This month marks an important milestone in the evolution of our web design business. From February onwards, we’ll be building all websites exclusively using the SSL protocol. This post will explain what SSL is (briefly) and why we believe all websites should be using it, without exception.
A (brief) Introduction to SSL
Ever notice when you browse some websites you get that little green padlock icon in the address bar, followed by a bit that reads https, rather than just http? Makes you feel all warm and fuzzy doesn’t it. Like you’re in the presence of something welcoming and trustworthy. Well, that green padlock is actually telling you that the people behind the website have gone to some lengths to 1) identify themselves and 2) ensure any data you enter into that website (think email address, password, credit card details etc) is correctly encrypted and looked after. These are safer websites and they all use an SSL Certificate of some description.
So what actually is SSL? Let’s get the dry bit out of the way. SSL (Secure Sockets Layer) is an industry standard technology that encrypts data transfer between a browser and a web server. What does that mean? Essentially, it makes data less susceptible to unscrupulous third parties who wish to steal it when you use a website.
More info on SSL in general can be found in our Information section, but all you really need to know is that SSL is a good thing and it makes your data safer.
Let’s move on. Quickly.
Types of SSL Certificate
There are three main types of SSL Certificate that you’ve probably already come into contact with:
Domain Validated Certificates (DV)
The cheapest and easiest option. This shows that the domain is registered with and verified by a trusted SSL provider. Prices range from free to around £100 p/a, depending on a few technical specifics. You’ll get the green padlock (some browsers show it as grey) and https (all browsers) in the address bar. We currently use this.
Organisation Validated Certificates (OV)
This costs a little more. Typically, from around £150+. These certificates require that some company info is first verified, along with domain and owner information. Again, you get the green padlock (some browsers show it as grey) and https, but on investigating the certificate, you’ll also see company info such as address and official company name. Facebook currently use this.
Extended Validation Certificates (EV)
Currently the highest class of certificate available on the market. You’ll need to pay at least £250ish+ to get one of these bad boys. But, crucially, your company would first need to be heavily vetted by the SSL-issuing authority. It can take anything from a few days to a few weeks to gain official verification due to these extended checks. You’ll get the green padlock, https and your company name will show in the address bar. Just like twitter:
So there are slight visual differences in the browser for each certificate, but the important thing to understand is that if you purchase a certificate from a reputable company the underlying tech for all three certificates will be the same. The level of security you get doesn’t differ – only the degree of background checking carried out on the company requesting the certificate.
Do I Need SSL?
Security of your website data may not be something you’ve often thought about. With a lot of website owners the focus is primarily on how it looks and whether it effectively achieves their business objectives. But if your website deals with sensitive data (information you wouldn’t want the bad guys to get hold of) in any way, then it is your responsibility to protect it. What constitutes sensitive data? Well, the obvious candidates are people’s bank details, email address, or physical address. But there are other things that need protecting. Here’s a short list:
- Bank details – as mentioned, if you deal with your customers’ bank details you really must use SSL
- Contact forms – if you have a contact form on your website so users can get in touch – that should be protected.
- Administration areas – if you manage your website from an admin area that you log into – that should be protected.
- Customer/Client Areas – if you allow your customers or clients to log into their own area on your website – that should be protected.
Benefits of SSL
SSL and https have gained a lot of press attention recently (at least in the worlds of web design and development). A likely contributor to this, as with many things that gain press attention, is Google. The search engine giant actually announced back in 2014 that they’d soon be using https as a factor in their search ranking algorithm. Something they don’t often publicise. But interest has snowballed more recently – possibly a result of the increasing options for cheaper or free SSL certificates offered by companies like Let’s Encrypt and, more recently, Amazon.
Money aside, the benefits of SSL and https vs regular http are growing for website owners.
- Data is encrypted and your users’ private information is therefore safer. Don’t forget that if you deal with your client’s data in any way, you are responsible for who it ends up with.
- Google will look upon you kindly for securing your website and you may benefit from improved rankings. Only slightly to begin with, but you never how these things will progress, particularly as they look to encourage more people to switch to the technology. So it’s a worthwhile pursuit.
- Websites with the green padlock induce trust. This is an indisputable fact. And it’s especially true of e-commerce websites. In a survey conducted by SSL provider GlobalSign, 85% of those surveyed indicated “they wouldn’t buy through a website where they weren’t certain their data was being transferred securely”. That survey was conducted a year and a half ago and people’s exposure to and understanding of the magic green bar will only have increased since.
- Some payment gateways require it. If you want to sell products directly from your website and use a payment gateway such as Stripe or WorldPay you will be required to use an SSL Certificate. Having one installed opens up your options and means you don’t have to resort to selling your product through an external provider (Etsy, for example), where you’ll have less control.
SSL All the Things. For Free.
As things stand, BuiltWith (a website and business analysis tool) identify less than 0.1% of the entire internet as using SSL. Of the top 1 million websites, that figures is still incredibly low at just 6.9%. Think about how many of those top websites might deal with sensitive data in some way and you begin to realise the importance of it.
The long and short of it is there are really very few reasons not to employ SSL on a website in this day and age. Speed and performance issues are often cited, but in my opinion are negligible when weighed against the benefits. The cost is being continually driven down by fantastic initiatives such as Let’s Encrypt. And the general consensus is that securer websites should be the default, not the exception.
We believe in the movement towards a more secure internet and will be doing our bit by only building websites with SSL Certificates installed as standard, from now on. We’re currently offering the strongest level of encryption available in the market today – the same technology as used on Facebook, Twitter and most banking websites. That may sound overkill for what you think you need, but why take the chance? Especially as, while others will charge for the luxury, we’re including it as part of the service :)