I hope you are the kind of person who checks whether a website has a green lock in its URL address bar before you enter any personal information, like credit card data on checkout pages.
But what about the data you enter at login or in a contact form? Did you know that this data is not transferred securely as long as a website doesn’t use SSL?
If there is a green padlock next to a https://-address, this basically indicates the existence of an SSL certificate for this website.
This means the information exchanged between a web browser and the website’s server is encrypted.
In my last article, I discussed why you should switch your website from http to https. In this article, I will help you understand some of the terminology of this topic so that you can comprehend the impact on your website and online business. I will then discuss your options when it comes to actually setting up an SSL certificate. And finally, I’ll throw some best practices and tips at you.
3 Reasons for Securing Your Website with HTTPS and SSL
In my previous article, I talked about the fact that Google has been calling for ‘HTTPS Everywhere’ since 2014. Since January 2017, it has enforced this call by making SSL a ranking factor for Search Engine Optimization (SEO). And from October 2017 on, your website will actually be penalized in its SEO ranking if it’s not secured by an SSL certificate.
Why do you think that is?
Google sees 3 reasons for securing your website with HTTPS and SSL. These are:
☞ Authentication. – Authentication addresses the issue of verifying the ownership of your website.
☞ Data Integrity. – Data Integrity is all about whether the data on your site has been interfered with – during transit.
☞ Encryption. – Encryption refers to the security of communications between the client and the server so that it cannot be read by a third party.
Tech Lingo Explained
“HTTPS is HTTP over TLS.”
– Is this tech lingo to you?
I know, these abbreviations sometimes make the topic really hard to understand, and “deciphering” them is just as hard. So, let me try and explain what all this actually means.
HTTP is the name for a protocol in computer science that describes how data is being transferred between a browser and a website. Once upon a time, someone had the idea to name this procedure HTTP. And now it is this way. Officially, HTTP stands for HyperText Transfer Protocol.
TLS stands for Transport Layer Security. It encrypts the communication between the web browser of a visitor (on one end) and the server of the visited website (on the other end).
Every single connection is uniquely secured.
Let’s take an example, and let’s assume you are accessing my website with your browser (which you are doing right now). If you find more than one article interesting (let’s say 2) and have opened these in separate tabs, you have now established 2 connections between your browser and my server. Each of these two tabs uses a unique key to access my website. My server and your browser negotiate the details of this security setup (algorithm, cryptographic keys) at the start of the session. That’s the TLS handshake.
These details are negotiated before you even see one letter appear on your screen.
This keeps known eavesdropping techniques and man-in-the-middle attacks out.
HTTPS contains an additional S in its name, which stands for Security. It means that a level of security has been added by encrypting the data in transfer. The data is no longer transferred as plain old text, but as a big string of random characters. That’s called encryption.
http:// means this is a website.
https:// means this is a secured website. It is using SSL to encrypt data and authenticate the website.
SSL is often named in the same breath as TLS. SSL stands for Secure Sockets Layer and is actually the predecessor of TLS. It provides communication security over a computer network. The terms SSL and SSL certificates have been used for some years now to point out that there is “security inside”.
To use SSL on a website, a certificate needs to be installed on the host’s server. This is done by the web host or provider.
An SSL Certificate is made up of two keys: A ‘Private Key’ and a ‘Public Key’. These keys are literally the “key” to having a secure website. The certificate is uploaded to your web host’s server and then broadcasts the security transfer protocol.
SSL Certificates expire after a certain time period and must be re-issued. Typically, this is after 1 or 2 years.
Setting Up An SSL Certificate On Your Website
To conform to Google’s standards, you will have to switch your website from http to https. You achieve this by setting up an SSL certificate. There are basically three ways to do that.
SSL Certificates from your Web Host
You get an SSL certificate from your web host. Many web hosts today offer SSL certificates for free as part of their packages. It was not always this way. But today, many hosts have to offer them for free in order to maintain competitiveness in the market. It is the easiest way to get an SSL certificate and you usually can use their support in case you need a helping hand.
Free SSL Certificates
You can, of course, use an external provider of SSL certificates. SSL certificates differ in what kind of validations are included. Which one you should choose depends on your business. They also come with different price tags.
Let’s Encrypt is a free SSL certificate provider that some web hosts offer a one-click installation for. But I need to warn you here, as it has its limitations. If you want to learn more about them, I recommend you read Chelsea McGuiness’ article, in which she reveals some of the downsides of this offer.
Premium SSL Certificates
Alternatively, there are premium certificates that cost more than $1000 per year.
If you have high revenues and really need the extra warrants such an expensive SSL certificate brings, then go for it. For most online entrepreneurs, a standard SSL certificate will do the job. If you are on a track to upgrade your business, this might be the way to go, though.
You can spot the differences in SSL certificates in the URL address bar in this image.
Whilst free SSL certificates only show a green padlock in the address bar, premium SSL certificates will show the company name next to the green padlock.
Both connections are secure, but they differ in what kind of validations are included.
When sorting through the different kinds of SSL certificates available, here are the 3 different characteristics you want to look out for in your decision process:
1. Level of Encryption – recommended is 256 bit
2. Browser Recognition – 99% is recommended
If you want to add this layer of security and would like a helping hand because of all this tech lingo, you may consider reaching out to someone who is comfortable with technologies for modern businesses.
I help online entrepreneurs in taking the stress out of tech and setting up their business so that it is safe and reliable.
Best Practices & Tips
When you are finally done with switching your website from http to https, can you sit back and have a cup of coffee? – Yes, sure!
But you want to do a few checks before moving on with other tasks on your list.
1) While the domain of your website is not changing, the address of your website has changed. It has gone from http:// to https://.
From a technical perspective, there are two different ports that are involved here. Traffic to your website may experience a drop until Google re-indexes your site. I, therefore, suggest you make sure your redirects work properly and you submit a new sitemap.
2) I have stumbled over this one. I am using an analytics service called Metricool to get a few insights about website traffic and social media engagement. The moment I made the switch from http to https, they were no longer able to track my website. I noticed a big plunge the next time I got their evaluation. After I made them aware of this plunge, they researched it and let me know that because of my switch to https they didn’t get any more data in!
‘Of course!’, I thought to myself.
==> So, if you use any external analytics tools or any other tool that relies on the precise address of your website, make sure you adjust that in their settings.
3) Test whether SSL is configured properly on your website.
You can test that at Qualys SSL Labs. It grades the web server configuration (A, B, C) and tells you what should be changed to be more secure. Typically, these changes need to be handled by your web host.
4) You installed SSL but didn’t get a green padlock next to your address bar?
If you see no green padlock next to your address bar in the browser, it means there is a problem.
Try Why No Padlock to find out why your page is not fully secure.
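For tip 1, here is one way to check that your redirects behave as intended. This is an added example, not part of the original article: the hosts and the recorded chain are constructed, and `audit_redirects` is a hypothetical helper name. It flags hops that are not permanent redirects and hops that still point to plain http.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample chain: (requested URL, status code, Location header or None).
SAMPLE_CHAIN = [
    ("http://example.com/shop", 302, "http://www.example.com/shop"),
    ("http://www.example.com/shop", 301, "https://www.example.com/shop"),
    ("https://www.example.com/shop", 200, None),
]

def audit_redirects(chain):
    """Return a list of problems in an http -> https redirect chain."""
    if not chain:
        return ["no responses recorded"]
    problems = []
    for number, (url, status, location) in enumerate(chain, start=1):
        scheme = urlsplit(url).scheme
        if number == len(chain):
            # The last hop is the page the visitor finally lands on.
            if scheme != "https":
                problems.append(f"final URL is not https: {url}")
            if status != 200:
                problems.append(f"final response is {status}, not 200")
            break
        if status not in (301, 308):
            # 302/307 are temporary; a permanent move should say so.
            problems.append(f"hop {number}: status {status} is not a permanent redirect")
        if not location:
            problems.append(f"hop {number}: no Location header")
            continue
        target = urljoin(url, location)  # the Location header may be relative
        if urlsplit(target).scheme != "https":
            problems.append(f"hop {number}: redirects to plain http ({target})")
    return problems

if __name__ == "__main__":
    for problem in audit_redirects(SAMPLE_CHAIN):
        print(problem)
```

The hops for your own site can be read from the Network tab of your browser's developer tools while loading the http:// address.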
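A common reason for the missing padlock in tip 4 is mixed content: an https page that still loads images, scripts or stylesheets over http://. The sketch below is an added example, not part of the original article; the sample page, its hosts and the helper names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ACTIVE = {"script", "iframe", "link"}          # typically blocked outright
PASSIVE = {"img", "audio", "video", "source"}  # typically cost you the padlock

# Constructed sample page, assumed to be served from https://www.example.com/contact
SAMPLE_HTML = """
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://www.example.com/contact">
<script src="http://cdn.example.net/jquery.js"></script>
<img src="http://www.example.com/logo.png">
<img src="//static.example.com/banner.png">
<a href="http://other.example.org/">a plain link is not a subresource</a>
"""

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheets are fetched; rel="canonical" is just metadata.
            if "stylesheet" not in (attrs.get("rel") or "").lower():
                return
            ref = attrs.get("href")
        elif tag in ACTIVE or tag in PASSIVE:
            ref = attrs.get("src")
        else:
            return
        if not ref:
            return
        absolute = urljoin(self.page_url, ref)  # resolves relative and // URLs
        if urlsplit(absolute).scheme == "http":
            kind = "active" if tag in ACTIVE else "passive"
            self.findings.append((kind, tag, absolute))

def find_mixed_content(page_url, html):
    """List subresources an https page would load over plain http."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

if __name__ == "__main__":
    for finding in find_mixed_content("https://www.example.com/contact", SAMPLE_HTML):
        print(finding)
```

Each finding is a resource address to change to https:// in your theme, plugin settings or page content.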
Over to You
I hope you found this article helpful. Not having an SSL certificate on your website will be penalized by Google from October 2017 on. Even if you only have a simple contact form on your website (which almost everyone has and should have), your online reputation will be affected by these new rules.
Got any more questions or unresolved puzzle pieces? You’re very welcome to use the comment section below or drop me a line if I can be of further help!