SSL Certificates and HTTPS: What You Need to Know

If you’re using Chrome 56 (or above), you might have noticed that some HTTP pages are marked as non-secure. This was introduced in January 2017, but only for pages that collect passwords or credit card data.

SSL Certificates and HTTPS: What You Need to Know

It’s part of Google’s plan to move to a more secure web. Eventually, they want to label all HTTP pages as “non-secure” and change the HTTP security indicator to the red triangle that is used for broken HTTPS connections.
SSL Certificates and HTTPS: What You Need to Know

Switching to HTTPS might be worth the effort after all. But how is this secure connection enabled? And what are the benefits? Let’s find out.

What is HTTPS?

HTTPS stands for HyperText Transfer Protocol Secure. The most obvious difference with HTTP is the “secure” part. The connection is encrypted, which prevents data from being read if it’s intercepted.

In order for this secure connection to work, both the sender and receiver use a code to encrypt or decipher the message. This process is done via an SSL certificate.

About SSL Certificates

SSL certificates are based on public-key cryptography.

This encryption technique uses two keys: a private key and public key (both are basically a set of randomly generated numbers). The public key is available in the public domain. If John wants to send a message to Carol, he can use Carol’s public key to encrypt it. The only way to decipher the message is by using Carol’s private key. If a hacker intercepts the message it will be unreadable, because he doesn’t have Carol’s private key to decipher it.

Types of SSL Certificates

At the moment there are three types of SSL certificates:

  • Domain Validation SSL
  • Organization Validation SSL
  • Extended Validation SSL

A Domain Validation SSL is the most basic version. It checks whether the SSL-holder has the right to use a specific domain. It’s relatively easy to use and doesn’t require extensive paperwork.

The Organization Validation SSL is based on the Domain Validation SSL, with the addition of some vetting of the organization. This information is shown when a user clicks the padlock in the address bar of his/her browser.

An Extended Validation SSL provides the highest security. The checks for this type of SSL certificate are very thorough (based on the strict EV Guidelines), and include:

  • Verification of the legal, physical and operational existence of the entity.
  • Verification of whether the identity of the entity matches official records.
  • Verification of whether the entity has exclusive right to use the domain specified in the EV SSL Certificate.

Which SSL certificate you choose is a personal choice. For a small business website, a Domain Validation SSL is probably sufficient. But if you’re securing a big online shop, the Extended Validation SSL might be a good investment. Why? Because this certificate enables a green padlock with the name of the organization in the address bar of your browser, which will reinforce visitors’ trust in your site.

The Cost of SSL Certificates

SSL certificates can be bought from several vendors (named “Certificate Authorities”), such as Symantec. They cost anywhere from $150 per year to more than $1,000 per year, based on the type of certificate and warranties.

But there’s good news: you can get a free SSL certificate from Let’s Encrypt.

SSL Certificates and HTTPS: What You Need to Know

Let’s Encrypt is an automated and open certificate authority, run for the public’s benefit. They are sponsored by big brands such as Mozilla, Cisco, Google and Facebook, which allows them to give people the digital certificates they need in order to enable HTTPS–completely free.

How to Install an SSL Certificate

If you’re lucky, your hosting provider with offer an SSL-installation wizard (or even better: a one-click install). Thanks to this you’ll be up and running in a matter of minutes. As HTTPS connections become more popular, more hosting providers will offer this service as part of their packages.

If that’s not the case, you’ll need to install the SSL certificate manually. This can be a lengthy process. Luckily, Mitchell Anicas from Digital Ocean has written an extensive guide on how to install an SSL certificate.

Advantages of HTTPS / SSL

Enabling HTTPS is a great idea because of the following advantages:

  1. Security: HTTPS is a secure data connection, which means that if the message is intercepted the data is unreadable without the proper key. This is crucial when your website manages users’ sensitive data.
  2. Trust: an SSL certificate can help improve the user’s trust in your website.
  3. Speed: switching to HTTPS can improve loading times.
  4. SEO: in 2014 Google started using HTTPS as a ranking signal. At the moment it’s only a very lightweight signal, but Google might decide to strengthen it in the future.

Things to Consider When Switching to HTTPS

Implementing an SSL certificate is not all rainbows and butterflies. There are some things to consider before taking action. Such as the time it takes to implement. Furthermore, an SSL certificate is only valid for a limited period of time. That means you’ll need to renew it from time to time.

And then there’s the cost. Sure, Let’s Encrypt offers free certificates, but they only provide the most basic version. If you want an Organization Validation SSL or Extended Validation SSL you still need to buy one.

Switching from HTTP to HTTPS can cause some SEO issues, mostly because of faulty links. This can be solved by a server level 301 redirect via the .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Conclusion

There’s no denying that HTTPS will continue to gain popularity in the future. Security and visitor trust are its main advantages, but let’s not forget the small boost in speed and search engine rankings.

Yes, you can get a free SSL certificate. But Organization Validation or Extended Validation SSLs will still cost you quite a bit of money. Furthermore, the implementation can be time-consuming and cause several issues.

So should you use HTTPS?

In my opinion; if you’re giving a website a complete make-over or building one from scratch, it’s definitely worth your time. HTTPS is part of the future of the web. But if your existing site doesn’t gather sensitive data from users, it remains optional.