Everyone on the World Wide Web is talking about SSL certificates, and has been doing so increasingly for the past months, at least. The reason? Google and its ever-changing algorithms. Specifically, one of the latest actions Google has taken to fight fraudulent, insecure websites and pages is to label non-HTTPS pages as "not secure":
There's a high chance you've already come across one of these alert messages. Or, even worse, users have reached out to you saying your website or eCommerce store isn't secure according to Google. And, correct me if I'm wrong, you were caught short; someone might even have panicked at that time. If you're still trying to understand what this fuss is all about, this guide is for you.
In this guide, I'll go through all the main elements pertaining to SSL certificates to provide you with a clear picture of what they are and how they work and, above all, whether you as a website/eCommerce store manager need to have them in place.
Ready to start? Let's dive in!
A little history of the SSL certificate
They say "to know your future you must know your past", right? Put into a closer, business perspective, I'd rephrase that as "to better assess whether you'll need an SSL certificate, get to know why they were created". So before getting our hands dirty with actual tips and suggestions, here's some information about SSL certificates from their early days.
It was March 1995 when Netscape, the most adopted web browser in the '90s (before Internet Explorer gained its market share), decided to actually do something to increase the security of communication between a client and a server. In other words, they wanted to make the Internet safer. That's why early in that year, they deployed Netscape Navigator 1.1, giving birth to the Secure Sockets Layer Protocol (SSL in short). As we now know:
Netscape's goal was to create an encrypted data path between a client and a server that was platform or OS agnostic. Netscape also embraced SSL to take advantage of new encryption schemes such as the recent adoption of the Advanced Encryption Standard (AES) considered more secure than Data Encryption Standard (DES).
But it was after 2003 that SSL certificates started to be taken more seriously, as the US Government deemed AES secure enough to be used for classified information. And from those early days, through different iterations and versions, SSL certificates have come to be trusted and implemented by many websites.
For those who want to know more about the history of SSL/TLS in lots of detail, this timeline from Ivan Ristić shows it perfectly.
What does an SSL certificate do? What are its main benefits to a website?
Enough with history! Now it's time to better understand how an SSL certificate works and how, when implemented, it could benefit a website or eCommerce store.
From a business perspective, there's no need to go into many tech details, yet you need to know how an SSL certificate affects your website. Here's a great tutorial to start with:
As you can now imagine, an SSL certificate is your way, as a website/eCommerce store owner, to show your users that security is in place and that the communication of data is encrypted. Your users will also notice a different visual sign of a valid SSL certificate in their browser, like a lock icon, a green bar, etc., depending on the certificate you're using (more on different types of certificates later on).
So, what are the main benefits of implementing an SSL certificate into your website?
Now that you have an idea of how SSL certificates work, it's time to see how they could benefit your website and eCommerce store.
Encrypted communications and data
Do your users have to log in to access pages on your website? Does your website have to handle sensitive information, such as credit cards, security numbers, etc.? Well, without an SSL certificate, which encrypts all communications back and forth, these types of data could be "intercepted" by a hacker pretty easily, as they'd be sent as plain text.
Performance and HTTP/2
The world is moving to the newer version of the HTTP protocol called HTTP/2 because, on top of several improvements, it features higher performance (we're talking about performance 50-70% better than sites over HTTP/1.1). What does this have to do with SSL certificates? Well, if you'd like to take advantage of HTTP/2, you'd be required to run your website or eCommerce store on HTTPS.
SEO and rankings
In 2014, Google said that HTTPS is now a ranking factor. Therefore a lot of website owners started to switch from HTTP towards HTTPS because they didn't want to be penalized by the almighty search engine. By analyzing 1 million search results, Brian Dean found out that HTTPS, in fact, correlates with higher rankings on Google’s first page:
Along with the other benefits above, an SSL certificate assists you in a key aspect: it builds trust among your users. It shows them they're engaging with a secure website, one where their credit card information, for example, is handled in a secure and encrypted way. You don't need me to tell you how important trust is in business.
Do I need an SSL certificate?
In this journey within the SSL certificates world, after seeing the benefits, we finally have come to a turning point.
Will you need an SSL certificate at the end of the day? Is your website or eCommerce store the perfect candidate for it?
Don't take these questions as technical ones. Asking whether or not to use a tool to build trust with your customers is a business question. Asking yourself how to improve the security of sensitive data is also a business question.
And to help you find your answer, I've created this list for you.
You'd need to have an SSL certificate, if...
- you run an eCommerce store
- you run a paid membership website
- you run any type of transactional website (online banking, financial account management, wire transfers, and the like)
- your website requires users to log in
- your website has forms that handle personal data, credit card information or any other sensitive data from your users
- your website allows users to chat on the website
Because of the benefits highlighted above, if you're managing a website or eCommerce store that falls under one of these descriptions, you'll need to have an SSL certificate implemented.
I'm not talking here about a nice-to-have technicality that would improve some non-critical aspect of your website. It's a matter of your business taking advantage of the current state of things in the "Online World" while keeping it all secure for your users.
But what if you have a "standard" website, like a personal website with a portfolio showing off your work, for example? What about an informational website where users come to read and be informed about a topic? Well, if that's your case, you're under less pressure than other website owners to act now, get an SSL certificate and move to HTTPS. Still, moving to HTTPS has plenty of advantages and, even if it isn't critical to your website today, tomorrow it'll be the standard.
Better be prepared soon, right?
To give you some perspective, here's some data from the HTTP Archive showing the percentage of websites that redirect to HTTPS amongst the top 500K sites:
Growing from 5.5% in mid-2015 to 12.4% in mid-2016, the number of HTTPS websites has more than doubled in a year!
What will you need to install an SSL certificate?
This guide isn't meant to show how to technically implement an SSL certificate (that could be the topic for a whole new blog post). Nonetheless, I've outlined the main steps and actions you'll need to take, with all the technicalities removed.
Below you'll find the bare bones of transitioning from a non-secure, certificate-less, HTTP life to a more secure, SSL-empowered, HTTPS future. This is what you'd need to do:
- You need to understand what type of SSL certificate is a good fit for your website and purchase it (more info below, keep reading)
- You need to install your SSL certificate on your website
- You need to set up 301 redirects from HTTP to HTTPS
- You need to thoroughly test your website for broken links and mixed content issues
Now let's see each item on the list in more detail...
1. SSL certificates: where to buy one
You can get SSL certificates from SSL certificate vendors or, in many cases, directly by asking your hosting provider about them. There are literally hundreds of websites through which you could buy your own certificate, including some of the most trusted vendors such as Comodo, Symantec, GeoTrust, or Thawte.
What types of SSL certificates are there?
Before buying, it's better to understand what types of SSL certificates are available and what they do.
So, let me help you with that. SSL certificates divide into four different types:
Domain Validation Certificates, primarily used to verify domain ownership. You could recognize them by seeing this in your browser:
Organization Validation Certificates, primarily used to prove that a company is registered, along with domain validation. The business name is shown in the certificate details. You could recognize them by seeing this logo somewhere on their page:
Extended Validation Certificates: to be eligible for this certificate, a business owner has to submit the necessary business documents to prove their business exists. Usually, it's big companies such as banks that use this type of certificate. You could recognize them by seeing this in your browser:
Wildcard SSL certificate, this type of certificate allows you to secure your domain and all sub-domains with a single certificate:
My personal suggestion is to buy your SSL certificate through your own hosting provider and ask them what type of certificate might be a good fit for your website or eCommerce store.
Back to the main list, now...
2. How to add an SSL certificate to your website
There are three ways you could accomplish this task, specifically:
a) You could ask your hosting provider if they provide this kind of service and, if they do, you're in luck! Note: not all hosting providers offer such a service, so don't get mad if yours doesn't. Maybe start to think about changing your hosting provider to a more professional one.
b) You could learn and do it yourself but, please, be cautious because you could "break your website" really badly if things aren't deployed correctly.
c) You could hire somebody on Codeable to properly implement your desired SSL certificate, move your website or eCommerce store to HTTPS and leave you with peace of mind. Quick and easy.
3. Implement 301 redirects, re-add your website to Google Search Console and update Google Analytics
When moving your website to HTTPS you should also take care to notify Google of this transition. How do you do that? Yes, with 301 permanent redirects.
But there's one thing many forget when switching to an HTTPS domain, and that is adding - again - your website to Google Search Console (formerly "Google Webmaster Tools"). Even if it's still your exact same website, after switching to HTTPS, Google treats it as a new domain.
Same story goes for Google Analytics. So fire up GA, navigate to Administration › Property Settings and pick HTTPS as your default domain:
After you flip from HTTP to HTTPS, thanks to your new SSL certificate, it's time to check everything and extensively test all your links to see if any were broken during the transition. Along with these tests, you should also check that all your website and eCommerce store assets are now served through HTTPS to prevent mixed content issues.
To collect data quickly about your website and see if everything went through correctly, you could start with a tool such as Qualys Lab, which will scan your website to check if your SSL certificate is installed properly.
Right now, there's still one topic left uncovered, something you've been dying to ask right from the beginning, i.e. "How much is an SSL certificate going to cost me?"
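The mixed content check described above can be scripted. The following is an added example, not part of the original guide: a Python scanner that flags plain-HTTP resources, form targets and same-site links on a page served over HTTPS. The `shop.example` page is constructed, and the active/passive grouping goes slightly beyond the guide's general mention of mixed content.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) -> kind. "active" loads get blocked on an HTTPS page,
# "passive" ones are warned about or auto-upgraded, depending on the browser.
RULES = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("link", "href"): "active", ("img", "src"): "passive",
    ("video", "src"): "passive", ("audio", "src"): "passive",
    ("form", "action"): "form", ("a", "href"): "link",
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL), in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (rule_tag, attr), kind in RULES.items():
            if rule_tag != tag or not attrs.get(attr):
                continue
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue  # rel="canonical" etc. are hints, not subresource loads
            # Resolve relative and protocol-relative URLs against the page URL.
            url = urljoin(self.page_url, attrs[attr].strip())
            parts = urlsplit(url)
            same_site = parts.hostname == urlsplit(self.page_url).hostname
            if parts.scheme == "http" and (kind != "link" or same_site):
                self.findings.append((kind, tag, url))

def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page for a hypothetical store at https://shop.example/
SAMPLE = """<html><head>
<link rel="canonical" href="http://shop.example/">
<link rel="stylesheet" href="http://shop.example/css/site.css">
<script src="//cdn.example/app.js"></script></head><body>
<img src="http://shop.example/img/logo.png"><img src="/img/banner.png">
<form action="http://shop.example/login" method="post"></form>
<a href="http://shop.example/about">About</a> <a href="http://other.example/">Partner</a>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan("https://shop.example/", SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

Same-site `link` findings still work through the 301 redirect, but each one costs an extra plain-HTTP request, so they are worth rewriting to HTTPS as well.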
How much will an SSL certificate cost you?
The price for an SSL certificate can fluctuate quite a bit, depending on several factors, so take these numbers with a grain of salt and use them as a guideline.
SSL certificate prices can range from $8/year up to even $5k+/year for some Wildcard SSL certificates. Discounted prices might occur if you buy certificates for more than 1 year (not all vendors provide them).
For those on a budget, there are also free SSL certificates to check out, such as Let's Encrypt, a service provided by the Internet Security Research Group (ISRG).
Top 5 things you should take into account (and never forget) when moving to HTTPS
Here's a list you'd want to keep handy right before moving your website to HTTPS, because it outlines things you could easily forget about or simply not know might happen to you:
- Traffic drops for a while, even significantly, but that's just temporary.
- Don't forget about your CDN: if you use a CDN, you need to make sure that your CDN supports HTTPS.
- You'll experience some broken links: the more links your website or eCommerce store features, the higher the chance some of them might be broken after your switch to HTTPS. Fix that by leveraging 301 redirects. The same could happen to links to your images, so be on the lookout for that to happen and be prepared in advance.
- Don't forget to tweak Google Analytics to correctly gather data on your website again (switch to HTTPS as default domain).
- Add your HTTPS website to Google Search Console again and re-submit a new sitemap.
Wrapping things up
As you can see, there are a lot of things involved when people talk about SSL and HTTPS. The goal of this guide is to provide you with tools and information to understand the importance of moving your website or eCommerce store towards a more secure future. It's never been acceptable to leave users' data unprotected and it definitely isn't today, with such an abundant list of options you can choose from.
Encrypted data, secure communications, and trust. These are non-debatable pillars any great online business should thrive on and, thanks to SSL and HTTPS, you'll be running one of those great businesses.