Thursday, May 17, 2018

What is an SSL Certificate and How It Can Help Your Website

You might be wondering: “Why is my website showing up as an unsecured site in Google Chrome?”

The answer is that you don’t have an SSL certificate that converts your pages into secure, encrypted HTTPS pages.

Some people may think that there’s no need for an SSL certificate if your website isn’t used to store or process sensitive information, or that an HTTP protocol is enough.

That may have been the case a decade ago, but it simply doesn’t hold true today.

When visitors see the “Not secure” tag that comes along with the lack of an SSL certificate, they’ll be less likely to stay on your site or interact with your company.

Or buy anything from you at all.

In this post, we’re going to cover what an SSL certificate is and how it can be used to help your website.

So what does SSL stand for, anyway?

What is an SSL Certificate?

SSL certificates are data files that bind a cryptographic key to a company’s details. SSL stands for Secure Sockets Layer.

In layman’s terms, SSL certificates bind a domain name, server name, or hostname together with a company name and location.

When they’re installed on a web server, they activate a padlock that shows that a secure connection is present between a browser and the web server.

These padlocks, which are added to most of your favorite websites, look something like this:

SSL padlocks in chrome

They signify to site visitors that the owner of a website is encrypting connections on the page, which makes for a more secure experience.

Usually, SSLs can be used to secure transactions, logins, and data transfer. In today’s world, it has become commonplace for social media sites to have SSL certificates, too.

Twitter has one:

twitter SSL padlock

Facebook has one:

facebook SSL padlock

And even Reddit has one:

reddit SSL padlock

When you open an SSL certificate up, it usually looks something like this:

SSL certificate information

This particular certificate lists who it was issued to, who it was issued by, and the dates that it is valid from and to. This one is valid until 2019.

That way, site visitors won’t have to second guess if your web page is safe, secure, or legitimate.

The bottom line? If you want your site to be trustworthy, you’ll need an SSL certificate.

Here’s how an SSL certificate works.

How Does an SSL Work?

When you access a website, the browser or server requests that your web server reveal its identity.

A web server with an SSL certificate sends the browser or server a copy of it for review.

Then, the browser or server will check to determine whether or not it trusts the certificate. If it does, it relays the message back to the web server.

Then, the web server sends back a digitally signed acknowledgment and an SSL encrypted session begins.

Encrypted, secured data is then shared between the browser or server and the web server.

how SSL works
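As an added example (not from the original post), here are two of the checks a client makes on the certificate it receives, the validity dates and the hostname match, plus a look at whether the subject names an organization. The certificate is a constructed sample in the shape Python's `ssl.SSLSocket.getpeercert()` returns; verifying the chain up to a trusted root is done by the TLS library and is not reproduced here.

```python
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example CA R1"),)),
    "notBefore": "May 17 00:00:00 2018 GMT",
    "notAfter": "May 17 12:00:00 2019 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
DURING = ssl.cert_time_to_seconds("Jun 01 00:00:00 2018 GMT")
AFTER = ssl.cert_time_to_seconds("Jun 01 00:00:00 2019 GMT")


def _names(rdns, key):
    """Collect the values of one attribute from a subject or issuer."""
    return [v for rdn in rdns for k, v in rdn if k == key]


def host_matches(pattern, host):
    """'*' may stand in for the left-most label only, and for exactly one."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_cert(cert, host, now):
    """Return (problems, summary) for `cert` as seen at epoch time `now`."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    dns = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(host_matches(n, host) for n in dns):
        problems.append("name mismatch: %s not in %s" % (host, dns))
    org = _names(cert["subject"], "organizationName")
    summary = {
        "issued_to": _names(cert["subject"], "commonName"),
        "issued_by": _names(cert["issuer"], "commonName"),
        # No organization in the subject means only the domain was validated.
        "organization": org[0] if org else None,
    }
    return problems, summary


if __name__ == "__main__":
    for host, when in (("www.example.com", DURING), ("example.com", AFTER)):
        print(host, check_cert(SAMPLE_CERT, host, when))
```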

The benefits to using SSL certificates are huge. For starters, SSL makes browsing safer for your customers, builds trust and boosts conversions, and protects both internal and customer data.

They also help you rank higher in Google, since they make HTTPS possible.

But what is HTTPS and why is it important?

Why HTTPS?

HTTPS stands for Hypertext Transfer Protocol Secure. It is an application layer protocol that was created to transfer and receive data over the internet.

In comparison to plain old Hypertext Transfer Protocol, or HTTP, HTTPS encrypts all communication between a browser and a website.

difference between http and https

HTTP does not. The added S in HTTPS is much more than a letter.

This means that data sent through an HTTPS connection is converted into a nearly impenetrable code to prevent unauthorized hackers from getting their hands on it.

And even if they do, they won’t be able to understand it or make sense of it. Encryption can take a simple message, like “hello” and turn it into an unidentifiable code, like “6EB6957008E03CE4.”

An application layer protocol doesn’t discriminate when it comes to how information is transferred between sources, so your site visitors will all be treated with equal security.

HTTPS is commonly used by e-commerce websites in order to ensure secure transactions for customers when purchasing products.

Let’s take a closer look at the importance and advantages of the HTTPS protocol that SSL certificates provide.

The Importance and Advantages of SSL

Google’s main goal is to provide users with secure browsing options. That’s why they’re encouraging site owners to make the switch over to HTTPS.

In fact, Google is now marking all non-HTTPS sites as unsecure.

http not secure

And if you’re selling products or services from your site, an HTTPS seal of approval could help you sell even more.

secure credit card payment

Think about it: would you hesitate if you were ready to buy something and you saw a header like “Secure payment?” Probably not.

But if you saw something on a checkout page mentioning that things were “not secure,” you’d probably be gone faster than a toupee in a hurricane.

Once you have an SSL certificate and an HTTPS protocol, don’t be afraid to show it off to your customers and boast about it to help boost sales and transparency.

HTTPS can also help your SEO and conversions.

How SSL Can Help Your SEO And Conversions

Google rewards URLs with HTTPS protocols for being secure, which gives them a minor SEO boost in comparison to sites without them.

This means increased rankings and more referral data.

Referral data is preserved when it passes through HTTPS sites, which can also help to increase your search engine placements.

ssl advantages

Rankings will continue to increase over time if your site operates on HTTPS since visitors can always rest assured that browsing on your site is secure.

But there are several different types of SSL certificates you should be aware of.

Types of SSL Certificates

When choosing an SSL certificate, you need to pick the one that works best for you and your site.

There are three main types of SSL certificates.

  1. Domain Validated (DV SSL) Certificates
  2. Organization Validated (OV SSL) Certificates
  3. Extended Validation (EV SSL) Certificates

DV SSL certificates are issued almost immediately, and no company paperwork is required to obtain one.

No company identity is displayed on this type of SSL certificate other than encryption information, but it is enough to activate the “secure” padlock on your URL.

activated padlock secure https

While there’s no questioning that your information will be encrypted when visiting a site with a DV SSL certificate, there’s no way for customers to verify who is on the other end of the data.

These certificates are the easiest and quickest to get, and they’re also the cheapest. But they’re the least secure of all SSL certificates.

If you just have a small personal website or forum that needs some added encryption, a DV SSL certificate is a solid choice.

OV SSL certificates are more secure than DV SSL certificates but less secure than EV SSL certificates. They’re also usually right in the middle of the two when it comes to cost, as well.

They are issued within a couple of days and require you to:

  • Authenticate your organization
  • Prove your right to request a certification

When you obtain an OV SSL certificate, the “secure” padlock will be added to your URL, as well as some kind of site seal, depending on where you purchase it from.

ssl provider seals

If you have a large, public-facing website that handles some non-sensitive transactional data on a regular basis, an OV SSL is a good certificate to go with.

EV SSL certificates, on the other hand, require several steps before they can be obtained. To get an EV SSL certificate, you must usually:

  • Verify the legal existence of your company
  • Verify that the identity of your company matches official records
  • Verify that your company has the right to use the domain listed in the EV SSL certificate
  • Verify that your company has authorized the issuance of the SSL certificate

EV SSL certificates are harder to get in comparison to other types, but they are more secure than DV SSL and OV SSL certificates.

You know exactly who is on the other end of the website with this kind of certificate.

These certificates are usually issued within several days and are the most expensive to obtain. The company name is displayed in the URL next to the “secure” padlock.

digicert SSL

Your address bar may also turn green.

If you are an e-commerce site or you handle credit card payments and other sensitive data regularly, you need an EV SSL for maximum security.

How do you know what the best SSL certificate is for you?

What’s the Best SSL Certificate?

While all three different kinds of SSL certificates are better than no certificate, you have to pick the one that works the best for your budget and site needs.

Most sites that offer SSL certificates, like GoDaddy, Cloudflare, and Comodo, offer all three.

Let’s analyze GoDaddy first.

GoDaddy

All SSL certificates from GoDaddy include SHA-2 and 2048-bit encryption, which is about the strongest out there on the market today.

With a certificate from GoDaddy, you’ll be able to protect unlimited servers, reissue your certificate as many times as needed for free, and reach 24/7 security support.

You’ll also receive as much as $1 million in liability protection and a 30-day money back guarantee.

A DV SSL is $59.99 a year, an OV SSL is $103.99 per year, and an EV SSL is $99.99 per year.

comparison of types of SSL

With Cloudflare, you can get a base SSL for a more affordable price.

Cloudflare

With Cloudflare, you can get the base SSL service for free. There are no hidden details or fine print.

For more advanced features or SSL certificates, you’ll need to upgrade to a paid plan.

All that you need to do to implement Cloudflare’s SSL services is create an account and update your site’s DNS records.

Cloudflare’s HTTPS options provide additional services beyond regular HTTPS that can help you boost page loading times and site speed.

Cloudflare serves your site visitors a cached version of your site to help make it faster for users.

However, SSL with Cloudflare only encrypts the connection between site visitors and the cached version of your site.

It doesn’t encrypt the connection that exists between your site and your server.

cloudflare ssl

This means that your server connection could still be hacked.

If you want a full SSL certificate complete with encryption for your server, you might have to pay as much as $200 per month per domain for Cloudflare’s Business plan.

cloudflare ssl pricing

Other features included in the Business package include a web application firewall, prioritized email support, and guaranteed 100% uptime for your website.

Comodo SSL certificates are a bit more secure than Cloudflare.

Comodo

A DV SSL certificate from Comodo will set you back about $70.95 per year. A warranty level of $10,000 is included.

OV SSL certificates can cost anywhere from $88.95 to $427.95 per year, depending on the one you choose. Warranty levels are anywhere from $50,000 to $250,000 for this SSL.

An EV SSL is $199.50 per year and includes a warranty level of $1,750,000.

Every SSL certificate from Comodo features 128/256 bit encryption, 2048 bit root keys, unlimited reissuance and a 30-day money back guarantee.

Each certificate features HackerGuardian PCI scanning service, as well.

hacker guardian comodo ssl

Once you decide on the SSL certificate that works best for you, get ready to install it.

How to Install an SSL Certificate

Installing an SSL certificate might sound intimidating, but it isn’t anything to be afraid of. Start off by purchasing the SSL certificate of your choice.

1) Purchase the SSL certificate

Be sure to only purchase an SSL certificate from a reputable source.

After all, you don’t want to compromise your company’s security, so don’t just purchase an SSL certificate from anywhere.

You will probably need to upload a copy of your Certificate Signing Request (CSR) when you order the SSL certificate of your choosing.

A finished CSR should look something like this:

begin ssl certificate request

You can find a list of all CSR creation instructions for nearly every platform and operating system here.

Once you’ve purchased your SSL certificate, you’re ready to activate it.

2) Activate it

The method used to activate your SSL certificate will depend on where you ultimately decide to purchase it from. Sometimes, your web host will activate your SSL for you.

For example, if you purchase an SSL from GoDaddy, you’ll have to log into your account, head to “SSL Certificates” and click “Set up.”

set up godaddy ssl

Once you refresh the page, you should see your new and ready to use certificate.

When you have activated your certificate, you should validate it.

3) Validate the certificate

Before you officially begin to use an SSL certificate, you need to diagnose any issues with it.

Use an SSL Checker tool like this one from SSL Shopper to validate your certificate.

ssl checker

Next, install the certificate on your hosting server if it hasn’t already been done by your web host.

4) Install the certificate on the hosting server

The process for installing your certificate on your hosting server will depend on where you’ve built your site.

For example, if you’ve used Duda to build your website, you can navigate over to “Site Settings” and click “Site SSL” to set up a certificate.

click site SSL

Then, click “Generate certificate.”

Note that your SSL certificate should never be removed unless you manually take it off of your site.

Once your SSL certificate is up and running, you need to set up 301 redirects and check your links.

5) Set up 301 redirects and check the links

If you have old Google links or dated links to your pages on other sites, you need to set up a redirect so that HTTP requests can be changed to HTTPS ones.

You can do this by adding the following code to the top of your .htaccess file located in your root folder:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Once you’ve added that code, double check that your site is still working well and that requests are being redirected to the new version of your URLs.

You can also use HTTP Strict Transport Security (HSTS), a response header that tells browsers to use HTTPS for every connection to your site.

http strict transport security

All you have to do is add the code to your site.

For example, if you have an Apache web server, you can add the following code to your .htaccess file:

# Use HTTP Strict Transport Security to force client to use secure connections only
Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"
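To check the result of both steps, the added example below (not code from the original post) audits what a site returns: the status and Location of the plain-HTTP answer, and the Strict-Transport-Security header on the HTTPS response. It is run here on the header value from the Apache example above; `max-age=300` is a five-minute policy suited to testing, and the one-year minimum for the browser preload list is the requirement published at hstspreload.org. The function names are made up for this example.

```python
PRELOAD_MIN_AGE = 31536000  # one year: the minimum hstspreload.org accepts


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a policy dict."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def audit(http_status, http_location, https_headers):
    """Findings for one site: the plain-HTTP answer and the HTTPS headers."""
    findings = []
    if http_status != 301:
        findings.append("HTTP request is not answered with a 301")
    if not (http_location or "").lower().startswith("https://"):
        findings.append("redirect target is not an https:// URL")
    headers = {k.lower(): v for k, v in https_headers.items()}
    raw = headers.get("strict-transport-security")
    if raw is None:
        # Browsers ignore HSTS sent over plain HTTP, so it must be here.
        findings.append("no HSTS header on the HTTPS response")
        return findings
    policy = parse_hsts(raw)
    if policy["max_age"] is None:
        findings.append("HSTS header has no valid max-age and is ignored")
    elif policy["preload"] and (policy["max_age"] < PRELOAD_MIN_AGE
                                or not policy["include_subdomains"]):
        findings.append("preload is set but the policy does not qualify: "
                        "needs max-age >= %d and includeSubDomains"
                        % PRELOAD_MIN_AGE)
    return findings


# The header value from the page's Apache example.
PAGE_HEADER = "max-age=300; includeSubDomains; preload"

if __name__ == "__main__":
    print(audit(301, "https://example.com/",
                {"Strict-Transport-Security": PAGE_HEADER}))
```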

Here’s how to view SSL certificates in Chrome.

How to View SSL Certificates in Chrome

To view SSL certificates for any site (including your own) in Chrome, open Developer tools.

developer tools in chrome

From there, head to the Security tab and click “View certificate.”

view certificate security overview

Then, the full certificate should appear for your viewing.

google ssl certificate

Finally, you need to test your HTTPS to make sure that all web elements are as secure as possible.

Testing your HTTPS

The easiest and fastest way to verify that your HTTPS is working is to head to your website and verify that you see HTTPS: before your site name.

http vs https in browser

If you want a more in-depth test, use an advanced SSL-Check tool like this one from JitBit.

ssl check with root URL

This tool will crawl an entire HTTPS website (and even its internal links) to uncover unsecure images, scripts or CSS files that trigger unsecure warnings in browsers.

You can crawl 200 pages of your site for free using the tool if you tweet about it, which is a pretty small price to pay for zero cost HTTPS testing.
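The check such a crawler performs on each page can be sketched as follows. This is an added example, not the JitBit tool's code: it parses one HTML document and reports every image, script, stylesheet or frame that would be fetched over plain HTTP from an HTTPS page. The sample page and its URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a subresource.
FETCHING = {"img": "src", "script": "src", "iframe": "src", "link": "href",
            "audio": "src", "video": "src", "source": "src"}
ACTIVE = {"script", "iframe", "link"}  # can change the page; browsers block these

# Constructed sample page, assumed to be served from https://www.example.com/.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<img src="http://www.example.com/logo.png">
<img src="/images/banner.png">
<a href="http://partner.example.org/">partner</a>
<script src="http://stats.example.net/t.js"></script>
</body></html>"""


class _Finder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = FETCHING.get(tag)
        # <a href> is navigation and rel=canonical is metadata: neither loads.
        if attr is None or (tag == "link" and "stylesheet"
                            not in (attrs.get("rel") or "").lower()):
            return
        value = (attrs.get(attr) or "").strip()
        if not value:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        resolved = urljoin(self.page_url, value)
        if urlparse(resolved).scheme == "http":
            kind = "active" if tag in ACTIVE else "passive"
            self.findings.append((self.getpos()[0], tag, kind, resolved))


def find_mixed_content(page_url, html):
    """Return (line, tag, kind, url) for every subresource loaded over HTTP."""
    finder = _Finder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for finding in find_mixed_content("https://www.example.com/", SAMPLE):
        print(finding)
```

Relative and protocol-relative URLs inherit the page's scheme, so only the three absolute `http://` subresources are reported; the plain link to the partner site and the canonical tag are not loads and are skipped.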

Conclusion

If your site is marked as unsecure, you’re losing valuable site visitors every minute.

An SSL certificate can help, since it verifies and encrypts your website, making your pages safe for both you and your customers.

If you think you can avoid getting an SSL certificate, you’re wrong. The HTTPS protocol that SSLs provide is vital if you want to build a trusted and reputable site.

HTTPS tags show up with a padlock and a “secure” tag in visitors’ browsers, notifying them that your site is legit.

And HTTPS can help your SEO and conversions, since HTTPS pages are proven to have higher rankings and more referral data.

There are three different types of SSL certificates to choose from.

These include Domain Validated (DV SSL) Certificates, Organization Validated (OV SSL) Certificates, and Extended Validation (EV SSL) Certificates.

DV SSLs offer the least amount of security, while OV SSLs are more secure. EV SSLs are the most secure form of SSL certificate.

Choose an SSL certificate that works best for you, your company, and your budget.

If you want a reasonably priced SSL with high encryption, try GoDaddy. With Cloudflare, you can get a free DV SSL extension, but it may not be as secure as other certificates out there.

Comodo offers a wider variety of certificates than GoDaddy with similar encryption. However, they’re a bit more expensive.

To install an SSL certificate, you’ll have to purchase one from a trusted source, first.

Then, activate it and validate it. Install the certificate on your hosting server and set up 301 redirects to your new HTTPS URLs. Don’t forget to check the links.

If you want to view SSL certificates in Chrome, you can open them up for any site you visit using Developer Tools.

Finally, to test your HTTPS, use an advanced SSL Checker like the one created by JitBit. Double check that your URLs have a secure padlock, too, just in case.

Which type of SSL certificate are you going to add to your website?

About the Author: Neil Patel is the cofounder of Neil Patel Digital.



from The Kissmetrics Marketing Blog https://ift.tt/2IqBRxK