What are SSL Certificates & Why Do You Need One?
Ever wondered why some websites begin with “http://” and others with “https://”? That “s” stands for “secure,” and it indicates that the site you’re browsing is using a protected, encrypted connection.
SSL certificates are small data files that encrypt data packets as they are sent through the Internet. SSL is often used to transfer data logins and credit card information online.
You’ve probably heard of 128-bit encryption, or seen the green address bar of an EV SSL certificate, and you’re wondering “Do I need an SSL certificate on my site?” Most online shoppers are very careful and want to know that their information is safe. Using an SSL certificate provides two important things:
- Encryption of sensitive data like credit card numbers and personal information
- Some assurance to your customers that you are trustworthy (the process of getting an SSL certificate can’t guarantee this, but it can make it more likely which is part of the reason why visitors have this perception)
These are very important benefits and, while not all websites require an SSL certificate, it is essential for certain types of sites. To find out if you need an SSL certificate for your site, answer these questions:
Is my site an e-commerce site that collects credit card information?
For most e-commerce sites, you absolutely need an SSL certificate! As an online merchant, it is your responsibility to make sure the information you collect from your customers is protected. This will shield you and your customers by making sure that no one can intercept and misuse their credit card information.
Your customers are providing you with very important and personal information that allows access to their hard earned money. If an identity thief gets access to your customer’s credit card information because you didn’t take the necessary precautions, it can be devastating to you and to your customer. Your customers need to know that you value their security and privacy and are serious about protecting their information. More and more customers are becoming savvy online shoppers and won’t buy from you if you don’t have an SSL certificate installed.
If you accept credit card information and store it in a database so you can process it using an offline POS machine or charge it manually on your merchant account’s website, then you definitely need an SSL certificate to secure the credit card data as it is transferred. You also need to be very careful with the data when it is stored on your servers. Learn more about PCI Compliance and SSL and the requirements of protecting stored credit card information.
Do I use a 3rd party payment processor?
If your e-commerce site forwards your visitors to a 3rd party payment processor (like PayPal) to enter the credit card information then you don’t need an SSL certificate because your website won’t touch the credit card information. Just make sure none of the credit card details get entered when the address bar still shows your domain name. Note that PayPal allows you to accept the credit card information on your site or forward visitors to their site. If you accept the credit card information on your site, you need an SSL certificate.
Do I have a login form?
If your users enter a username and password to login to your site without an SSL certificate, an attacker can easily see their username and password in clear text. This would allow someone else to impersonate your visitor, but it allows for a far more dangerous possibility: Because users often use the same password on many sites (including their bank accounts), an attacker can potentially compromise many other accounts. If you let people store a password with you, you must take responsibility for protecting it, even if the security of your own site isn’t critical.
It is true that most login forms don’t currently use SSL. This means that most login forms are vulnerable. With the number of cheap SSL certificates available, it is becoming more and more worthwhile to secure login forms. If you want to forego the SSL certificate without having to worry about securing the login information, you can also use OpenID, Facebook Connect, or another technology that lets users log in on a another site and return to your site. Learn more about creating a secure login form.
Do I need my own SSL certificate or can I use a shared SSL certificate?
Many hosting providers will include a shared SSL certificate that you can use instead of buying your own. As long as it doesn’t give any errors on your site, this will be great for securing login information or other sensitive information. However, a shared SSL certificate doesn’t provide as much assurance to your visitors because it doesn’t include your organization or website name in it and may display a warning.
In short, if your website is a collection of pictures of your goldfish Rudy with a small blog and doesn’t require visitors to log in, you probably don’t need SSL. If you have a login form or send or receive private customer information, then you need SSL. If you run an e-commerce website where people provide you with credit card information directly on your site, you absolutely need SSL.
A website that has an SSL certificate ensures all website traffic between your web server and user’s browser is secure and cannot be read. When your website has an active SSL certificate the application protocol changes from HTTP to HTTPS.
To see if your website has an SSL certificate, simply view your website’s URL to see whether it contains HTTP or HTTPS.
WHAT ARE HTTPS AND SSL?
HTTPS is really just the sum of a set of protocols: HTTP, SSL (or TLS), and TCP. As a part of the HTTPS protocol, SSL is a secure way to send encrypted information between a server and a browser. Sites that use HTTPS safeguard their visitors’ information, and also earn better rank in search engines—even Google has prioritized sites using HTTPS.
Using public key cryptography (or asymmetric cryptography), any information that’s sent between the site (the user interacting via a browser) and the site’s server (with the database, operating system, etc.) is unreadable if it’s intercepted by another party. That can be anything from your username and password, credit card information, to other important data.
Only the intended recipient with the key to unlock that encrypted data can read it, keeping hackers and thieves out of the loop. Without it, any computer between a user and the server can theoretically intercept that information. Also, hackers can recreate or impersonate websites to lure users into entering sensitive information—something that’s easy to do if a user isn’t looking for that verification an SSL certificate can provide.
Are SSL and TLS the same thing?
Before we talk more about SSL certificates, you’ve probably seen SSL and TLS (Transport Layer Security) used interchangeably. So, is there a difference between SSL and TLS? The answer is basically no, because they’re both encrypted protocols and TLS is essentially a newer version of SSL. (SSL version 3.0 served as the basis for the first version of the TLS protocol.) TLS is a session layer protocol between the Application and Transport layers, and SSL is a high-level encryption for the transmission of encrypted data. With SSL, while an outside party may still access your data, without the encryption key they won’t be able to read it..
Thankfully technology advancements are never too far behind, and having a Secure Socket Layer (SSL) certificate will not only ensure your customers’ safety, but will improve your position on Google and generate more sales.