SSL: What is it? And do I need it?



What is an SSL Certificate?

An SSL certificate establishes a secure connection on your website that is more resistant to hackers. In a nutshell, it is a small computer file that connects an organization’s details to a cryptographic key. When an SSL—secure sockets layer—certificate is installed on a website’s server, it activates the familiar padlock icon and HTTPS (instead of HTTP) protocol in a web browser, which allows a secure connection between a web server and a browser.


This is most commonly seen on websites that involve credit card transactions, file transfers, and social media browsing and logins.

Feeling techy? Get a more in-depth description of SSL from GlobalSign or Symantec.

We implemented SSL for the Association of Social Work Boards in 2016 when they started selling digital materials on their site.

Why bother with SSL?

Consumer Protection and Trust

According to a GlobalSign study, 84% of website visitors said they would abandon a purchase if they knew the data was being sent over an insecure connection.

Whether users truly understand how SSL works or not, more and more consumers recognize that SSL protects sensitive information being sent over the internet—such as credit card information, usernames, passwords, etc.—from falling into the wrong hands.

That green padlock tells your users that it’s okay to have a high level of trust with the site—and thereby, the organization—and they can feel confident using your site. Trust makes all the difference in the world of online business and showing that your site is safe can go a long way toward improving user relations and conversion rates.

Google is Still King

Also, be aware that Google has called for “HTTPS everywhere” on the internet; they take into account whether sites use secure connections as a factor in their Google Search ranking results. While SSL may not be the largest SEO factor at the moment, it will only continue to grow as Google continues to push for website owners everywhere to secure their sites.

Google’s push is publicly visible: its popular browser Chrome* has begun labeling all pages without an HTTPS connection that contain sensitive input fields as “Not Secure” in the browser’s address bar. This practice will eventually lead to all plain HTTP pages being labeled as “Not Secure”.

* How popular is Chrome? It has a web browser market share of 58.1% according to w3counter.com. The next most popular browser is Safari, with a share of only 14.9%.

The "Not Secure" warning in Chrome.

Not only that, but Google Chrome and other web browsers have demonstrated the willingness to punish SSL Certificate Authorities for showing an inability to issue trusted certificates via a secure process.

Just a few months ago Google cracked down on Symantec: “In a severe rebuke of one of the biggest suppliers of HTTPS credentials, Google Chrome developers announced plans to drastically restrict transport layer security certificates sold by Symantec-owned issuers following the discovery they have allegedly mis-issued more than 30,000 certificates.” (arstechnica.com)

And again: “Mozilla, the world’s second most popular browser, announced an important security decision last week to distrust a range of bad SSL certificates issued by Certificate Authorities (CAs) WoSign and Startcom, citing ‘technical and management failures’” (riskiq.com).

Although these failures fall on the shoulders of the Certificate Authorities who issue the SSL Certificates, it’s important for you as a customer to ensure that you are dealing with a trusted Authority that is respected among the internet security community.

Keeping Up with Best Practices

Based on internet trends, it appears that SSL security will soon become the expected standard for all websites.

The founder of WordPress, Matt Mullenweg, wrote in a blog: “Just as JavaScript is a near necessity for smoother user experiences and more modern PHP versions are critical for performance, SSL just makes sense as the next hurdle our users are going to face… Modern browsers and the incredible success of projects like Let’s Encrypt have made getting a certificate to secure your site fast, free, and something we think every host should support by default, especially in a post-Snowden era.”

Is an SSL certificate right for your website?

You definitely need SSL if…

You sell products and handle customers’ credit card payment information. If you use PayPal or another external payment processing website exclusively to accept payments, you don’t need SSL since customers aren’t paying on your site directly. You do, however, need to ensure that the system you are using is SSL encrypted.

You should definitely consider SSL if…

Your website stores usernames and passwords for some type of membership system or something similar. Your members are trusting you with their email addresses, names, and passwords, which are likely used on other websites as well. You don’t want to allow a breach that results in their information being spread across the internet.

If you don’t have the budget or your site doesn’t handle sensitive data from its users…

If your site is only a blog with a simple contact form, or a collection of pages with information and images that doesn’t actually collect anything from its users, you probably don’t need an SSL certificate. However, be aware that major internet players such as Google are showing that they aren’t afraid to “punish” any site in the future that doesn’t use SSL. Your users should always feel safe on your website, so it’s good to think about what other options may be out there.

The City of Charlottesville’s main site doesn’t have SSL, but users can feel confident paying online as the third-party bill paying site is secure.


There are free options that have recently become available such as Let’s Encrypt, a free, automated, and open certificate authority provided by the Internet Security Research Group. It allows you to enable HTTPS (including the green padlock) for your website for free in a user-friendly way. However, there are some downsides to consider.

Another free option is FreeSSL powered by Symantec, a typically reputable SSL provider. FreeSSL is currently free for nonprofits and startups, but you can sign up for their email list to stay updated on their mission to provide free SSL to the public.

How much does an SSL certificate cost?

Free Options

Let’s Encrypt and FreeSSL ~Free

Being free is great and it allows you to enable HTTPS including the padlock icon.

On the downside, the level of encryption is not as high as most paid options, and depending on how you set Let’s Encrypt up, you may have the inconvenience of needing to manually renew your certificate every 90 days. The biggest issue to look out for: because of its increasing popularity, it is becoming more and more of a target for hackers.

Paid Options

Note: The following are the paid SSL Certificates provided by Thawte. Prices for different SSL providers will vary, but this guide will give you an idea of what to expect, as most offer similar SSL plans.

Thawte SSL 123 ~$149/year

Thawte SSL 123 enables HTTPS, gives you the padlock icon, and provides the minimum level of validation in commercially-available SSL. Your domain name is the only information available to assure users.

Blue Ridge Builder’s Supply opted to implement SSL in 2016 to help with page ranking and to protect the login portal to their website’s content management system.

Thawte SSL Web Server ~$199/year

Thawte SSL Web Server enables HTTPS, gives you the padlock icon, and provides more assurance for users as it provides full organization validation including your domain name and validated organization name in certificate details and verification pages.

Thawte SSL Web Server with EV (Extended Validation) ~$299/year

Thawte SSL Web Server with EV enables HTTPS and gives you a green padlock icon in all browsers along with your organization’s name in green next to it to provide an even higher level of credibility.

This certificate shows that your organization has met the industry’s highest standard of authentication. It is best for credit card transacting websites, banks, and financial institutions.
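To check which of these validation tiers a certificate actually carries, and whether a short-lived certificate such as a 90-day Let’s Encrypt one is due for renewal, the following Python reads the fields Python’s standard ssl module exposes. It is an added example, not code from this article or from any certificate vendor. The sample certificates are constructed, and telling EV from OV by the extra subject fields is a heuristic assumed for illustration.

```python
import socket
import ssl

# Constructed samples in the dict format returned by ssl.SSLSocket.getpeercert().
# Host names, organizations and dates are made up for this example.
DV_CERT = {
    "subject": ((("commonName", "blog.example.org"),),),
    "notAfter": "Mar 31 00:00:00 2024 GMT",   # end of a 90-day lifetime
}
OV_CERT = {
    "subject": ((("organizationName", "Example Supply Co"),),
                (("commonName", "www.example.org"),)),
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
EV_CERT = {
    "subject": ((("businessCategory", "Private Organization"),),
                (("serialNumber", "0000000"),),
                (("organizationName", "Example Bank Ltd"),),
                (("commonName", "www.example.com"),)),
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}

def fetch_cert(host, port=443):
    """Fetch a live site's certificate after full verification (needs network)."""
    ctx = ssl.create_default_context()   # checks the CA chain and the host name
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def subject_fields(cert):
    """Flatten the nested subject tuples into a plain dict."""
    return {key: value for rdn in cert["subject"] for key, value in rdn}

def validation_level(cert):
    """Heuristic: which identity details the CA vouched for."""
    subj = subject_fields(cert)
    if "organizationName" not in subj:
        return "DV"   # domain name only
    if "businessCategory" in subj and "serialNumber" in subj:
        return "EV"   # assumption: EV subjects carry these extra fields
    return "OV"       # validated organization name

def days_left(cert, now):
    """Whole days from `now` (timezone-aware datetime) to the notAfter date."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now.timestamp()) // 86400)

def renewal_due(cert, now, threshold_days=30):
    """True once the certificate is inside the renewal window."""
    return days_left(cert, now) <= threshold_days
```

For a live site, pass the result of fetch_cert("your-domain") to the same functions; a verification failure there raises ssl.SSLCertVerificationError before any fields are read.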


If your website could use a security or accessibility update—or even a complete overhaul—you know where to find us.

