April 27, 2016

Protecting Your Website Users with an SSL Certificate

Austin Gil • Development

You Should Know

  • SSL certificates are an important tool for keeping your website (and your users) safe online.
  • They’re cheap (often free), easy to set up and there’s really no reason not to have one these days.

If you have ever owned a website or used the internet for online purchases, you might know that some site URLs begin with “https” instead of “http”, and that they are usually accompanied by a little green lock or shield. This means that the site has an SSL certificate and is therefore trustworthy.

What you may not know is that EVERY site should have SSL.

What does an SSL certificate do?

The short answer is that it certifies that your website is actually the site it claims to be. In other words, because Amazon has an SSL certificate, when you go to https://amazon.com you know that you are actually seeing Amazon’s website. The other great thing SSL certificates do is encrypt any data passing between the client (your browser) and the server (Amazon’s website). Care for a demonstration?

EnCt28d9a57025c0dccf2e5a03240eabc5d4393197bf48d9a57025c0dccf2e5a03240Yn/IMeIi+wE4dPAAIFeKffhHQcHedVtbrmUGPGCQnS264qBdKuk=IwEmS

Can you tell me what this text means? Of course not. No one can, because it’s encrypted. However, if you take that text over to https://encipher.it, you can decrypt it using my super secret password: “visceral”. Pretty neat, huh? Makes you feel a bit like James Bond?

What makes SSL so important?

Just like any James Bond movie, the story is not complete without a villain. In our case, the villain is a hacker. Without an SSL certificate, a hacker can use what’s called a man-in-the-middle attack to get between your computer and Amazon’s servers.

From here, they can see or even change any of the data being passed between the user and Amazon including things like credit card information or social security numbers. This is one cause of identity theft. With an SSL certificate, however, everything our James Bond villain sees is encrypted and will look similar to the text above.

Do you really need SSL?

YES! It is a common misconception that SSL certificates are only necessary for eCommerce sites, or sites that take sensitive information. The truth is that if you are accepting ANY data from users, you should have an SSL certificate. They trust you and you owe it to them to treat any information as sensitive and to take the necessary precautions to protect it. Identity theft can happen with much less than social security numbers or credit card numbers.

Let’s take this a step further. Remember when I said that our man-in-the-middle villain can not only read, but CHANGE the content a user will see? That opens up a lot of scary scenarios:

  • They can change your website content to hurt your reputation.
  • They could add input fields (like credit card) to a form that wouldn’t normally ask for that information.
  • They might link a button to download a virus instead of the intended, harmless PDF.

For those of you who respond better to positive incentives, consider this: The internet is moving towards a future where every site has SSL and huge companies like Google, Facebook, Mozilla, and more are pressing strongly for it. By joining ranks, your website could see these added benefits:

  • Better Search Rankings: Google openly claimed that they are going to give an SEO boost to sites rocking HTTPS.
  • Possible Speed Boost: There is a new web protocol called HTTP/2. Without getting too technical, it will allow your website to load faster, but major browsers only support it over HTTPS, so you need an SSL certificate to use it.

Here’s the good news.

SSL certificates are actually pretty inexpensive and easy to set up. Most hosting companies offer certificates and will do the setup for you. They might cost somewhere between $10 and $100. According to a conversation I had with Zack Tollman, the difference between a $10 certificate and a $100 certificate is just the $90 (as long as they include the same encryption protocols).

A service called Let’s Encrypt launched recently that allows users to get SSL certificates and install them completely free (although it requires a pretty advanced developer to use). So really, there is no reason to not get started with SSL.

Final Notes

Setting up SSL is great for you and your users, but it is not the only thing you need to do to ensure security. If you would like a better idea of what else is involved, check out our post on securing WordPress like a pro.

If you are running a WordPress site and want to set up an SSL certificate, you may hit some snags. Remember to change your site’s settings to reflect the change to https. You will also need to redirect all traffic and serve all resources from the new https URL. These plugins can help with that (note: you do not need all of them installed):

If you already have an SSL certificate, test it with the SSL Labs Test. If it doesn’t score all A’s you have a problem and need to tell your hosting company. If you need assistance setting up your certificate, or choosing the correct one, contact us at Visceral.
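
A local check for the "serve all resources from the new https URL" step, added here as an illustration and not taken from the original post or from any plugin: it scans a page's HTML for sub-resources that would still load over plain http, which is where a man-in-the-middle could still read or change content. The sample HTML, the example.com URLs and the severity labels are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# tag -> (attribute holding the URL, severity label used in this example)
RESOURCES = {
    "script": ("src", "active"),   # can rewrite the whole page
    "iframe": ("src", "active"),
    "link": ("href", "active"),    # only when rel=stylesheet, see below
    "img": ("src", "passive"),     # displayed content only
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "source": ("src", "passive"),
    "form": ("action", "form"),    # user input would be posted in cleartext
}

class MixedContentScanner(HTMLParser):
    """Collect sub-resources an https page would still fetch over http."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr, severity = RESOURCES.get(tag, (None, None))
        if attr is None or not attrs.get(attr):
            return
        # <link rel="canonical"> and similar do not load anything; skip them
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        # Resolve relative and protocol-relative URLs against the page URL
        target = urljoin(self.page_url, attrs[attr])
        if urlparse(target).scheme == "http":
            self.findings.append((severity, tag, target))

def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page, not taken from any real site.
SAMPLE = """
<link rel="stylesheet" href="http://example.com/wp-content/themes/x/style.css">
<link rel="canonical" href="http://example.com/">
<script src="//cdn.example.net/lib.js"></script>
<img src="http://example.com/wp-content/uploads/logo.png">
<img src="/wp-content/uploads/team.jpg">
<form action="http://example.com/contact"></form>
<a href="http://example.org/">plain link, not a sub-resource</a>
"""

if __name__ == "__main__":
    for severity, tag, url in scan("https://example.com/", SAMPLE):
        print(f"{severity:8} <{tag}> {url}")
```

Relative and protocol-relative URLs inherit https from the page and are not reported; only hard-coded http:// references are, which is typically what is left behind in old post content and theme files after a switch to https.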
