SSL Certificates and HTTPS – do you need them?

What is HTTPS?

HTTP (Hyper Text Transfer Protocol) is the means by which your web browser (Google Chrome, Internet Explorer, Microsoft Edge, Firefox, Safari etc.) communicates with a website you are visiting. HTTPS (Hyper Text Transfer Protocol Secure) is basically an HTTP connection that is secure because the information transferred between your web browser and the website (for example, when you complete an enquiry form or purchase goods on the website) is encrypted, so hackers who intercept it cannot read it.

How is the information encrypted?

HTTPS uses special security technology that creates an encrypted link between a server (such as that hosting the website you are visiting) and the “client” (in this case your web browser), but the link could also be between a mail server and mail client such as Outlook. This security technology is provided by Transport Layer Security (TLS) or its predecessor Secure Sockets Layer (SSL), although both are generally referred to as SSL.

What is an SSL Certificate?

An SSL Certificate is a digital certificate that authenticates the identity of a website and encrypts information sent to the server using SSL technology. An SSL Certificate connects a domain, server or host name with the organisation’s identity (business name) and location. It is installed on the web server hosting the business’ website where its function is to establish a secure session with browsers so that all traffic between the website server and the web browser will be secure.

Is it obvious if a website has an SSL Certificate?

Yes, all the major browsers show a closed padlock in the browser bar when you are connected to a website via a secure connection, and the website’s URL will be prefixed by https:// (for example, https://www.fionastoreydesign.co.uk). Google Chrome now states “Secure” beside the locked padlock on the browser bar.

If you are not connected via a secure connection the browser bar will show an open padlock.

Google Chrome is now marking websites that handle payments or login data and do not have an SSL Certificate as “Not Secure”, and will eventually label all websites that are not HTTPS as “Not Secure”, thus emphasising the situation to website visitors.

Who needs SSL?

If you collect any sensitive data via your website, particularly bank or credit card details, but also other personal data such as an address or date of birth that could be used for identity fraud, you should definitely have an SSL Certificate on your web server and your website should be converted from HTTP to HTTPS. This is also the case for websites that have login facilities for access to any part of the website.

If you take payments on your website, but these are handled entirely by PayPal, all personal information is entered on the PayPal website so it is not essential for your website to be HTTPS.

However, even if you don’t collect such information you may want to consider converting your website to HTTPS. As far back as 2014, Google announced that they had changed their algorithms to give a slight advantage to sites that use SSL. Furthermore, most people surfing the web have limited understanding of internet security, and seeing an unlocked padlock or, if they are using Google Chrome, “Not Secure” in the browser bar, may discourage them from exploring your website. It could even impact on their trust in your business as a whole – if you are careless about website security what does that say about other aspects of your business?

Lastly, if your website is built on an online platform such as WordPress, whereby you (or your web developer) log in to a control panel to update your website, bear in mind that you have a login system on your website. This means every time you log in to a non-secure website, your unencrypted username and password are transferred between your browser and the web server. These could be intercepted by hackers who at the very least could cause damage to your website.

What do you need to do to convert your website to HTTPS?

Firstly you need to obtain an SSL Certificate or ensure that one is installed on your website server. This is done through your website hosting company. There is a huge variation in cost between hosting companies. Some include the facility in their more premium hosting packages, whilst others charge an annual fee for providing the certificate. The hosting company we use now has SSL included on their latest servers at no additional charge.

Once you have a valid SSL Certificate on your website you need to change the address of your website from http://______ to https://______. As well as the pages and posts, it is important that all internal links (e.g. to images or downloads that are uploaded to your website) are changed, as any remaining http links will cause the browser to report mixed content (a secure page that loads some of its content over a non-secure connection). How you do this will depend on the platform on which your website is built.

Finally, search engines such as Google will have cached pages and other content as http and not https. If someone clicks through to your website from search results they may get a non-secure connection, so you will need to think about how you can force the search engines to index the HTTPS version of your website.
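To find the leftover http links mentioned in the second step, a page's HTML can be scanned for them. The script below is an added example, not part of the original article; the names (MixedContentScanner, scan, SAMPLE_PAGE) and the www.example.com sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that make the browser fetch a subresource (a short, non-exhaustive list).
RESOURCE_ATTRS = {"img": ("src", "srcset"), "script": ("src",), "iframe": ("src",),
                  "source": ("src", "srcset"), "video": ("src", "poster"), "audio": ("src",)}

class MixedContentScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag in ("a", "link"):  # <link> stylesheets and icons are fetched; the rest are links
            rel = set(attrs.get("rel", "").lower().split())
            fetched = tag == "link" and rel & {"stylesheet", "icon"}
            self._check("mixed" if fetched else "link", tag, attrs.get("href", ""))
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name, "")  # srcset holds "url descriptor, url descriptor"
            urls = [c.split()[0] for c in value.split(",") if c.strip()] if name == "srcset" else [value]
            for url in urls:
                self._check("mixed", tag, url)

    def _check(self, kind, tag, url):
        parts = urlparse(url.strip())
        # Links to other sites are left alone; only the site's own http:// links count.
        if parts.scheme == "http" and (kind == "mixed" or parts.hostname == self.site_host):
            self.findings.append((self.getpos()[0], kind, tag, url.strip()))

def scan(html, site_host):
    scanner = MixedContentScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; www.example.com stands in for the site being converted.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/wp-content/themes/site/style.css">
</head><body>
<img src="http://www.example.com/wp-content/uploads/logo.png"
     srcset="https://www.example.com/logo-2x.png 2x, http://www.example.com/logo-3x.png 3x">
<a href="http://www.example.com/downloads/brochure.pdf">Brochure</a>
<a href="http://other.example.org/">Partner site</a>
</body></html>"""

if __name__ == "__main__":
    print(*scan(SAMPLE_PAGE, "www.example.com"), sep="\n")
```

Entries marked "mixed" are resources the browser would load over a non-secure connection; entries marked "link" are the site's own links that still point at the http address.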

How can we help?

We offer a service for converting HTTP WordPress websites to HTTPS. We can also provide a quotation for transferring the hosting of your website to the company. Further details are available here.

What about Extended Validation SSL Certificates?

You may also have heard Extended Validation (EV) SSL Certificates mentioned. These are used for HTTPS websites and software to prove the identity of the legal entity controlling the website or software package. Obtaining an EV SSL Certificate requires verification of that organisation’s identity by a certificate authority. Web browsers show the verified legal identity prominently in their user interface, either before, or instead of, the domain name. If you install software from a manufacturer that has an EV SSL Certificate, the verified legal identity will be displayed to you by the operating system (e.g., Microsoft Windows) before proceeding with the installation. An EV Certificate does not enhance the security of data transmitted between a website and browser over and above a standard SSL Certificate.

When should an Extended Validation SSL Certificate be used?

EV SSL Certificates should be used for websites where identity assurance and visible trust are particularly important. High profile websites, such as major brands, banks or financial institutions, that are likely to be targeted for phishing attacks, should always have an EV SSL Certificate. However, any website that collects data or handles logins or online payments may also benefit from the greater trust provided by this higher level of SSL.
