SSL Certificates 101 - Everything you Need to Know
What is an SSL Certificate?
SSL stands for Secure Sockets Layer. An SSL certificate authenticates a website’s identity and enables the encryption of data. SSL certificates can be obtained through a certificate authority (CA), web hosting provider, or reseller. These digital certificates enable a site to move from HTTP to HTTPS.
When you visit a website with an SSL certificate, the data sent between your browser and the web server gets encrypted. It ensures that the data you enter into a site (i.e. credit card number, address, or login information) is only read by the intended recipient.
Note: The SSL you hear about today is usually the newer TLS (Transport Layer Security). SSL was sunset due to vulnerabilities, but TLS is often still called SSL. Throughout this article, we will use the term SSL for TLS.
How do I know if a website has an SSL certificate?
Any website you visit whose URL begins with the HTTPS (Hypertext Transfer Protocol Secure) prefix instead of HTTP (Hypertext Transfer Protocol) has an SSL certificate. SSL-certified websites also show a lock icon beside the URL, which indicates security. Some shops display this as a green mark or a check mark at the bottom of their page that, when clicked, displays their certificate.
If I scroll to the bottom of ebay.com, I see a check mark.
I click on the check mark and am presented with the SSL certificate for the site.
How does SSL work?
Each SSL certificate is associated with a pair of keys: the public key and the private key. The moment you visit a website with an SSL certificate, a “handshake” occurs. The handshake establishes a secure connection between your web browser and the web server through a key exchange.
What Happens during the Handshake?
A few things happen:
- The web server gives the web browser its SSL certificate and the public key to validate its identity
- The web browser sends the session key
- The web server decrypts the session key with its private key
- The web server and web browser generate a unique session key together during the handshake
- The unique session key is used by the web server and the web browser to encrypt the consumer data for the entire session
Will SSL Protect My Website?
While SSL protects the data of website visitors, it does not provide protection to the website. With SSL alone, a website is still vulnerable to malware infections, cross-site scripting (XSS), DDoS attacks, SQL injection and more. The purpose of SSL is to protect the consumer’s data transmission, which it does. Website owners need to be aware that securing their website is a separate venture. Comprehensive website security should consider factors like malware scanning, a web application firewall, and hack remediation response time.
What if You Don’t Have SSL?
Poses Unnecessary Consumer Risk
Websites without an SSL certificate expose their viewers to the risk of data sniffing. When this results in stolen data, the relationship between the consumer and the business that owns the website suffers, as well as the business’s reputation. The risk to the consumer is not one-off either. The most recent data from 2021 shows the volume of stolen payment data more than doubled in Q2.
Discourages Web Traffic
Web browsers are not shy about letting consumers know when they attempt to visit sites that are not SSL certified. Browsers tag HTTP sites with warnings to increase consumer awareness. When users try to enter a site without an SSL certificate, they receive a message or pop-up to proceed with caution.
The URL also sports a red yield icon with a “Not Secure” message that can alarm potential site visitors and make them think twice before accepting the risk of visiting an HTTP site.
Penalizes Search Results
In 2014, Google announced a change to their ranking algorithm that would factor in a website’s SSL certificate, and it has been in place since. Not having an SSL certificate can bump your website’s ranking from the first page to an obsolete ranking. This costs a business major visibility, which impacts conversions and, ultimately, the bottom line.
Where can I get an SSL Certificate?
There are CAs like Let's Encrypt that provide SSLs for free in the interest of creating a safer internet, but many still charge. Media Temple includes an auto-install and auto-renew SSL Certification in their security package at no additional charge. With Cybersecurity Awareness Month in full swing, adding an SSL certificate to your website is low-hanging fruit to do your part and #becybersmart.