SSL FAQ: What’s all this talk about security certificates, anyway?

We have been getting an increasing number of inquiries from our clients about website security certificates. In order to get accurate information out to everyone as expeditiously as possible, we have put together this list of frequently asked questions.

What is SSL?

The initials SSL stand for Secure Sockets Layer. The same technology or concept is also called a certificate, website certificate, or security certificate. People also often refer to this as https…with the “s” standing for “secure.”

OK…but what is SSL? What does it do?

In a nutshell, it’s a special set of instructions that allows your website to secretly communicate with each of your website visitors. It scrambles the information going back and forth between the user and the server so no unauthorized party can intercept and read that communication.

Does it work? Does it really make the communication secret?

Yes. If implemented correctly, the communication is absolutely secure. DigiCert claims that it would take on average 6.4 quadrillion years to crack one of their 2048-bit certificates on a normal desktop computer. Even if a hacker has a botnet of 1,000,000 desktop computers, you’re still looking at about four and a half billion years of processing time. Your cat videos are safe.

Do I need SSL on my website?

“Need” is a funny word. You are required by law to enable SSL if visitors submit sensitive or personal / private information to your website or if your website provides that information back to your visitors. This would include credit card numbers, social security numbers, bank information, insurance information, and so forth.

However…

It’s a good idea to do everything you can to protect the privacy of your visitors, customers, and clients. Apart from that, Google has publicly stated that they take security certificates into account when determining a website’s ranking. Also, the Chrome browser has already started warning users of insecure web forms whether sensitive information is being conveyed or not. Google is only going to increase the prominence and severity of those warnings in coming months & years…perhaps even extending them to the search results page. So, while you may not strictly speaking need a certificate, it’s a good idea to implement SSL if only to keep The Google happy.

How do I get SSL on my website?

Every site is different and will have unique steps and challenges–there’s no one-size-fits-all solution. Unless you’re exceptionally techy (in which case you will not be reading this article) you will need to get an I.T. professional involved. The best place to start would be with the company that runs the server upon which your website lives (your hosting provider). In addition, many agencies that design & build websites can also get SSL set up and working properly. If you need a recommendation, contact us and we can get you pointed in the right direction.

What does it cost to enable SSL?

Again, this varies widely with each website and it largely depends on your hosting provider. In some cases, certificates can be obtained and installed for free. In other cases, there might be a small fee of a few dollars for the certificate. In the most egregious cases, you could pay $1,500 per year for a certificate. You also may have to pay for the installation.

Why the big discrepancy in pricing?

It has to do with the type of certificate you are obtaining and the level of service the company is providing. Without going into a huge amount of detail, there are three kinds of SSL certificates–DV, OV, and EV. They all encrypt the communications in exactly the same way. The difference is that when you purchase the OV and EV certificates, the company from which you purchase them will go through a validation process to make sure that you are who you say you are and that your company is legit. In the case of an EV certificate, that validation process is quite extensive and can take up to two weeks to complete. Also, many companies offer special insurances with the purchase of the OV or EV certificates.

With a DV certificate, the company only verifies that you own the domain name and nothing else.

If you want to know more, you can read this page from GlobalSign or do a quick Google Search on the different kinds of SSL certificates.

Oh…also, the fancy little lock icon in the user’s browser address bar will change slightly with the different certificate types. With the EV certificate, you even get your company name in the address bar! WHEEE! (Check out PayPal for an example of an EV certificate…or Google for an example of an OV certificate.)

I want the free one. How do I get that?

Well, again, you need to get your I.T. professional involved. You also need to have a hosting provider that will allow SSL certificates from the Let’s Encrypt service. (Let’s Encrypt only offers DV certificates, by the way.) There are many popular hosts that do not allow the Let’s Encrypt service. Probably the most popular that do not support it are:

  • Hostgator
  • 1and1 Hosting
  • HostMonster
  • InMotion Hosting
  • Namecheap

I would stay away from these hosts listed above as well as the others that offer no support for the Let’s Encrypt service. (List linked below.)

A small handful of hosts both support the Let’s Encrypt service and force SSL to be active by default on all new websites. Also, there are a HUGE number of hosts that support it and give you the option to enable it but do not enable SSL by default.

Full list of providers here.

It should also be noted that if your website lives on a dedicated server or a virtual private server (VPS) then you automatically have access to the Let’s Encrypt service even if your host is on that “not supported” list. If you don’t understand what all this means, don’t worry about it, “the I.T. guy (or gal)” will.

What else do I need to know?

Installing SSL on an existing website can be tricky…and it’s only marginally easier on a brand new website. Expect it to take a little bit to work out all the bugs. More than likely you will encounter pages on your site that will display mixed content warnings and other such errors after installing the certificate. This is normal and those bugs can be squished so just know that it’s more than likely going to happen. I wrote an article on switching over to SSL that might be helpful in this case.
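A first-pass check for the mixed content warnings described above, as an added example that is not from the original article: it scans a page's HTML for resources and form targets still hard-coded to http://. The sample page and the example.test host names are constructed for illustration.

```python
from html.parser import HTMLParser

# Tag -> (attribute holding the URL, kind of finding). Assumed starter set.
LOADERS = {
    "script": ("src", "active"),    # browsers block these on https pages
    "iframe": ("src", "active"),
    "link": ("href", "active"),     # stylesheets only; filtered by rel below
    "img": ("src", "passive"),      # typically shown with a warning
    "form": ("action", "form"),     # insecure form submission target
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in LOADERS:
            return  # plain <a href> links are navigation, not mixed content
        attr, kind = LOADERS[tag]
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower().split():
            return  # e.g. rel="canonical" does not load anything
        url = a.get(attr, "").strip()
        if url.lower().startswith("http://"):
            line, _ = self.getpos()
            self.findings.append((line, tag, kind, url))

def find_mixed_content(html):
    """Return (line, tag, kind, url) for each insecure reference in html."""
    p = MixedContentFinder()
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample page, not taken from any real site.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="canonical" href="http://www.example.test/">
<script src="https://cdn.example.test/app.js"></script>
<script src="//cdn.example.test/ok.js"></script>
</head><body>
<a href="http://www.example.test/about">About</a>
<img src="http://www.example.test/logo.png">
<form action="http://www.example.test/contact" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for line, tag, kind, url in find_mixed_content(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> {kind}: {url}")
```

Each finding is fixed by changing the URL to https:// (or serving the file from your own secured site); this static scan will not catch resources added by scripts at run time.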

There are also SEO best practices that need to be considered when switching over to SSL. That could be an entire article by itself. Don’t worry, we will guide you through it.

But, wait! I still have more questions!

OK…no problem. Give us a call or leave a comment below and we’ll get you sorted out!

Jerod Karam

Jerod Karam is Director of Technology at Netvantage Marketing, an online marketing company specializing in SEO, PPC and social media. Jerod consults with internal and external clients on all matters technical and is responsible for most of the technical work and custom online tools the company uses.
