Website encryption changed a lot in 2018, so I’ve updated this post with the current state of website encryption and SSL certificates.
First, a quick explanation. We’re talking about the lock icon that’s displayed next to the URL in your address bar (see note at the end of this article about how this is changing).
The padlock (and the use of “https” instead of simply “http”) indicates that the site uses Secure Sockets Layer (SSL), which encrypts the connection between your browser (Firefox, Safari, Chrome, Internet Explorer) and the website you’re visiting.
“SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent in plain text—leaving you vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web server they can see and use that information.” via DigiCert.
To set this up, you would purchase an SSL certificate for your website URL and install it on your server. SSL certificates contain a pair of keys (public and private) used to establish a secure connection between the viewer and the website. A rough analogy for how this works follows.
Rough SSL Certificate Analogy
You (your computer/browser) knock on the door of a website and ask if this is really the speakeasy-style cocktail bar that everyone’s been talking about or just the shady back door of a hotel. The bouncer (website server) responds that yes, this is the correct place, and here’s a secret passphrase to prove it (public key). Your browser checks that passphrase against a master list. If the name is a match and it’s not expired, you complete your half of the passphrase (private key) and the website lets you in, shutting out any spying eyes and allowing you to enjoy a cocktail in peace.
Where did you get the master list? It’s from the CA (Certificate Authority), which is the company the SSL certificate was purchased from.
Several years ago, when I originally wrote this post, I recommended purchasing SSL for the following reasons:
if you collect personal information through forms
if you collect credit card information/sell products
if customers log in to your website
if you have restricted content
if you want a potential SEO boost
Part of the reason for these criteria was that the average certificate added $99 per year to hosting costs. It was a good practice to have it, but for a small business with nothing more than service options and contact forms it didn’t seem necessary.
We include SSL certificates free of charge with every website we build.
No longer a nice option; SSL is now a must-have for every small business on the web. This is also a great example of the power an industry behemoth has – if Google even announces they’re thinking about a change, everyone stops and listens. In this case, it’s a good thing, because it’s making the web more secure.
Important Note About the SSL Icon:
Google is changing the style of the padlock icon. “Users should expect that the web is safe by default, and they’ll be warned when there’s an issue. Since we’ll soon start marking all HTTP pages as “not secure”, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure.”
This means that instead of looking for a padlock, you won’t even have to think about a secure connection unless you get the red “not secure” notice (in Chrome). This change begins in October 2018.
I hope this article was informative and practical, and that it gives you a decent idea of how SSL certificates work and why they’re now a must for every business. Keep in mind that while this is a best practice, it doesn’t mean that every website will abide by it. Always check for SSL when submitting credit card or personal information online. Thanks for reading and feel free to ask questions in the comments below.