not only that, when they do get to you and find that your site is unsecured, you’re out of luck.
Types of SSL and Where to Get Them
By now you should be convinced of the importance of security, not only for your business but for your site’s visitors. The concept of having an SSL certificate can be a bit technical, and the cost can go from free to costly, depending on the level of security you need for your website. There are many types of SSL Certificates available. The following are the most common:
Self-Signed Certificate
A kind of certificate that’s free of charge and independent of any certificate authority. This is appealing to most websites as it gives them at least some additional security without the extra investment. This system also allows for encrypted communication between client and server, but it’s not as secure as one issued by a CA. That disturbing browser alert that says ‘there is a problem with a site’s security certificate’ is usually the result of a site using self-signed certificates. Internal company portals or government agencies on a budget typically use this type of system.
Domain Validated SSL Certificate
Also an entry-level SSL Certificate, this validates whether the CA applicant owns the website domain. Non-business owners can use this certificate.
Fully Authenticated SSL Certificate
As the name implies, this is a strong type of SSL Certificate usually reserved for larger businesses, as it’s tougher to obtain due to a series of checks by certificate authorities.
Subject Alternative Name Certificate
An SSL certificate is usually given to a single domain name, but it is possible to assign a certificate for multiple domains. This type of SSL Certificate applies to a domain or website that has related sites, such as a significant company and its subsidiaries. Each domain also has to be checked and verified by the certificate authority.
Wildcard SSL Certificate
This is similar to a Subject Alternative Name Certificate, but it is better suited for companies with similarly named domain names, for example, football.espn.com and basketball.espn.com.
Extended Validation SSL Certificate
This is the highest standard of SSL Certification. Sites with this certificate will have their company name and country displayed on the browser’s address bar beside the green padlock icon.
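To make the difference between a multi-domain (Subject Alternative Name) certificate and a wildcard certificate concrete, here is an added example that is not part of the original article. It checks which hostnames a certificate covers, using the dictionary layout returned by Python's `ssl.SSLSocket.getpeercert()`; the certificates and hostnames are constructed, and the helper names are hypothetical.

```python
# Added example: hostname coverage for multi-domain (SAN) and wildcard certificates.
# Dict layout follows ssl.SSLSocket.getpeercert(); every name below is constructed.


def name_matches(cert_name: str, host: str) -> bool:
    """Compare one DNS name from a certificate with the hostname being visited."""
    want = cert_name.lower().rstrip(".").split(".")
    have = host.lower().rstrip(".").split(".")
    if len(want) != len(have):
        return False  # "*" stands for exactly one label, never zero or several
    if want[0] == "*":
        # Need at least two fixed labels after the wildcard, so "*.com" is refused.
        # (A full implementation would also consult the public suffix list.)
        return len(want) >= 3 and want[1:] == have[1:]
    return want == have


def covered_by(cert: dict, host: str) -> bool:
    """True if any DNS entry in the certificate's subjectAltName covers host."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(name_matches(name, host) for name in dns_names)


# Constructed certificates (illustrative only, not real sites).
SAN_CERT = {"subjectAltName": (("DNS", "parent.example"), ("DNS", "subsidiary.example"))}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.sports.example"),)}


def report(hosts):
    """Map each host to (covered by SAN cert, covered by wildcard cert)."""
    return {h: (covered_by(SAN_CERT, h), covered_by(WILDCARD_CERT, h)) for h in hosts}


if __name__ == "__main__":
    hosts = ["subsidiary.example", "football.sports.example",
             "sports.example", "live.football.sports.example"]
    for host, (san, wildcard) in report(hosts).items():
        print(f"{host:32} SAN cert: {san!s:5}  wildcard cert: {wildcard}")
```

Note that the wildcard certificate does not cover the bare domain or names more than one level deep, which is why such certificates usually list the bare domain as an extra name.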
How Do I Get An SSL Certificate?
To acquire SSL Certificates, also known as digital certificates, companies have to contact a certificate authority or CA. Commercial CAs like Symantec, DigiCert, and GlobalSign charge their clients for digital certificates, but there are also non-profit organizations that issue digital certificates free of charge. Notable non-profit certificate authorities are Let’s Encrypt and CAcert. Large organizations can also make use of self-signed certificates independent of any CA. Certificate authorities partner with major browser developers to include a repository of issued certificates.
Upgrading your website to make use of SSL entails some cost if you want the best in security, as commercial CAs require an annual fee from their clients. The following is a list of major commercial certificate authorities.
Comodo Instant SSL
However, if you run a small business but need to secure your domain, you can contact the following non-profit CAs.
Comodo Free SSL
The free SSL Certificates last only for up to 90 days, as opposed to the annual certificates from commercial CAs. You get what you pay for, of course. It’s then essential for website administrators to keep abreast of their expiry, or the site ends up becoming insecure and may require some downtime. Free certificates are also limited, and your website won’t be able to get the green bar with the company name.
Implementing HTTPS or SSL can be a lengthy process, as per The Washington Post’s experience, from coordinating with the certificate authority to adapting the website and domain to include the issued certificate. However, you can also acquire SSL by signing up with hosting companies that include built-in SSL.
That way, you will only have to perform minimal setup or none at all, and won’t have to coordinate with any CA. Hosting companies that offer free SSL include Siteground, Dreamhost, and Cloudflare. This is also a recommended route if you’re okay with not having your own infrastructure.
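One way to keep abreast of certificate expiry, as an added example that is not part of the original article: the script below reads a certificate's `notAfter` field and classifies how urgently it needs renewal. The sample certificate, the 30-day warning threshold, and the function names are assumptions made for illustration.

```python
# Added example: expiry monitoring for short-lived (e.g. 90-day) certificates.
import socket
import ssl
from datetime import datetime, timezone


def days_left(cert: dict, now: datetime) -> int:
    """Whole days until the certificate's notAfter date (negative once expired)."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days


def renewal_status(cert: dict, now: datetime, warn_days: int = 30) -> str:
    """Classify a certificate; warn_days is an assumed threshold, tune as needed."""
    remaining = days_left(cert, now)
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "renew-now"
    return "ok"


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the live certificate from a server you administer.

    The default context verifies the chain, so an already expired certificate
    raises ssl.SSLCertVerificationError here, which is itself the alert.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the shape returned by getpeercert() (not a real certificate).
SAMPLE_CERT = {"notAfter": "Mar 31 12:00:00 2025 GMT"}

if __name__ == "__main__":
    for day in ("2025-01-01", "2025-03-10", "2025-04-01"):
        now = datetime.fromisoformat(day + "T12:00:00+00:00")
        print(day, days_left(SAMPLE_CERT, now), renewal_status(SAMPLE_CERT, now))
```

Run from a scheduler against your own domain, replacing `SAMPLE_CERT` with `fetch_cert("your-domain")` and `now` with `datetime.now(timezone.utc)`.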
Cloudflare’s Free SSL & Website Security Tools
Cloudflare’s method involves hosting a cached version of the client’s website. The visitors to your site go through Cloudflare first, utilizing their SSL service. All the website owner needs to do is tweak the site’s DNS to point to Cloudflare. The problem with this approach, though, is that there is no SSL connection between Cloudflare itself and the server on which the website is actually hosted, so the encryption isn’t exactly full. There’s also the fact that Cloudflare itself became vulnerable to attack in the past.
The same is true of any hosting service that follows their approach, rendering all their clients vulnerable to attack. Cloudflare is a prevalent option for those on a budget. Cloudflare’s free SSL has a 90-day expiration, but according to Cloudflare, it auto-renews without any interruption. There are gigs on Fiverr that will install a free Cloudflare SSL certificate for about $20. Cloudflare, however, offers a full SSL implementation for a fee.
Time to Upgrade
Gone are the simpler days of the 90s, when you could visit any eye-straining website without a care in the world, and your personal information couldn’t be used against you, except for Viagra spam. Nowadays, everyone shops and everything is connected. Search engines now make a distinction between secure and unsecured and prioritize security for the greater good. Users and website owners now share the responsibility of keeping private information safe and secure, so website owners need to upgrade their security or integrate it to begin with. Unsecure websites in danger of being ignored must upgrade to SSL or face extinction. Search engine results shouldn’t be the only driving force to upgrade; the upgrade is necessary for the sake of the users and the site itself.
For a cost-effective option, there’s always Cloudflare’s built-in SSL, and then there’s the free SSL by Let’s Encrypt. However, for added customization and security, website owners can always upgrade to a commercial certificate when the getting is good.