What Is an SSL Certificate and Why You Should Care
As you’ve traveled around the web in your favorite browser, you may have noticed that some websites have “http://” at the beginning their address, while others have “https://” at the start of theirs.
Or, you may have noticed some websites show a green padlock in the address bar. What do all of these things mean? (Hint: the “S” stands for “Secure.”)
The differences in what you see in your browser’s address bar are quite important to the security of the data you are sending and receiving while connected to a website. If you’re not aware of how secure your connection to a website is, you are running the risk of having your valuable personal and business information stolen by the bad guys.
In this article, I’ll explain what an SSL certificate is, and why seeing that extra “S” in your favorite website’s address is a good thing. I’ll also share how you can protect any websites you own by installing an SSL certificate to protect your readers, just as Pixel Privacy does. Look up in the address bar, and you’ll see that beautiful green padlock, assuring you that your connection to my website is secure.
I’ll also show you how to tell whether or not the website you’re connected to offers secure browsing (for all of the most popular browsers), and what you can do to ensure you’re protected, even if your favorite website isn’t secure.
What is an SSL Certificate?
An SSL (Secure Sockets Layer) certificate is a digital certificate that certifies the identity of a website, allowing you to be sure the website you’re connecting to is the one you think you’re connecting to.
The SSL certificate also indicates that the information you send and receive from the website is encrypted, protecting it from any third party that may be attempting to monitor your online activities to steal your personal and business information.
An SSL certificate includes:
If a website has an SSL Certificate installed on their website, you’ll see a green padlock in your browser’s address bar. The website’s URL will also include “https://” instead of “http://”. In addition, depending on which browser you’re using, the word “Secure” might also display in the bar.
The screenshots shown below demonstrate how a secure website’s address bar will appear.
Apple Safari (which shows a silver padlock unless you click in the address field):
How Does a Website’s SSL Certificate Protect Me?
When you are connected to a website with an SSL certificate installed, your connection, and the information transmitted to and from the website, are encrypted.
What this means is that if anyone is “eavesdropping” on your internet activity, they can’t tell what your activity on that website is. This means they can’t harvest your login credentials or glean any of your account information.
HTTPS/SSL protection is an excellent security solution to protect sensitive personal and business information such as banking, credit card or shopping information. That is why banking, credit card and shopping websites make use of SSL to protect their customers’ information.
However, SSL certificates are also being used by other types of sites, such as social networking sites, to secure their members’ browsing sessions.
SSL is an excellent solution for securing:
The best explanation I’ve ever heard to demonstrate the difference between connecting to a website that doesn’t use SSL to protect your connection and a website the offers SSL protection is that of a conversation in a restaurant.
If you’re sitting at your table having a discussion with a friend, anyone sitting nearby can eavesdrop and follow your conversation. However, if you and your friend conduct your conversation in an unfamiliar language - let’s say, Latin - nearby diners will likely be unable to follow the conversation (unless they hung out with Julius Caesar.)
SSL Certificates use public key cryptography. This type of cryptography uses two keys, a public key and a private key, made up of a long string of randomly generated numbers.
The web server uses the public key to encrypt data, while the private key is used by the user’s web browser to decrypt the information for displaying in the browser. The browser is the only thing that can decrypt the data.
Since the browser is the only thing that can decrypt the information from the server, even if a hacker or other interested party intercepts the information being transmitted and received, they will not be able to read the data, as it is locked by the cryptographic code.
The process works like this:
- The server sends a copy of its public key to the browser.
- The browser then creates a session key, encrypted with the server’s public key, and sends it to the server.
- The server decrypts the encrypted session key to get the symmetric session key.
- This creates a secure channel for the browser and server, as only they know the symmetric session key created for that specific session. (If the same browser connects the next day, the whole process would be repeated to create a new session key.
What all this means is that even if someone else is monitoring your internet session, they’ll be unable to steal any of your information. However, you should be advised that while an observer can’t detect your activities, they can still see which websites you are connecting to.
In April 2017, it was reported that Internet Service Providers would be allowed to monitor their customers’ online antics and then sell that information to advertisers to be used for targeted advertising.
UGH! If you’re concerned about this, and you really should be, you should subscribe to a VPN service, which will encrypt your entire internet connection, effectively shielding your online travels from the eyes of outsiders.
Users who regularly connect to the internet through unprotected Wi-Fi hotspots, like those found at your favorite coffee shop or your local Sam’s Club, should also be concerned as to which websites aren’t protecting them via an https:// connection.
Open hotspots are attractive to hackers as ways to intercept other users’ information, putting your personal info at risk. This is why you should always use a VPN to connect to Public Wi-Fi Hostpots.
What if My Favorite Website Doesn’t Offer SSL Certificate Protection?
If your favorite website doesn’t offer SSL Certificate protection for your connection, the first thing you should do is to never buy anything from that website or share sensitive personal or business information with the site.
Next, send an email to the site’s webmaster, customer support department, or guy or gal who gets things done, urging them to get an SSL certificate for their site.
Short term, Chrome, Firefox and Opera users can make use of the Electronic Frontier Foundation’s (EFF) excellent HTTPS Everywhere browser extension.
HTTPS Everywhere encrypts your communications with most websites, even if they do not currently support HTTPS encryption.
The extension rewrites requests to HTTP sites as HTTPS, encrypting all of the information that is sent to and received from the websites. This is also handy when navigating through websites that may offer HTTPS for some parts of their website, but don’t offer it in all parts, or link to other sites that don’t offer SSL certificate protection.
Sadly, Internet Explorer and Safari users are left out of the fun, as HTTPS Everywhere is not available for their browsers directly from the EFF. However, IE users do have an alternative available, as an independent development team has released an IE extension based on the HTTPS Everywhere project.
Safari users are SOL (simply out of luck), as EFF says the Safari extension API doesn’t provide a way to perform secure rewriting of HTTP requests to the more secure HTTPS method. While there have been rumblings about some development in this area, so far, nothing of substance has been released.
Should I Get an SSL Certificate for My Website(s)?
Readers who have their own website(s) - and who doesn’t these days? - are probably wondering if they should get an SSL certificate for their website. The decisive, end-all answer to that question is: “Maybe.”
Is it an E-Commerce Site?
Do you sell products or accept credit card payments directly on your website? If so, then you definitely need to put SSL in place to encrypt and protect your customers’ credit and debit card information.
That said, you might not need to put it in place on your entire website - perhaps only on the store or checkout pages. However, site-wide SSL protection does make your users feel a bit more confident about the privacy protections offered on your site.
Do You Offer Memberships on Your Site?
Do you offer memberships to your website?
It doesn’t matter if those memberships are free or paid, if you require your readers to log in, perhaps to participate in forum discussions or to access premium content, you should put SSL in place to keep that login information safe from prying eyes.
Is Your Site a Blog Fan Site or Another Type of ‘Vanity Site’?
If your website is simply a blog where you post items of interest to yourself (and hopefully others), you probably don’t need an SSL Certificate. If you’re not selling products or memberships directly from the site, there really isn’t much to protect (no offense).
What Other Reasons Are There to Enable SSL?
Other reasons for changing your website to site-wide SSL protection include:
Visitors who visit your website to make a purchase or pay an invoice will be reassured when they see that little green padlock while they navigate through your site. This allows your customers to feel like their credit card and other information is protected from the bad guys.
Future Proof Your Site
Sure, you may not currently have need for SSL encryption on your website, but if you’re planning to grow your brand or business by offering products or memberships in the future, you’ll already have SSL in place to protect the whole shebang.
Get a Small Boost in Google Search Rankings
Google began giving websites that use HTTPS encryption by default a slight boost in their search result rankings. While it isn’t a huge bump, a slight bump is better than no bump.
Are There Different Types of SSL Certificates?
Yes, there are different types of SSL certificates. The main types include single, multi-domain, wildcard and shared certificates.
A Single Domain Certificate allows for certifying one fully qualified domain name on a single certificate. This means a certificate used for a single domain - let’s say, www.pixelprivacy.com - will allow security for any pages on www.pixelprivacy.com/. This makes it easy for a small to medium-sized business to protect their website.
A Multi-Domain Certificate (MDC) allows owners to secure multiple websites using distinct domain names. An MDC can be used to secure “domain1.com,” “domain2.com,” “domain3.com” and so on. Up to 100 domains can be protected by a single certificate. Customers can add or remove domains at any time.
MDCs offer the advantage of making it easier to track SSL Certificate expiration dates, as opposed to a single certificate for each domain. MDCs also usually allow for cost savings when compared to buying individual certificates.
A Wildcard SSL Certificate allows users to secure a single domain and unlimited subdomains under that domain name. That means a wildcard certificate will protect “www.pixelprivacy.com,” “users.pixelprivacy.com,” “store.pixelprivacy.com” and so on. Any subdomains added in the future will automatically be secured.
A Shared SSL Certificate has the advantage of usually being free, as your web hosting company is allowing you to use one of their SSL certificates.
While a shared certificate may be free, it might not be acceptable for many users, as shared SSL usually results in users seeing an URL like: “https://secure.webhostingcompany.com/~yourusername.” This could make your visitors a bit uncomfortable since they won’t be seeing your usual URL, and they may see warnings in their browser.
How Do I Purchase and Install an SSL Certificate?
When you’re ready to purchase and install an SSL Certificate on your website, there are a number of steps you’ll need to follow to make it all work. Depending on whether you self-host or use a web hosting provider, and who your hosting provider is, the process can either be a bit involved or simply a matter of a couple of clicks of a mouse.
The price you pay for an SSL certificate will range from free (yes, there are free certificate issuers) to hundreds of dollars. The price depends on where you buy the certificates and what type of certs you need. (See above for the various types of SSL certificates.)
While I will cover the basic steps required to buy and install an SSL certificate on your website, I highly recommend contacting your webmaster and/or web hosting service, as they will be able to tell you the exact process for successfully installing the certificate for your unique set up.
WikiHow also offers an informative “how-to” on installing an SSL Certificate on various server setups.
Overall, the steps are as follows:
Sounds simple, right? There may be some bumps along the way, but it is a fairly straightforward process. As long as you have everything prepared ahead of time, it will go smoothly.
While it will probably be easier, and in many cases cheaper, to obtain your SSL certificate through your web hosting provider, there are other options. Certificate authorities you can obtain a certificate from include: Comodo, DigiCert, Entrust, Network Solutions and many more.
As I’ve stated before, pricing can vary greatly according to the vendor and the type of certificate you need, so be sure to shop around the reputable sources.
Also, there are free options for SSL certificates. Check with your web hosting provider or visit the Let’s Encrypt website.
Let’s Encrypt is a free Certificate Authority backed by some big names in the tech industry, which may just be sufficient for your needs. The website makes it simple to get started and lays out the steps you need to follow to install a certificate on your website.
Many web hosting providers work with Let’s Encrypt to provide easy-to-install SSL certificates. For many of the providers, installing SSL protection for a website is simply a matter of a few clicks of the mouse cPanel.
And, as easy as it is to enable SSL on compatible providers, it’s just as easy to turn off if you discover your site isn’t working correctly with SSL enabled.
What Have We Learned?
As we’ve seen, an SSL Certificate is an important tool for protecting your privacy, as well as your personal and business data, from prying eyes. Websites that offer https:// connections, protected by an SSL Certificate, indicate that they are dedicated to protecting their customers’ activity while on their site.
It’s simple to tell when a website you’re visiting is protected by an SSL Certificate, as you simply look for the little green padlock or the word “secure” in your browser’s address bar. (If you’re not sure, look at the screenshots from earlier in this article, which show how each browser displays whether or not a website is secure.)
We’ve taken a look at the different types of SSL Certificates and what each of the types of certificates is best suited for when it comes to protecting a single website, or multiple websites, with the same certificate.
We’ve also learned how to get your website ready to install an SSL Certificate, and where we need to go to apply for one. In addition, we’ve covered how to install the certificate. Plus, if you’re on a budget, it’s good to know that there are ways to get a free certificate.
By reading this article, I believe you now have enough information to know when you’re protected by SSL while on other folks’ websites and how to protect visitors to your own websites.