Website encryption changed a lot in 2018, so I’ve updated this post with the current state of website encryption and SSL certificates.
First, a quick explanation. We’re talking about the lock icon that’s displayed next to the URL in your address bar (see note at the end of this article about how this is changing).
The padlock (and the use of “https” instead of simply “http”) announces the presence of a Secure Sockets Layer (SSL), which encrypts the connection between your browser (Firefox, Safari, Chrome, Internet Explorer) and the website you’re visiting.
“SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent in plain text—leaving you vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web server they can see and use that information.” via DigiCert.
To set this up, you would purchase an SSL certificate for your website URL and install it on your server. SSL certificates contain a pair of keys (public and private) used to establish a secure connection between the viewer and the website. If you’d like a rough analogy for how this works, click here.
Do You Need SSL? Yes.
Several years ago, when I originally wrote this post, I recommended purchasing SSL for the following reasons:
- if you collect personal information through forms
- if you collect credit card information/sell products
- if customers log in to your website
- if you have restricted content
- if you wanted a potential SEO boost
Part of the reason for this criteria was because the average certificate cost an additional +$99 per year for hosting costs. It was a good practice to have it, but for a small business with nothing more than service options and contact forms it didn’t seem necessary.
However, in February 2018, Google announced that it would begin marking all HTTP sites as “not secure” in Chrome beginning in July 2018. Since Chrome is currently the most popular Internet browser, this is a big deal. It’s not like your site suddenly became less secure, it just looks that way, particularly to someone who might not understand the nuance of browser security warnings.
We include SSL certificates free of charge with every website we build.
No longer a nice option; SSL is now a must have for every small business on the web. This is also a great example of the power an industry behemoth has – if Google even announces they’re thinking about a change, everyone stops and listens. In this case, it’s a good thing, because it’s making the web more secure.
Important Note About the SSL Icon:
Google is changing the style of the padlock icon. “Users should expect that the web is safe by default, and they’ll be warned when there’s an issue. Since we’ll soon start marking all HTTP pages as “not secure”, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure.”
This means that instead of looking for a padlock, you won’t even have to think about a secure connection unless you get the red “not secure” notice (in Chrome). This is beginning October 2018.