Business Guide To SSL / Secure Sockets Layer
We get it: for all the business leaders out there, spending your time and energy on nitty-gritty tasks (such as securing your website with SSL) is just one of many things on your to-do list. But here’s what you need to know: in this day and age, consumers are savvier than ever; they’re also less likely to click on dubious links or visit dodgy sites online. Investing in your website is a cornerstone of effective digital marketing.
Bearing this in mind, it’s important for you to get an SSL certificate for your website, so that your customers can browse your website with peace of mind. We know it’s a bit of a chore, but think of it this way: if your customers don’t trust that your website is legit, how can you expect them to make a purchase from your online store, or even convert to a lead?
What is SSL?
If you’re not 100% clear on what SSL is, don’t sweat it—you’re not the only one. In a nutshell, SSL refers to the standard security technology for establishing an encrypted link between a web server and a browser. By using this link, you can be sure that all the data which is passed between your browser and a web server remains private and confidential.
Let’s break this down and explain SSL using a real-life example. Let’s say you’re browsing a marketing blog and you decide to fill in a form to get a copy of the free ebook that they’re offering.
Assuming the website is insecure, a hacker can intercept your data the second you enter your details and submit the form. Now, if you’re simply providing your email address, this might not be a huge deal—but imagine the same thing taking place on an online banking portal, and hackers gain access to your internet banking password or other confidential data.
Now that’s cause for worry, right?
On the other hand, when you visit a website that’s SSL-encrypted, hackers won’t be able to intercept your data.
Here’s how it works:
Your browser forms a connection with the web server, and the SSL certificate binds your browser and the website’s server (or hostname) together. Because the binding is secure, no one (other than you and the website you’re looking at!) will be able to access the information which you submit to the site.
We’re not going to go into the details, but as an extra layer of security, even if a hacker were able to access this information, they wouldn’t have the private key necessary to decrypt it.
The History of SSL: How It Evolved Over the Years
SSL (Secure Sockets Layer) is a protocol that ensures secure communication over the internet by encrypting the data exchanged between a user’s browser and a website. The evolution of SSL has played a critical role in enhancing internet security and fostering trust between online businesses and their customers.
Here’s a look at the history and evolution of SSL:
Early Beginnings of SSL: The 1990s
The concept of SSL was introduced by Netscape Communications in 1994 as a way to secure online transactions, particularly for e-commerce websites. The first version of SSL, SSL 1.0, was never released publicly due to security flaws that were discovered before it could be implemented.
In 1995, SSL 2.0 was introduced, which was the first widely used version of the protocol. SSL 2.0 enabled encryption of data during transmission, making it more difficult for attackers to intercept or tamper with sensitive information like credit card numbers or personal details. However, SSL 2.0 had significant security weaknesses that led to the development of a more robust version.
SSL 3.0: The First Significant Improvement (1996)
In 1996, SSL 3.0 was released, addressing many of the vulnerabilities found in SSL 2.0. SSL 3.0 became the industry standard and laid the foundation for modern encryption practices. With improvements in encryption strength and security features, SSL 3.0 played a key role in securing online banking, e-commerce, and email communication.
Despite its advancements, SSL 3.0 also eventually became outdated as technology and cyber threats evolved. The increasing capabilities of hackers and the demand for stronger encryption made it clear that SSL would need to be further updated.
The Birth of TLS (Transport Layer Security): 1999
As the need for stronger security measures grew, SSL was replaced by TLS (Transport Layer Security) in 1999. While TLS is technically a separate protocol, it is often referred to as SSL, and the terms are used interchangeably in common usage.
The first version of TLS, TLS 1.0, was based on SSL 3.0 but included stronger encryption algorithms and better protection against vulnerabilities. TLS continued the work of SSL by providing a more secure and efficient way to protect data during transmission, ensuring that sensitive information remained private and secure.
TLS 1.1 and 1.2: Improvements in Security (2006-2008)
Over the years, the TLS protocol underwent several updates to keep up with emerging security threats. In 2006, TLS 1.1 was introduced, which addressed weaknesses in TLS 1.0. Then, in 2008, TLS 1.2 was released, offering further improvements in cryptographic security, including support for more advanced encryption algorithms and better mechanisms for data integrity.
TLS 1.2 became widely adopted across industries, becoming the standard for secure communications on the web. Many websites and services transitioned from SSL 3.0 and TLS 1.0/1.1 to TLS 1.2 in the years that followed, especially as major browsers like Google Chrome, Firefox, and Internet Explorer began to phase out support for older versions.
The End of SSL: Phasing Out Older Versions (2014-Present)
As online security threats evolved, SSL 3.0 and even earlier versions of TLS were no longer considered secure. In 2014, a vulnerability known as POODLE (Padding Oracle On Downgraded Legacy Encryption) was discovered in SSL 3.0, which prompted a faster phase-out of the older SSL versions across the internet. Web browsers, websites, and web services began dropping support for SSL 3.0, urging the adoption of TLS 1.2 and later versions.
In 2018, the Internet Engineering Task Force (IETF) officially deprecated SSL 3.0, marking the end of its use in securing online communications. Today, SSL is a term used to describe certificates and encryption protocols, but it is TLS that ensures secure communication.
The Shift to TLS 1.3: A Modern, Faster Protocol (2018)
In 2018, TLS 1.3 was released, bringing several significant improvements to security, speed, and privacy.
Some of the key features of TLS 1.3 include:
- Stronger Encryption: TLS 1.3 uses only the most secure encryption algorithms and removes outdated and less secure options.
- Reduced Latency: The handshake process in TLS 1.3 is streamlined, reducing the time it takes to establish a secure connection.
- Improved Privacy: TLS 1.3 encrypts more of the handshake process, preventing eavesdropping on data such as the website you are visiting.
With these advancements, TLS 1.3 has become the preferred protocol for securing online communications, and its adoption is steadily increasing.
SSL Certificates Today
While SSL as a protocol is no longer in use, the term “SSL certificate” is still widely used to refer to TLS certificates. These digital certificates are essential for websites to encrypt data and establish trust with users. Modern SSL/TLS certificates are used to secure everything from e-commerce websites to email communication, and their presence is vital for establishing credibility online.
In recent years, with the rise of HTTPS (Hypertext Transfer Protocol Secure) as the standard for all websites, SSL/TLS certificates have become crucial for SEO rankings, as Google uses HTTPS as a ranking signal. Furthermore, browsers like Google Chrome and Firefox now warn users when visiting websites that don’t have a valid SSL/TLS certificate, making them an essential part of any modern web presence.
The evolution of SSL into TLS represents the ongoing battle to secure online communications against growing cyber threats. What began in the 1990s as a simple encryption tool has become a crucial part of the modern internet, with robust encryption and security standards that protect sensitive data from hackers. As technology continues to advance, SSL and TLS will continue to evolve, ensuring that internet security remains a top priority for users and businesses alike.
What are the 3 types of SSL?
SSL (Secure Sockets Layer) certificates are essential for securing data exchanged between a website and its visitors. They ensure that sensitive information, such as passwords and payment details, is encrypted during transmission. There are three main types of SSL certificates, each providing different levels of validation and security. Here’s a breakdown of the three types:
1. Domain Validation (DV) SSL
- What It Is: Domain Validation SSL certificates are the most basic type of SSL. They only verify the ownership of the domain, ensuring that the individual requesting the certificate owns the website. There is no verification of the business or identity behind the website.
- How It Works: After requesting a DV SSL certificate, the certificate authority (CA) will check the domain’s ownership by sending an email to the registered domain contact. Once verified, the certificate is issued.
- Best For: Small websites, personal blogs, and businesses that don’t require high levels of validation or sensitive transactions.
- Pros: Quick and easy to obtain, cost-effective.
- Cons: Offers the lowest level of trust, as it only verifies domain ownership.
2. Organization Validation (OV) SSL
- What It Is: Organization Validation SSL certificates offer a higher level of security and trust compared to DV certificates. These certificates verify not only the domain ownership but also the legitimacy of the organization behind the website.
- How It Works: The CA will verify the organization’s details, such as its physical address and registration with government authorities. This process is more comprehensive and may take longer than DV validation.
- Best For: Medium-sized businesses, e-commerce websites, and organizations that handle sensitive customer data.
- Pros: Provides higher trust by verifying the business behind the website. Visitors can view the organization’s name in the certificate.
- Cons: Slightly more time-consuming and expensive than DV certificates.
3. Extended Validation (EV) SSL
- What It Is: Extended Validation SSL certificates provide the highest level of security and trust. The CA performs a rigorous verification process to confirm both the domain ownership and the legal, physical, and operational existence of the organization.
- How It Works: The CA conducts a detailed background check on the business, including verifying legal documents, the physical address, and the authority of the person requesting the certificate. Once verified, the certificate is issued, and the website’s URL will display a green padlock icon and the organization’s name in the browser’s address bar.
- Best For: Large corporations, financial institutions, and websites that handle sensitive customer information like online banking and shopping.
- Pros: Offers the highest level of trust and security, which is visually represented in the browser (green address bar with organization name).
- Cons: More expensive and takes longer to issue compared to DV and OV certificates.
The type of SSL certificate you choose depends on your website’s needs, the level of trust you wish to establish with your users, and the type of data you’re handling. While DV SSL certificates are sufficient for simple websites, businesses dealing with sensitive transactions or customer data should consider OV or EV SSL certificates for enhanced security and credibility.
What are the challenges of SSL?
While SSL certificates are crucial for securing online communications, they do come with a few challenges:
- Installation and Configuration: Setting up SSL can be complex, especially for large websites. Ensuring that the SSL certificate is properly installed and configured across the entire site is vital to avoid security vulnerabilities.
- Costs: Depending on the type of SSL certificate (DV, OV, or EV), costs can vary significantly. Extended Validation (EV) certificates, in particular, can be expensive, which may be a barrier for smaller businesses.
- Maintenance and Renewal: SSL certificates typically expire within one or two years, meaning they require regular renewal. Failing to renew an SSL certificate can result in security warnings for visitors and even loss of trust.
- Mixed Content Issues: After installing SSL, websites may encounter “mixed content” problems when some resources (such as images, scripts, or videos) are still loaded over HTTP instead of HTTPS, potentially reducing security.
- Performance Impact: Although minimal, the encryption and decryption process associated with SSL can slightly impact website load times, particularly for websites with a lot of traffic or large data sets.
Despite these challenges, SSL remains a fundamental part of maintaining trust and security online, and overcoming these issues is essential for protecting both users and businesses.
What is HTTPS?
Now that you’re up to speed with SSL, let’s talk about HTTPS.
HTTPS stands for Hypertext Transfer Protocol Secure, and sites whose URLs start with HTTPS (as opposed to HTTP) are secured with SSL.
Most web browsers, including Chrome, Internet Explorer, and Firefox, display a green padlock icon in the address bar to indicate to their users that an HTTPS connection is in effect.
What does SSL have to do with SEO?
SSL has been associated with SEO for a long time now—it was back in 2014 when Google pushed out algorithms which favoured SSL-secured sites for the first time. Back then, SSL only had a small impact on SEO, and while HTTPS websites did experience increases in their rankings, these weren’t anything major.
Subsequently, Google webmaster trends analyst Gary Illyes came out to state that the boost that HTTPS provided might serve as a tie breaker, assuming that all else was equal.
Here’s how he phrases it:
“With the HTTPS ranking boost, it acts more like a tiebreaker. For example, if all quality signals are equal for two results, then the one that is on HTTPS would get … or may get … the extra boost that is needed to trump the other result.”
What this means is, if your website and your competitors’ sites are neck and neck in all other factors (i.e. loading speed, title tags, quality of content, and all that jazz), then whether your sites are SSL-secured will be the determining factor in which site gets ranked first.
In other words: yes, SSL can help give you that extra edge!
NOTE: According to Search Engine Land, as of July 2018, Google Chrome will mark all sites without an SSL certificate (non-HTTPS) as “non-secure”, meaning that upon entry, a visitor will be shown a warning page.
SSL SEO case studies
In a study on search engine ranking factors by Brian Dean, SEMRush, Ahrefs, SimilarWeb, and MarketMuse, it was concluded that HTTPS and higher search rankings were “moderately correlated”. Here’s a visual representation of their findings:
Image from Backlink.com
How to get an SSL certificate for your website
First things first: determine what type of SSL certificate you need and how many certificates you need. The types of certificates depend on the level of security that you desire and the size or complexity of your website(s), whereas the number of certificates you need depends on how many websites you have (i.e. one certificate is needed per domain).
For the vast majority of business owners, a standard SSL certificate will do the trick. But if you have multiple product lines under your belt (each with its own domain and subdomain), then you’ll need to get multiple SSL certificates.
On top of that, certain industries (such as finance or insurance) come with specific requirements when it comes to SSL certifications—read up on this and make sure you know exactly what type of certificate you need.
How much do SSL certificates cost?
If you’re a startup working with highly limited resources, it’s possible to get a free SSL certificate from platforms such as Let’s Encrypt.
One caveat, though—these certificates have a pretty short lifespan and they expire every 90 days. If you do get a certificate from Let’s Encrypt, be sure to keep an eye on your certificate expiry date, so that you can renew it when necessary.
Otherwise, SSL certificates generally cost from $50 (for a single domain) to a few hundred dollars (for multiple domains). The average certificate will be valid for one to two years, but there are longer-term certificates that are available (although these will naturally be pricier as well).
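To make the expiry caveat above concrete, here is an added example (not part of the original article) that works out how many days a certificate has left and whether it is due for renewal. The sample certificate, the hostname and the 30-day warning window are assumptions chosen for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns:
# a 90-day certificate for a placeholder hostname.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "notBefore": "Apr  1 12:00:00 2025 GMT",
    "notAfter": "Jun 30 12:00:00 2025 GMT",
}

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Return a live server's leaf certificate after chain and hostname checks."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _parse(cert_time):
    """Convert a certificate timestamp string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def lifetime_days(cert):
    """Total validity period of the certificate in whole days."""
    return (_parse(cert["notAfter"]) - _parse(cert["notBefore"])).days

def days_until_expiry(cert, now=None):
    """Whole days left before notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (_parse(cert["notAfter"]) - now).days

def renewal_status(cert, now=None, warn_days=30):
    """Classify the certificate; warn_days is an assumed renewal window."""
    left = days_until_expiry(cert, now)
    if left < 0:
        return "EXPIRED"
    return "RENEW" if left <= warn_days else "OK"

if __name__ == "__main__":
    when = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
    print(lifetime_days(SAMPLE_CERT), days_until_expiry(SAMPLE_CERT, when),
          renewal_status(SAMPLE_CERT, when))
```

For a live site, pass the result of `fetch_peer_cert("your-domain")` to `renewal_status` from a scheduled job so that a lapsed renewal is noticed before visitors see a browser warning.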
Where should you get your SSL certificate from?
The short answer: get your certificate from anywhere but Symantec!
Here’s the backstory: SSL certificates issued by security giant Symantec used to be popular, but late last year, Google declared that it would soon be deprecating Symantec-issued certificates in Chrome. True to its word, Google started labelling websites with Symantec-issued certificates as unsafe when it pushed out build 66 of Chrome in April 2018.
Upon visiting websites with certificates issued by Symantec, Chrome users will now receive a warning message that states that their connection is not private and that someone may be trying to steal their information.
Image from StackOverflow.com.
In order to get to the website, users will have to click on “Advanced” and acknowledge that they would like to proceed despite the site being unsafe. As you might imagine, the multiple warnings would put off most users from clicking through and result in lower traffic for the website.
Here’s where the situation gets tricky: this problem will also affect websites with certifications that are issued by an intermediate organisation, but still use Symantec as their root of trust. This includes but isn’t limited to certificates by Thawte, GeoTrust, and RapidSSL.
Before you purchase an SSL certificate, do some digging and make sure that its root certificate authority doesn’t go back to Symantec!
Installing SSL with WordPress plugins
Successfully purchased your SSL certificate? Depending on your certificate provider, you might have to take on the task of installing the certificate on your website and making sure it displays properly. The good news: if you’re using WordPress to power your site, then there are various plugins which can help guide you through the process. Read on to find out more!
Really Simple SSL
Really Simple SSL is a user-friendly tool which helps you migrate your website to SSL. Using this plugin, you’ll be able to install your SSL certificates across all your sites and verify that Chrome doesn’t display any warnings that might make your traffic take a hit.
Insecure Content Fixer
Once you’ve installed your SSL certificate, use Insecure Content Fixer to find and fix hard-coded references to HTTP pages.
WP Force SSL
Last but not least, use WP Force SSL to ensure that everyone who visits your page sees the secure version that you’ve set up. This plugin basically forces all your traffic to HTTPS, and ensures that all pages load securely.
BONUS: Free SEO SSL Scanner
If you want to err on the side of caution, check out this free SEO SSL scanner tool by Linksspy.com. Consider this: after analyzing the HTTPS settings of the top 10,000 domains, the team over at Ahrefs found that only 10% of these websites have an ideal SSL / HTTPS setup (some were missing canonical HTTPS versions, some were using temporary instead of permanent redirects, and the list goes on).
Setting up your SSL certification is a pretty complicated process – so take a few more minutes to ensure that your certification is configured properly using the Search Engine Optimisation (SEO) SSL scanner!
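Two of the setup problems mentioned above, temporary instead of permanent redirects and an HTTP version that never reaches HTTPS, can be detected by following the redirect chain one hop at a time. This is an added example, not the scanner's own code or part of the original article; the URLs and responses in `SAMPLE` are constructed, and the hop limit is an assumption.

```python
import http.client
from urllib.parse import urljoin, urlsplit

PERMANENT = {301, 308}
TEMPORARY = {302, 303, 307}

def fetch_head(url, timeout=5.0):
    """Send one HEAD request without following redirects: (status, Location)."""
    parts = urlsplit(url)
    secure = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if secure else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit_redirects(start_url, fetch=fetch_head, max_hops=5):
    """Follow redirects from start_url; return (final_url, list of problems)."""
    problems, url = [], start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in PERMANENT | TEMPORARY or not location:
            break
        target = urljoin(url, location)
        if status in TEMPORARY:
            problems.append(f"temporary redirect ({status}) {url} -> {target}")
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            problems.append(f"downgrade to HTTP {url} -> {target}")
        url = target
    else:
        problems.append("too many redirects")
    if urlsplit(url).scheme != "https":
        problems.append(f"final URL is not HTTPS: {url}")
    return url, problems

# Constructed responses standing in for a live site.
SAMPLE = {
    "http://example.com/": (302, "https://example.com/"),
    "https://example.com/": (301, "https://www.example.com/"),
    "https://www.example.com/": (200, None),
    "http://shop.example.com/": (200, None),
}

def sample_fetch(url):
    """Offline replacement for fetch_head that reads from SAMPLE."""
    return SAMPLE[url]

if __name__ == "__main__":
    for start in ("http://example.com/", "http://shop.example.com/"):
        print(start, audit_redirects(start, sample_fetch))
```

Call `audit_redirects("http://your-domain/")` with the default `fetch` to run the same checks against a live site.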