Secure Sockets Layer (SSL), and its successor Transport Layer Security (TLS), is a cryptographic protocol that lets a visitor’s browser and a website exchange information safely. The name SSL is still the one the hosting industry uses, but every version of SSL proper is obsolete and modern servers actually negotiate TLS; the certificates are the same either way. Data in transit is encrypted so that third parties cannot read it as it travels across the internet. In addition to encryption, the certificate lets the browser verify that it is talking to the genuine server for the domain, so that a machine sitting in the middle cannot impersonate the site or alter the traffic unnoticed. An SSL certificate is issued by a trusted certificate authority (CA) and identifies your site or business. You install the certificate on the server for your domain name in order to serve your pages over an encrypted connection. The URL of a page viewed over SSL starts with HTTPS instead of HTTP, and most web browsers also display a padlock icon for such a page.
How Does an SSL Certificate Work?
SSL certificates use public key cryptography both to verify the site owner’s identity and to set up encryption. The site holds a key pair: a public key, which is embedded in the certificate and handed to every visitor, and a private key, which never leaves the server. These keys are very large numbers, not passwords; the jumble of letters and digits you see in a .pem or .crt file is merely their Base64 encoding. The certificate authority signs the certificate with its own private key, binding the site’s public key to its domain name. When a browser connects, it checks that signature against the CA’s root certificate shipped with the browser or operating system, confirms that the domain name in the certificate matches the address it was asked to load, and then runs a key exchange with the server to agree on a fresh symmetric session key. The bulk of the traffic is encrypted with that session key; the certificate’s public key serves for authentication (and, in older cipher suites, for transporting the session key), not for encrypting each page. Because only the holder of the private key can complete the handshake, a criminal who diverts visitors to a look-alike server cannot pass the check, and the browser shows a certificate warning instead of the page. Data between browser and server therefore cannot be read or altered by anyone in the path, which is what gives visitors grounds to trust the site.
What Kind of Information Should be Protected?
Without an encrypted connection between the site visitor and the server, any computer on the path (the visitor’s Wi-Fi hotspot, the ISP, every router in between) can read and modify all the information being sent. So if your website requires the exchange of any personal information, you should consider getting an SSL certificate. Many popular database-driven content management systems, such as WordPress, Joomla and Drupal, have separate password-protected areas for site administrators; if that login form is served over plain HTTP, the administrator password crosses the network in cleartext, and anyone who captures it can log in and delete or alter your pages. As a rule of thumb, always protect any data which, if leaked or lost, could lead to monetary losses or legal consequences. It is advisable to always obtain an SSL certificate if your website or app collects or processes:
• Usernames and Passwords
• Credit Card and Bank Account details
• Social Security Numbers, IDs, Licenses, Medical records, etc.
• Confidential Information, Legal Documents, Contracts, Client Lists, etc.
• Names, Addresses, Phone Numbers and Email Addresses from forms
Does The New EU GDPR Privacy Law Require An SSL?
The General Data Protection Regulation (GDPR), in force since 25 May 2018, applies to all organisations that collect personal data of individuals in the EU, regardless of the organisation’s location. It makes businesses more accountable for data privacy compliance and gives consumers more control over their personal data, and the penalties for non-compliance can be harsh: depending on the provision breached, fines can reach €10 million or 2% of annual global turnover for lesser infringements, and €20 million or 4% of annual global turnover for the most serious ones, whichever is higher in each case. GDPR does not name SSL or any other specific technology; Article 32 requires “appropriate technical and organisational measures” and lists encryption of personal data as one example. In the context of a data breach, however, a supervisory authority is very unlikely to consider unencrypted transmission of personal data adequate, and that alone can attract fines. If you collect or process any form of personal information, it is therefore safest to use suitable encryption such as SSL/TLS for all personal data in transit. If you collect credit card details directly on your website, you definitely need SSL to protect your customers’ card data (the PCI DSS card-industry rules require it as well). If you use PayPal or a similar third-party payment service exclusively, the card data never touches your server, but any login, account or contact form on your own site still carries personal data, documents or photos and should be encrypted. Encryption with appropriate key management controls is, in almost all cases, the only appropriate technical measure for protecting personal data in transit.
A simple blog with no products, no memberships and no web forms, nothing except blog posts and perhaps your contact details, collects no personal data from visitors, so GDPR gives you no reason to insist on a certificate. It is still worth having one, because the cost argument has largely disappeared: free Domain Validated certificates are available, HTTPS also stops networks and intercepting proxies from injecting ads or altering your pages, and current browsers label plain-HTTP pages as “Not secure”.
The Different Types of SSL Certificates
SSL certificates may sound pretty simple, but there is one more thing to consider when choosing one. There are three main types, offering different levels of identity assurance, and that is why you will find such a variety of price ranges. All three provide the same encryption; they differ in how much the certificate authority verifies about who is behind the domain.
Domain Validated SSL Certificates
Domain Validated certificates are issued after the certificate authority has checked only that the applicant controls the domain, typically by having them publish a challenge token in DNS or at a specific URL on the site, or respond to an email sent to an address at that domain. Visitors are assured that they have reached the server that controls the domain name, and nothing more. These are the cheapest type of certificate (and the kind issued free by Let’s Encrypt) because no company identity information is vetted; the certificate names the domain but no organisation. Their great advantage is speed: you can activate the padlock in minutes and start securing web account logins, network traffic and online services. This is sufficient for informational websites and internal systems, and in practice for most production sites, but it gives a visitor no way to tell which company is actually behind the domain, which is why some ecommerce sites prefer the validated types below.
Organization Validated SSL Certificates
Organization Validated certificates involve a stricter authentication process in which the company is vetted by the certificate authority’s staff against business registry databases maintained by governments, and the applicant’s right to use the domain is checked as well. The verified organisation name is embedded in the certificate and can be seen in the browser’s certificate details (or in a Secure Site Seal, if the vendor offers one), giving visitors more visibility into who is behind the site. Browsers do not otherwise display an OV certificate differently from a DV one. This is the type commonly recommended for commercial and public-facing websites. Some documents may be required during the authentication process and personnel may be contacted to prove the right of use.
Extended Validated SSL Certificates
Extended Validation certificates provide the same encrypted connection plus a business identity verified under the strictest vetting process: the organisation’s legal existence, physical address and operational status are checked, as is the applicant’s right to use the specific domain name. When this article was written, browsers rewarded EV with a visible green address bar showing the organisation’s name, so a phishing site that duplicated a bank’s pages could not reproduce the bar without obtaining an EV certificate in that organisation’s name. Note that the major browsers have since removed the green bar (Safari in 2018, Chrome and Firefox in late 2019) and show EV certificates with the same padlock as any other; the organisation name is now visible only in the certificate details, so EV should no longer be counted on as an anti-phishing signal. Extended Validation remains a fit for well-established organizations that want their legal identity auditable in the certificate, such as large ecommerce sites, government bodies, banks and other financial institutions.
Benefits of Using HTTPS Over HTTP
Companies need to ensure maximum security for their users as online security becomes ever more important, and having an SSL certificate installed shapes the way consumers perceive your website and business. SSL certificates protect your sensitive information by keeping data secure between servers and browsers. If the site is not protected with an SSL certificate and you or your customers access private pages from a public network (airport, mall, food court, etc.), anyone on the same network can capture the session cookie your browser sends with every request and replay it to take over the account without ever learning the password; this session hijacking is a matter of running a packet sniffer, not of cracking anything. Encryption alone is not the whole fix: the server must also mark session cookies with the Secure attribute so that browsers never send them over a plain HTTP link, and should redirect HTTP to HTTPS (ideally with an HTTP Strict Transport Security header) so that no such link is ever followed. HTTPS is also a ranking signal in Google search, so SSL pages get a boost in the search index. Strong protection and authentication increase the trust users place in your site, which can help conversion rates too. Encrypting the website traffic prevents eavesdropping, man-in-the-middle attacks, sniffing and forging of the communication’s contents, which keeps your pages free from ad injection, injected exploits, unwanted widgets and file replacement by intermediaries, and so reduces browser warnings and alerts.
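The session-hijacking scenario above is a question of what the browser transmits, and that can be shown without any network at all. The following Go program is an added example, not code from the original article: it builds the Set-Cookie header a hypothetical login handler at shop.example.test (a made-up host) would send, with and without the Secure attribute, feeds it into Go’s standards-following cookie jar as if it had arrived over HTTPS, and then asks the jar which cookies it would attach to a later http:// and https:// request for the same site. Without Secure, the session id rides along on any plain-HTTP link and is readable by everyone on the same Wi-Fi; with Secure, the browser withholds it.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// SetCookieHeader builds the Set-Cookie header a login handler would send after
// a successful login. secure=true marks the cookie HTTPS-only; HttpOnly keeps
// page scripts from reading it; SameSite=Lax limits cross-site sending.
func SetCookieHeader(secure bool) string {
	c := &http.Cookie{
		Name:     "session",
		Value:    "c0ffee1234", // constructed sample session id
		Path:     "/",
		HttpOnly: true,
		Secure:   secure,
		SameSite: http.SameSiteLaxMode,
	}
	return c.String()
}

// CookieSentOver stores the cookie from an HTTPS login response in a
// standards-following cookie jar and reports whether the client would attach it
// to a later request for reqURL (for example a plain http:// link on the same site).
func CookieSentOver(secure bool, reqURL string) (bool, error) {
	jar, err := cookiejar.New(nil)
	if err != nil {
		return false, err
	}
	origin, err := url.Parse("https://shop.example.test/login") // hypothetical site
	if err != nil {
		return false, err
	}
	// Parse the header exactly as a browser would parse the login response.
	resp := &http.Response{Header: http.Header{"Set-Cookie": {SetCookieHeader(secure)}}}
	jar.SetCookies(origin, resp.Cookies())
	target, err := url.Parse(reqURL)
	if err != nil {
		return false, err
	}
	for _, c := range jar.Cookies(target) {
		if c.Name == "session" {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	for _, secure := range []bool{false, true} {
		fmt.Println("Set-Cookie:", SetCookieHeader(secure))
		for _, u := range []string{"http://shop.example.test/account", "https://shop.example.test/account"} {
			sent, err := CookieSentOver(secure, u)
			if err != nil {
				panic(err)
			}
			fmt.Printf("  session cookie sent with %-36s %v\n", u, sent)
		}
	}
}
```

The Secure attribute is what stops the leak; the certificate only makes an HTTPS page possible. On a real site the cookie-setting code lives in the login handler, and an HTTP-to-HTTPS redirect plus Strict-Transport-Security ensures the browser never has a plain-HTTP link to follow in the first place.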
How To Choose an SSL Provider?
If you think that SSL may be needed on your website, how do you know what type of certificate to purchase? Typically there is an annual fee to obtain a certificate from a trusted vendor, who may have to verify your identity before issuing it. Once issued, the certificate (together with any intermediate certificates the vendor supplies) must be installed on your server alongside the private key for the HTTPS connection to work. This is handled by your hosting company if you get the SSL as an add-on to your hosting plan. You can also obtain a certificate from any third-party certificate authority and install it on your hosting account yourself. Browsers, operating systems and mobile devices maintain lists of trusted certificate authority root certificates; the root at the top of your certificate’s chain must be present on the end user’s device, otherwise the browser displays an error page, and companies risk losing sales and business when that happens. Before buying, check that the vendor’s roots are trusted by the browsers your customers use: Symantec’s roots (including the GeoTrust, Thawte and RapidSSL brands) were distrusted by Chrome and Firefox in 2018 after DigiCert took over the CA business, and certificates sold under those brands now chain to DigiCert roots. For professional and ecommerce sites we recommend buying the validation level you need (Domain Validated at minimum; Organization or Extended Validation where identity assurance matters) from legitimate and reputable certificate vendors, e.g. Comodo (now Sectigo), GeoTrust, Thawte, GlobalSign, RapidSSL, GoDaddy, and Symantec and Verisign (both now part of DigiCert). Free Domain Validated certificates from Let’s Encrypt are trusted by all major browsers and give exactly the same encryption as a paid DV certificate; the practical differences are the 90-day lifetime, which calls for automated renewal, and the absence of an OV or EV option or a vendor warranty, so they suit any site that does not need a vetted organisation name, not just blogs on a minimal budget. Cloudflare also provisions free certificates for sites behind its proxy, but that certificate covers only the leg between the visitor and Cloudflare’s edge; the connection from Cloudflare to your origin server must be encrypted separately (Cloudflare’s “Full (strict)” mode) or that half of the path still travels in cleartext.
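The chain of checks described under “How Does an SSL Certificate Work?” and the trust-store requirement just above can be watched end to end in code. The following Go program is an added example and not part of the original article or of any vendor’s software: it plays a hypothetical certificate authority (“Example Test Root CA”), issues a Domain Validated style certificate for the made-up host shop.example.test, and then runs a real TLS handshake over loopback three times: with the root installed and the right name, with the root missing from the client’s trust store, and with the right root but a mismatched name. Only the first succeeds; the other two fail exactly where a browser would show its error page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue generates a key pair and a certificate for tmpl; parent == nil means self-signed (a root CA).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI plays the CA: a throwaway root plus a leaf whose only vetted identity is the DNS name (as with DV).
func BuildPKI(dnsName string) (*x509.Certificate, tls.Certificate, error) {
	nb, na := time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	root, rootKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Test Root CA"}, // hypothetical CA
		NotBefore:    nb, NotAfter: na,
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	leaf, leafKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{dnsName}, // the SAN is the identity browsers check; the CN is ignored
		NotBefore:    nb, NotAfter: na,
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	return root, tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}, nil
}

// Verdict runs a real TLS handshake over loopback TCP and reports what a browser would conclude;
// roots is the client's trust store and serverName the host name the user typed.
func Verdict(serverCert tls.Certificate, roots *x509.CertPool, serverName string) string {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "other: " + err.Error()
	}
	defer ln.Close()
	go func() { // the site's server: presents the certificate and completes the handshake
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			_ = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
		}
	}()
	// tls.Dial performs the handshake, verifies the chain against roots and matches serverName.
	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: serverName})
	if err == nil {
		client.Close()
	}
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &x509.UnknownAuthorityError{}):
		return "untrusted root" // Chrome: NET::ERR_CERT_AUTHORITY_INVALID
	case errors.As(err, &x509.HostnameError{}):
		return "name mismatch" // Chrome: NET::ERR_CERT_COMMON_NAME_INVALID
	default:
		return "other: " + err.Error()
	}
}

func main() {
	root, leaf, err := BuildPKI("shop.example.test") // hypothetical domain
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	fmt.Println("trusted root, right name:", Verdict(leaf, trusted, "shop.example.test"))
	fmt.Println("root not in trust store: ", Verdict(leaf, x509.NewCertPool(), "shop.example.test"))
	fmt.Println("trusted root, wrong name:", Verdict(leaf, trusted, "evil.example.test"))
}
```

Two details worth noticing: the leaf certificate carries the domain only in its Subject Alternative Name extension, because browsers stopped reading the Common Name for host matching years ago; and the second case is exactly what a visitor sees when a vendor’s root is absent from, or removed from, their device’s trust store, however valid the certificate itself is.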