A comprehensive (yet interesting) guide to SSL certificates
There are a lot of people out there who are unfamiliar with SSL certificates. This can cause major problems for their internet privacy, the privacy of their website users and the potential success of their business.
However, these problems seem almost trivial when you realise you can get an SSL completely free thanks to Let’s Encrypt. Not only can you get an SSL for free, they are very easy to install, with most reputable WordPress hosts offering installation in a couple of clicks.
This guide covers all you need to know about SSL certificates – the risks, the rewards, the different types and most importantly, what they are. In fact, that’s probably the best place to start.
What is an SSL certificate?
SSL (Secure Sockets Layer) certificates secure the communication between your browser and any web server.
When you successfully install one of these certificates on your server, your site’s application protocol changes from HTTP to HTTPS – the ‘S’ stands for secure.
Without that precious ‘S’, anyone can see the data that users send to your site, providing they know how to find it.
HTTPS encrypts the communication from both ends so only the user’s specific computer and the server it’s sent to will be able to see what was transmitted.
For example, if you Google search “where is the nearest florist in Manchester” on Mother’s Day, only you and Google will be in on the secret. Your mum won’t be able to steal that data to find out what you’re buying her. Not that she would, but she could if Google didn’t use an SSL certificate.
How can I tell if a website is using an SSL?
Different browsers display SSLs differently. Take, for example, the most popular browser, Google Chrome. If the site has an SSL, the address bar will have a green padlock icon with the word ‘Secure’ next to it. The URL will also start with https:// as opposed to http://.
On Safari, the presence of an SSL is a little more subtle:
If you’re interested, you can check out the specific SSL of a website by heading to Qualys’ SSL Server Test and typing in the intended web address.
I often enjoy checking how different companies’ SSLs stack up against each other. For example, Google has an A grade SSL whereas Facebook has a B grade SSL. Fun, right?
Why should I have an SSL?
An SSL does three things for your business:
- Secures payments on your site
- Makes sure customers aren’t scared to share data with your site
- Protects you from potential Man-in-the-Middle cyber attacks
Let’s look at these in more detail:
1. Secure payments
If you run an eCommerce store, you’ll have to take payments via your WordPress website. If you’re taking credit or debit card payments on this page, you have to make sure you have an SSL-encrypted payment page; otherwise your customers’ card information will be at risk.
The best way to do this on WordPress is to install WooCommerce. WooCommerce is a free eCommerce plugin that allows you to sell anything and protects your data for you too.
The plugin is regularly audited by Sucuri, an industry leader in the field, so you won’t have to worry about your customers’ data being hacked.
But SSLs aren’t only for stores taking online payments…
2. Scaring away potential customers
As I mentioned, Google Chrome is currently the most popular web browser with a massive 60% desktop and mobile browser share. While Chrome makes it very clear if your website does have an SSL, it’s actually quite subtle when your website doesn’t have one:
As you can see, there’s just a little ‘i’ information button you can click. It’s only when users click this that they’ll get a warning about a site not having an SSL:
Start filling out a form on an HTTP site though, and this warning becomes a bit more obvious:
Google has announced that come July 2018, this warning will be on every HTTP site, whether or not a user is filling out a form. So it will be a lot more direct and a lot scarier for potential customers:
Google’s aim is to make it clear to users when a website doesn’t have an SSL and make it clear their data is at risk.
People are getting far savvier about how their data is treated online. In a 2017 poll by YouGov, 66% of people said they feared having their money or personal information stolen online.
If anyone sees Chrome’s improved SSL warning on your website, it will reinforce these fears. It doesn’t matter what type of website you have, how great it looks or how well you run it, if it doesn’t have an SSL, a large number of potential customers will be scared away from your site and away from your business.
3. Cyber attacks
An SSL not only protects the customer, it protects the business too.
Man-in-the-Middle attacks occur when an attacker places themselves between the web server and the client’s browser. When you have an SSL encrypting the data between the two sides, a hacker can’t decrypt the data because they don’t have the right key; only the server and the client do.
So if you install an SSL you’re more likely to evade any Man-in-the-Middle cyberattacks and your confidential business information will remain secure.
Uh oh! So I really need an SSL then?!
Yep. Luckily, Let’s Encrypt has made sure every website can get an SSL for free so there’s no need to get caught out.
This certificate authority exists on the sole basis that every website deserves to have an SSL – both to protect the customer and the business itself.
By installing a free SSL from Let’s Encrypt you won’t be short of company:
- 68% of Chrome traffic on both Android and Windows uses HTTPS
- 78% of Chrome traffic on both Chrome OS and Mac also uses HTTPS
- 81 of the top 100 sites on the web use HTTPS.
You can also buy an SSL (more about that below) – if you do, some companies even give you a site seal to display on your page so that people know they can trust you.
Do SSL certificates affect SEO?
SSLs are generally good for your SEO – or at least better than not having one. If you do SEO well, an SSL can increase traffic to your site. But why is that?
Back in 2014 Google updated their algorithm to favour HTTPS sites over HTTP. If two search results are equal in everything except for HTTPS then it’s the deciding factor in which is ranked higher in search. This means your competitors have a potential edge over you in search if you don’t have an SSL.
The other benefit of an SSL is that your Google Analytics referral data becomes more in-depth. If your website runs on HTTP, Google Analytics will only show referral sources as “direct traffic.” However, with HTTPS they tell you the exact website that has referred to you.
This gives you a clearer picture of where you do and don’t get traffic from – info you can use to make informed decisions that further boost your SEO.
What are the different types of SSL?
There are three different types of SSLs but only two of them are worth worrying about. You’ll understand why once you read through them:
1. Domain Validation (DV) SSL
These are low-cost or free certificates which only require domain validation from the Certificate Authority (CA).
With DV you’ll get that basic green padlock with ‘Secure’ next to it I mentioned earlier.
DV is the cheapest SSL but its minimal authentication can have its problems – as they’re so freely available, phishing sites have been known to use them to trick people into thinking they are legit.
An example of this would be someone setting up a domain as paypa1.com so it looks like the legitimate PayPal website, then sending an email telling people they need to log into their account. When they click the link, the phishers gain access.
These issues with DV are the reason packages requiring further validation are available. For large and enterprise scale companies, levelling up an SSL certificate is particularly worthwhile.
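A padlock on a domain like paypa1.com only shows that the connection is encrypted to whoever controls that domain, so the name itself still has to be checked. The Python sketch below is an added example, not part of the original guide: it flags hostnames that imitate a protected brand, and the brand list and character-substitution map are assumptions made up for illustration.

```python
# Added example: flag hostnames that imitate a protected brand name.
# PROTECTED and CONFUSABLE are constructed for illustration, not a full list.
PROTECTED = {"paypal": "paypal.com"}  # brand label -> legitimate domain

# Digits commonly swapped in to imitate a letter.
CONFUSABLE = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_hostname(hostname):
    """Return 'legitimate', 'lookalike:<brand>' or 'unrelated'."""
    host = hostname.lower().rstrip(".")
    # Anything at or under a real brand domain is accepted first.
    if any(host == real or host.endswith("." + real)
           for real in PROTECTED.values()):
        return "legitimate"
    # Otherwise compare every label with every brand: exact match after
    # folding confusable digits, or one typo away from the brand name.
    for brand in PROTECTED:
        for label in host.split("."):
            if (label.translate(CONFUSABLE) == brand
                    or edit_distance(label, brand) <= 1):
                return f"lookalike:{brand}"
    return "unrelated"


if __name__ == "__main__":
    for name in ("www.paypal.com", "paypa1.com",
                 "paypal.com.login.example.net", "example.org"):
        print(f"{name:32} {check_hostname(name)}")
```

A mail filter or proxy log review can run a check like this on link targets; the result does not depend on whether the site presents a certificate.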
2. Organisation Validation (OV) SSL
These types of SSLs require you to pay. You won’t find any free OV certificates so if you’re not looking to part with any money you should swerve this option. They can cost anything from £50 to £500 a year.
For this type of SSL the CA will verify the actual business that is attempting to get the certificate. They require your identity and physical (not web) address which can be done by providing valid verification documentation.
They show the same level of validation in the address bar as DV except when a user clicks on it they can see the company’s name on the certificate.
This should technically let customers know that they are on a legitimate website. However, not many customers will be aware of the difference between an OV SSL and DV SSL and won’t bother to check. For this reason people often refer to OV SSLs as a waste of money.
3. Extended Validation (EV) SSL
An EV SSL requires, you guessed it, even more validation than an OV. The CA still checks your domain ownership, but they also ask for your business’ registration and address, your phone number, and other pertinent information. EV SSLs can cost as little as £70 or as much as £800 depending on where you buy them from.
With this type of SSL your company name will be next to the green padlock in place of the word ‘Secure’ so customers will know they’re definitely on a legitimate website. The added visibility of the certificate makes it a better option than the OV if you’re looking to pay.
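The difference between the three levels is visible in the certificate's subject, which is what a browser shows when you click the padlock. The Python sketch below is an added example, not part of the original guide: it estimates the level from a certificate in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, using constructed sample certificates and a subject-field heuristic (the CA's policy identifier inside the certificate is the authoritative signal, but getpeercert() does not expose it).

```python
# Added example: estimate DV / OV / EV from a certificate's subject.
# Input is the dict shape returned by ssl.SSLSocket.getpeercert().
# The three certificates below are constructed sample data.

# Subject fields that EV certificates carry on top of the organisation name.
EV_MARKERS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

DV_CERT = {"subject": ((("commonName", "shop.example"),),)}
OV_CERT = {"subject": (
    (("countryName", "GB"),),
    (("organizationName", "Example Florist Ltd"),),
    (("commonName", "shop.example"),),
)}
EV_CERT = {"subject": (
    (("businessCategory", "Private Organization"),),
    (("jurisdictionCountryName", "GB"),),
    (("serialNumber", "00000000"),),
    (("countryName", "GB"),),
    (("organizationName", "Example Florist Ltd"),),
    (("commonName", "shop.example"),),
)}


def subject_fields(cert):
    """Flatten the nested subject tuples into {field_name: value}."""
    return {name: value
            for rdn in cert.get("subject", ())
            for name, value in rdn}


def validation_level(cert):
    """Heuristic: a DV subject names no organisation, OV adds
    organizationName, EV also carries the registration fields."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"
    if EV_MARKERS.issubset(fields):
        return "EV"
    return "OV"


def describe(cert):
    """One-line summary: hostname, level, and the organisation if named."""
    fields = subject_fields(cert)
    who = fields.get("organizationName", "no organisation named")
    return f"{fields.get('commonName', '?')}: {validation_level(cert)} ({who})"


if __name__ == "__main__":
    for sample in (DV_CERT, OV_CERT, EV_CERT):
        print(describe(sample))
```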
4. Transport Layer Security (TLS)
When looking up SSL certificates you might come across TLS certificates. TLS is an updated and more secure version of an SSL but you don’t see it mentioned often because most companies call their TLSs SSLs as the latter has become an all-encompassing phrase for both.
In short, if you buy an SSL you’re likely getting a TLS in disguise.
Where can I get an SSL certificate?
Now you’ve seen how important SSLs are, and how you need to have one no matter what website you own, I’ll show you how easy it is to get one for free.
By far the quickest and easiest way to get an SSL is via your WordPress host. Every WordPress website needs hosting anyway, so you may as well make the most of their technical setup rather than faffing about setting up an SSL in some roundabout way.
If you don’t yet have WordPress hosting, I’ll suggest a few of my favourites now:
- If you’re just starting out SiteGround hosting starts from £2.75 a month. For this price you can host 1 website, and you get 10GB of space and bandwidth which supports 10,000 visits per month.
- WP Engine prices start at $29 (around £21). On paper, the main difference between this and SiteGround hosting is that you get a bandwidth capable of supporting 25,000 visits per month.
- If neither of those hosts takes your fancy there’s always the £9.99 option from UK-based 34SP. You get 1 website with 25GB of disk space and ‘unlimited’ bandwidth. The reason I put unlimited in quotations is because they say as long as you’re uploading content along the lines of other users you won’t be charged for it.
There are hundreds of hosts out there, but it’s best to choose a WordPress-specific host as they’re best set up to host your WordPress site and give more tailored support.
All reputable WordPress hosts will allow you to easily install a free DV SSL from Let’s Encrypt. Some will do it by default.
If you want an OV or EV SSL you can buy one from your WordPress host and they’ll install it for you.
How do I install an SSL certificate?
We’ve already covered the most complicated parts of SSLs: what they are, why everyone needs one and where you can get one. Installing a free Let’s Encrypt SSL is so easy it’s almost insignificant.
I’m going to use SiteGround as our example here. Like most WordPress hosts, they make it easy to install a free Let’s Encrypt DV SSL when you use them as your web hosting provider:
- Most providers have a hosting control panel – such as cPanel – which gives the user a graphical interface from which to control the site.
- To manage your Let’s Encrypt certificates, log into your cPanel → Security tab → Let’s Encrypt.
- Here you will see your active certificates where you can install, cancel and enforce HTTPS for your site.
- SiteGround automatically renews your certificate every three months so you don’t have to.
It’s that simple. If you have any trouble at all, all of the hosting companies I mentioned above (SiteGround, WP Engine and 34SP) offer great support so just get in touch and they’ll steer you in the right direction.
Get yourself an SSL ASAP
Users are becoming more and more aware of how important it is to protect their data and with Google clamping down on HTTP sites it’s more important than ever that you install an SSL.
The good news is that they’re free so there’s no reason for you not to have one. Reputable WordPress hosts make this incredibly easy for you and I highly recommend hosting your site with either SiteGround, WP Engine or 34SP if you don’t already.
If your current web host isn’t concerned about SSL certificates, it might be time to look elsewhere because change is coming and you don’t want to be caught on the losing side.
If you need any further help installing an SSL or figuring out where to get one, feel free to contact us.
I hope this post has shed some light on their importance!