What is an SSL, and do you need one?

Ok, bear with me here, because we all know that security standards are hardly the most thrilling thing to read about, and “SSL Certs” could not sound any more dull and technical. On the other hand, learning how to protect your website and customer data early on could one day save your business. Customers tend to like knowing that their information is safe in your hands, particularly if you're collecting any kind of payment information, so you really need to read this article. Oh, and for those of you happily heading for the back button, because you don’t sell anything on your site? Chances are you have an email signup box on your website, that also collects personal information like names and email addresses. That is very much considered personal data, even if it’s less risky than credit card details. So let’s just jump right in, shall we?

What is an SSL?

SSL stands for Secure Sockets Layer, but let’s not get bogged down in technical terms. An SSL certificate, which is what people usually mean when they say “an SSL”, is essentially a small file installed on your website’s server that provides an added layer of security.

How does it work?

First, let’s look at what happens on a normal site without an SSL. Say you sell cameras online – when a customer visits your website and makes a purchase, they log in on their computer and give you their name, address, and their credit card details.

All that information doesn’t just stay on their computer – when they enter it into their browser window, they are actually sending it from computer to computer, until it reaches the destination server (essentially just another computer that stores information for your website). Unfortunately, those details are readable by any computer between your customer’s computer and the destination computer.

Think of it like mailing an unsealed envelope, containing all your personal bank account details, from your hometown to somewhere on another continent. It’s going to pass through a lot of hands, and yes it may be fine, but you are definitely taking a big risk that someone untrustworthy may be getting a golden opportunity to steal a lot of valuable information.

An SSL is the equivalent of sealing that envelope, sending it via registered post (so that you can be 100% sure it’s going to the intended recipient), and converting all those bank account details into an extremely complicated code, that only the right recipient has the key to unlock.

So... why is it important to have an SSL Certificate?

You read the last few paragraphs, right? If you are running an ecommerce site, you definitely want to make sure your customer details are secure. Of course, if users get redirected to another site to make payments – for example, if you use PayPal to collect their credit details – then you don’t need to worry about their payment information, because that won’t actually have anything to do with your website. All the information will pass through PayPal’s servers instead.

However, that still leaves the information that is collected on your site, like their address and telephone number. Even websites that don’t actually ship products, but simply require users to log in or enter their email addresses, should really be taking steps to make sure this information is secure. Despite all the warnings of what a terrible idea this is for personal security, lots of people tend to use the same username / password combination for multiple sites – including ones that DO store their payment details. So even if the data that could be stolen from your site may seem relatively harmless, I strongly advise purchasing an SSL.

STILL not convinced? How about the fact that Google uses the presence of an SSL to determine a website’s rank in search results: that’s right, having an SSL could be a useful SEO boost as well. So it’s a win for you, and a win for your customers.

How do you get an SSL certificate?

Not all SSL certificates are created equal. Some cost hundreds of dollars to acquire and can take weeks to set up; others you can acquire with ten minutes’ effort and a $10 fee. You can even create your own self-signed SSL certificate, although these don’t tend to be very reassuring to your customers, as they will usually be shown a browser security warning when they visit your site.


That’s why for the most part, you are best off purchasing one from a Certification Authority (CA). CAs will already be known to most browsers, and therefore SSL certificates issued by them will not be subject to browser warnings. It’s also a little more reassuring to your customers: although both types offer encryption, with the self-signed certificates, your customers only have your word for it that you are who you say you are. Third party identity verification, which is essentially the main added value of purchasing from a CA, is generally a little more trustworthy.
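
To see the difference between the two kinds of certificate for yourself, here is an added example (not part of the original article) that uses the `openssl` command-line tool, which is assumed to be installed. The site name `shop.example` and the "Demo Test CA" are made up for the demo; the demo CA stands in for a commercial CA that browsers already know.

```shell
# Added example: compare a self-signed certificate with a CA-issued one.
# Everything here is constructed for the demo: shop.example, "Demo Test CA".

make_demo_certs() {  # $1 = scratch directory
    d=$1
    # 1. Self-signed: the site vouches for itself.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=shop.example" \
        -keyout "$d/self.key" -out "$d/self.crt" 2>/dev/null || return 1
    # 2. Stand-in CA, playing the role of a CA your browser already knows.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # 3. The site creates a signing request and the CA signs it.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=shop.example" \
        -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/site.csr" -days 30 -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/site.crt" 2>/dev/null || return 1
}

# True when issuer and subject are the same name (issued to itself).
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True when certificate $2 chains to a CA in trust list $1
# (the trust list plays the part of the browser's built-in CA list).
is_trusted() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

report() {  # $1 = trust list, $2 = certificate
    if is_trusted "$1" "$2"; then echo "$2: trusted, no warning"
    else echo "$2: not trusted, visitor sees a warning"; fi
}

demo=$(mktemp -d)
make_demo_certs "$demo" && {
    report "$demo/ca.crt" "$demo/self.crt"
    report "$demo/ca.crt" "$demo/site.crt"
}
rm -rf "$demo"
```

Both certificates encrypt traffic equally well; the only thing that changes the outcome is whether the signer is on the trust list.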

Although there’s nothing stopping you going for one of the big guys in the CA industry like Symantec, and spending four figures on an SSL with extended validation, for most small to mid-sized businesses there is simply no need for it. Sites like GoDaddy or SSL.com offer simpler certification for approximately $60 / year, and this is generally adequate if you are not a major international company.

If you’re still not sure what type of SSL certificate is right for you, try visiting SSL Shopper to compare different providers and types of certification. Still confused? Feel free to drop me a line and I’ll do my best to answer all your questions personally.