What is an SSL Certificate?
An SSL certificate establishes a secure connection on your website that is more resistant to hackers. In a nutshell, it is a small computer file that connects an organization's details to a cryptographic key. When an SSL--secure sockets layer--certificate is installed on a website's server, it activates the familiar padlock icon and HTTPS (instead of HTTP) protocol in a web browser, which allows a secure connection between a web server and a browser.
This is most commonly seen on websites that involve credit card transactions, file transfers, and social media browsing and logins.
Why bother with an SSL Certificate?
Consumer Protection and Trust
According to a GlobalSign study, 84% of website visitors said they would abandon a purchase if they knew the data was being sent over an insecure connection.
Whether users truly understand how SSL works or not, more and more consumers recognize that SSL protects sensitive information being sent over the internet--such as credit card information, usernames, passwords, etc.-- from falling into the wrong hands.
That green padlock tells your users that it's okay to have a high level of trust with the site--and thereby, the organization--and they can feel confident using your site. Trust makes all the difference in the world of online business and showing that your site is safe can go a long way toward improving user relations and conversion rates.
Google is Still King
Also, be aware that Google has called for "HTTPS everywhere" on the internet; they take into account whether sites use secure connections as a factor in their Google Search ranking results. While SSL may not be the largest SEO factor at the moment, it will only continue to grow as Google continues to push for website owners everywhere to secure their sites.
Google's push is publicly visible as its popular browser Chome* has begun a process that labels all pages without an HTTPS connection that contain sensitive input fields as "Not Secure" in the browser's address bar. This practice will eventually lead to all plain HTTP pages being labeled as "Not Secure".
* How popular is Chrome? It has a web browser market share of 58.1% according to w3counter.com. The next most popular browser is Safari, with a share of only 14.9%.
Not only that, but Google Chrome and other web browsers have demonstrated the willingness to punish SSL Certificate Authorities for showing an inability to issue trusted certificates via a secure process.
Just a few months ago Google cracked down on Symantec, “In a severe rebuke of one of the biggest suppliers of HTTPS credentials, Google Chrome developers announced plans to drastically restrict transport layer security certificates sold by Symantec-owned issuers following the discovery they have allegedly mis-issued more than 30,000 certificates.” (arstechnica.com)
And again, “Mozilla, the world's second most popular browser, announced an important security decision last week to distrust a range of bad SSL certificates issued by Certificate Authorities (CAs) WoSign and Startcom, citing "technical and management failures" (riskiq.com).
Although these failures fall on the shoulders of the Certificate Authorities who issue the SSL Certificates, it’s important for you as a customer to ensure that you are dealing with a trusted Authority that is respected among the internet security community.
Keeping Up with Best Practices
Based on internet trends, it appears that SSL security will soon become the expected standard for all websites.
Is an SSL certificate right for your website?
You definitely need SSL if...
You sell products and handle customer's credit card payment information. If you use PayPal or another external payment processing website exclusively to accept payments, you don't need SSL since customers aren't paying on your site directly. You do, however, need to ensure that the system you are using is SSL encrypted.
You should definitely consider SSL if...
Your website stores usernames and passwords for some type of membership system or something similar. Your members are trusting you with their email addresses, names, and passwords, which are likely used on other websites as well. You don't want to allow a breach that results in their information being spread across the internet.
If you don't have the budget or your site doesn't handle sensitive data from its users...
If your site is only a blog with a simple contact form or a collection of pages with information and images that don't actually collect anything from its users you probably don't need an SSL certificate. However, be aware that major internet players such as Google are showing that they aren't afraid to "punish" any site in the future that doesn't use SSL. Your users should always feel safe on your website, so it's good to think about what other options may be out there.
There are free options that have recently become available such as Let's Encrypt, a free, automated, and open certificate authority provided by the Internet Security Research Group. It allows you to enable HTTPS (including the green padlock) for your website for free in a user-friendly way. However, there are some downsides to consider.
Another free option is FreeSSL powered by Symantec, a typically reputable SSL provider. FreeSSL is currently free for nonprofits and startups, but you can sign up for their email list to stay updated on their mission to provide free SSL to the public.
How much does an SSL certificate cost?
Let's Encrypt and FreeSSL ~Free
Being free is great and it allows you to enable HTTPS including the padlock icon.
On the downside, the level of encryption is not as high as most paid options, and depending on how you set Let's Encrypt up, you may have the inconvenience of needing to manually renew your certificate every 90 days. The biggest issue to look out for: because of its increasing popularity, it is becoming more and more of a target for hackers.
Note: The following are the paid SSL Certificates provided by Thawte. Prices for different SSL providers will vary, but this guide will give you an idea of what to expect, as most offer similar SSL plans.
Thawte SSL 123 ~$149/year
Thawte SSL 123 enables HTTPS, gives you the padlock icon, and provides the minimum level of validation in commercially-available SSL. Your domain name is the only information available to assure users.
Thawte SSL Web Server ~$199/year
Thawte SSL Web Server enables HTTPS, gives you the padlock icon, and provides more assurance for users as it provides full organization validation including your domain name and validated organization name in certificate details and verification pages.
Thawte SSL Web Server with EV (Extended Validation) ~$299/year
Thawte SSL Web Server with EV enables HTTPS and gives you a green padlock icon in all browsers along with your organization's name in green next to it to provide an even higher level of credibility.
This certificate shows that your organization has met the industry's highest standard of authentication. It is best for credit card transacting websites, banks, and financial institutions.
If your website could use a security or accessibility update--or even a complete overhaul--you know where to find us.