When a website is using an SSL certificate your web browser will display a padlock in the address bar and it may go green. (The start of the web address will also normally change from HTTP to HTTPS with the S standing for secure). This shows that the site is secure and OK to use. Most websites currently don’t use an SSL certificate. The ones that do tend to be ecommerce websites or sites which need to be particularly secure such as banks. This is going to change in 2015 with a number of organisations pushing for all sites to use SSL.
What is an SSL Certificate?
SSL stands for Secure Socket Layer. SSL is a method for establishing secure and encrypted connections between two computers or services such as your laptop and your bank’s website (in practice many websites and online services now use the TLS protocol rather than SSL but most people still refer to it as SSL).
To install an SSL certificate on a website the website owner puts a small piece of code on their server known as a key. They then give this key to a certificate authority who verify the ownership and identity of the website. Once they are happy that the site is genuine they give the site owner another key to install on their server. When you try to connect to the website your web browser will check the keys to make sure that the site is genuine and safe to use. It will verify that the site is really who it says it is and can start an encrypted connection. At the moment most websites on the internet don’t use SSL and are therefore, by definition, not secure.
2015 – The year of SSL
A lot of security and technology experts think it is wrong that we currently have a situation where most websites are not secure. It makes life a lot easier for hackers, spammers and phishing scams and makes everyone who uses the internet more vulnerable. Therefore a number of organisations are planning to take action this year to increase the number of websites using SSL.
Google have been making a big move towards making their web services more secure in the last year (partly in response to the Snowden revelations about NSA and GCHQ spying).
92% of UK web searches are done through Google and as most businesses know the higher your website appears in the Google rankings the more business you will get. Back in August 2014 Google publically announced that they are using whether or not a website uses HTTPS as a ranking factor (in practice you need an SSL certificate in order to use HTTPS). This means that if you do not have an SSL certificate Google won’t rank your website as highly in the search results.
Google also control the Google Chrome browser. Chrome is currently the most popular browser online with around a 45% market share. Along with most other browsers Google Chrome will currently warn you if there is a problem with the SSL certificate on a website and try to stop you from using the website. It has been reported that Google Chrome may now start showing similar warnings whenever you go to a site without an SSL in an attempt to put people off using less secure websites.
Mozilla are a not for profit organisation who are behind a number of popular online tools including the Firefox browser, Thunderbird email client and Filezilla FTP client. Firefox is currently the third most popular browser on the web with about 15% to 20% market share. Mozilla have indicated that they may follow Google Chrome in warning Firefox users whenever they visit a website without an SSL certificate.
Mozilla are also working with the Electronic Frontier Foundation (EFF), Cisco and others on an initiative called Let’s Encrypt. Launching in summer 2015 Let’s Encrypt has the stated aim of encrypting the entire web through the use of SSL certificates. One of the reasons many sites don’t use SSL certificates at the moment is that they are relatively expensive and a pain to install. The Let’s Encrypt initiate promises to make SSL certificates free and much quicker and easier to install.
What does this mean for my business website?
If you want your website to rank well in Google you need to have a valid SSL certificate. If you want your website to be secure you need to have a valid SSL certificate. If you don’t want to run the risk of your customers getting scary warning messages when they visit your website you need to have a valid SSL certificate. In short if you are running a business website in 2015 you should be looking at getting an SSL certificate. There are three basic types. From cheapest to most expensive they are:
Domain Validated – the certificate authority will check that your server and domain name match
Organisation Validated – the certificate authority will check the server and domain name as well as your company details such as checking your Certificate of Incorporation, phone number and email addresses.
Extended Validation – the certificate authority will do more checks on who owns the domain name, who owns the website, who is acting on behalf of the company and the legal paperwork around the website and organisation.
Which type you need will partly depend on what your website is doing. If you are selling online, taking card payments and collecting people’s details then you may want to go for Extended Validation. If your website just provides information about your business then a Domain or Organisation validated certificate should be enough.
How much will this cost?
Depending on what type of certificate you go for and who you buy it from they can cost anywhere between £50 and £500. However this is not the only cost to consider. At the moment most people will need to get their web designer or developer to install an SSL certificate for them. It normally involves messing around on the command line of servers which is not something everyone feels comfortable doing or will have access to. Even though Let’s Encrypt are planning to simplify this process it still looks like it may be a command line job to install their certificates. Once the certificate is installed there may also be additional work required on your website to make sure all images and downloads have secure paths and that all of your links and navigation still works properly.
If you go for an Organisation or Extended Validation certificate then the paperwork can take several days to complete so this also needs to be considered as part of your costs when making your website secure.
So, while SSL certificates are increasingly looking like a necessity for all business websites in 2015, it is not going to be cheap. Hopefully the Let’s Encrypt initiative will simplify things somewhat (and reduce the cost) but we will have to wait and see by how much.