
What is an SSL certificate, and why do I need one?

First some basics:

When you visit a web page, your browser makes requests for files and content from a server (for the purposes of this article, you can think of the web server as another computer somewhere in the world connected to the internet). The server will do its best to fulfil those requests, normally sending back the page, image or file that has been requested. These requests and responses are sent over the internet using a protocol called HTTP, which stands for Hypertext Transfer Protocol.

Imagine I’m sat at my desk and I need a file from the cabinet on the other side of the office, so I call out to Bob, who is sat nearer than me, to grab the file and pass it over. Bob does so, passing it to Lisa, who is sat between us, and she passes it to me. I now have what I need, but in the process Lisa could have read the file and learned what was in it. This isn’t a problem if the file contains nothing sensitive, but it could have contained something more important.

In a similar manner, the requests and responses involved in loading a webpage are passed back and forth across the internet through various routing points, and they could technically be read by systems or people at those locations.

There is a solution to this, and it is called HTTPS (Hyper Text Transfer Protocol Secure). This is an encrypted version of the communication between the browser and server. You may have noticed many sites already using it, especially shopping sites, with the browser displaying a padlock next to the browser bar to indicate secure communication.

Anyone between the browser and the server could still technically see the communication, but wouldn’t understand it without knowing how to decrypt it.

What is an SSL certificate?

An SSL certificate is the means of encrypting the communication in such a way that the browser and server can understand it, but nothing in between can. SSL certificates can technically be generated by anyone, but in order to work correctly they need to be issued by a trusted Certificate Authority. Standard modern browsers are able to verify the validity of the certificate and protect against invalid certificates.
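To see the difference between a certificate "generated by anyone" and one issued by an authority, the following added example (not part of the original article) uses the openssl command line tool to create both and then verify them. The names example.test and Demo Root CA are constructed placeholders, and the demo CA stands in for a real Certificate Authority; the check covers only the chain of trust, not the hostname matching a browser also performs.

```shell
#!/usr/bin/env bash
# Added example. example.test and "Demo Root CA" are constructed placeholders.
# Prints "selfsigned=<verdict> ca_issued=<verdict>".
demo_cert_trust() {
  local d
  d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    # Minimal config so the run does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
      '[dn]' 'CN = placeholder' \
      '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > demo.cnf

    # 1. "Generated by anyone": a certificate signed with its own key.
    openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=example.test" -keyout self.key -out self.crt 2>/dev/null || exit 1

    # 2. Stand-in for a Certificate Authority (its certificate is marked CA:TRUE).
    openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -days 1 -subj "/CN=Demo Root CA" -keyout ca.key -out ca.crt 2>/dev/null || exit 1

    # 3. The site creates a signing request; the CA issues site.crt from it.
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=example.test" -keyout site.key -out site.csr 2>/dev/null || exit 1
    openssl x509 -req -in site.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 1 -out site.crt 2>/dev/null || exit 1

    # 4. Verify each certificate against the demo CA, the way a browser checks
    #    a site's certificate against the authorities it already trusts.
    verdict() {
      if openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; then
        echo accepted
      else
        echo rejected
      fi
    }
    echo "selfsigned=$(verdict self.crt) ca_issued=$(verdict site.crt)"
  )
  local rc=$?
  rm -rf "$d"
  return $rc
}

demo_cert_trust
```

Both certificates carry the same site name and both can encrypt traffic; only the one whose signature traces back to a trusted authority passes verification.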

Why do I need an SSL certificate?

  • To protect communication between servers and browsers. This is important all the time, but especially with sensitive data, such as shopping, personal information, account logins etc.
  • Google recognises the importance of proper security, and uses the presence of HTTPS as part of its decision-making process on which sites to list in its search results. In short, HTTPS helps your Google ranking.
  • It builds trust between you as a business and your clients and serves to reassure them.
  • Correctly secured sites will have better conversion rates than sites that aren’t.

Your website is part of your business and taking the correct steps to protect your website should be as important as remembering to lock the door on your way out.

Where do I start?

To secure your site with HTTPS you can obtain an SSL certificate directly from a Certificate Authority (CA) and ask your hosting provider to install it. Alternatively, contact your hosting provider, who will likely offer installation and management of SSL certificates as a package. Prices can range from £50 to £250 depending on your requirements.

Trusted Certificate Authorities

Comodo
Symantec
GoDaddy
GlobalSign

Free SSL with Let’s Encrypt

If you’re on a budget and don’t want to pay the annual fee for an SSL certificate, you can use a free service and obtain a basic SSL certificate.

Let’s Encrypt is a certificate authority run by the Internet Security Research Group (ISRG), which provides free Domain Validated (DV) SSL certificates. A DV SSL certificate only confirms ownership of a domain, but it does offer simple, no-frills encryption to secure your site on HTTPS.

The project’s aim is to encourage all connections to the World Wide Web to be encrypted as standard by simplifying the setup and maintenance process. Their service is an automated, payment-free solution and one that many hosting providers have already begun to implement as a ‘one click’ install.

Major sponsors of the project include the Electronic Frontier Foundation (EFF), the Mozilla Foundation and Cisco Systems.