These days, internet connections are ubiquitous, from data streaming to and from the devices in our pockets to free Wi-Fi on buses.
You don’t need to understand the internet on a granular level to take advantage of it, but if you have a website for your business, knowing more about keeping it protected and compliant is all but essential.
Want to know your HTTP from HTTPS? Read on to learn about internet security, SSL certificates, and why your website needs to stay safe with secure connections.
SSL is short for Secure Sockets Layer. It’s a security protocol (i.e. a set of rules) that ensures the data travelling between the internet and its users is secure.
The ‘socket’ refers to network sockets, which in the simplest terms means the data endpoints in a network.
When you navigate to a website, you (the client) and the website’s server are essentially the sockets. Thus, SSL ensures that the data you send is safe, as is the data you receive back.
SSL was first introduced by the now-defunct Netscape in 1995, and it formed the core of secure data communications online.
SSL itself has now been replaced by the TLS (Transport Layer Security) protocol, but the name has persisted because of SSL’s foundational role, and it is used somewhat as shorthand for internet data security.
Regardless, bear in mind that TLS is the modern standard, so while people in the know might talk about SSL, the protocol itself isn’t actually in use anymore.
The most common context you’ll likely hear SSL being used in is regarding SSL certificates.
An SSL certificate is what enables secure data communication between users and your website, and proves the parties involved are who they say they are.
Clients and websites first communicate through SSL with something known as a handshake, which is a multi-step process for verifying security and identity, employing methods like encryption to secure data and verify the existence of the necessary ‘keys’ to safely send that data.
An SSL handshake is a kind of superfast deal made between the client and server to establish both parties are verified and using agreed algorithms to secure data.
In a sense, it can be thought of as a literal secret handshake; if either side doesn’t know how to answer one part with the corresponding action, for example by not having the private encryption key to unscramble the data, then the conversation ceases.
Websites that use SSL encryption have URLs prefixed with HTTPS, the ‘S’ standing for secure.
Browsers often indicate this security, such as Google Chrome showing verified encryption with a padlock icon embedded in the address bar.
Possessing a certificate shows users of your website that you’ve done the necessary legwork to protect their data and make your site secure.
Perhaps more significantly, not having a valid SSL certificate will often directly stop people from being able to access your website.
Mainstream web browsers will block users from accessing a site with inadequate security, and though users can still waive these warnings in order to access the site, many will heed the red danger signs on their screen and go no further.
When customers are trying to decide between your business and competitors, you can’t afford setbacks like that.
With cybercrime a growing concern for society to the degree that it may soon cost tens of trillions per year globally, customers will often do whatever they can to avoid having their data stolen or leaked.
And, of course, if customers were to suffer a data breach through inadequate site security, the site owner is liable for the ensuing fines, customer complaints, and damage to public image. Given the implications of data theft that can go on to impact many aspects of the victims’ lives, instances of these breaches are some of the most devastating that the culpable businesses can suffer.
To obtain a certificate, the website owner must reach out to a Certificate Authority with a Certificate Signing Request (CSR).
An SSL certificate is often necessary to comply with General Data Protection Regulation, or GDPR for short. Under the provisions of GDPR, if you collect and/or process customer data, you are obligated to protect it.
While SSL certificates don’t guarantee data security by themselves, they go a long way towards increasing the overall security of your website and the data it collects. By deliberately eschewing a certificate, you leave the data moving back and forth between client and server exposed and vulnerable to attack.
It should be noted that GDPR doesn’t specify that an SSL certificate is needed to be compliant unless you collect or process customer data, and this data could be something as simple as an email address. As a result, SSL certificates are all but a necessity for a vast number of businesses with an online presence.
There are three levels of SSL certification that encompass various ‘depths’ of security.
An SSL certificate of any level grants essential security to a website, but those of a greater validation level give that little bit more, and may be more attractive for larger companies or those who take a lot of data as part of their business operation.
These levels are Domain Validation (DV), Organisation Validation (OV) and Extended Validation (EV).
Of the three levels, Domain Validation (DV) is the most basic and obtainable. The only hard requirement for a DV certificate is proof of ownership pertaining to the web domain.
This type of certificate doesn’t necessarily stand as proof of a legitimate business, so DV SSL certificates are often insufficient for companies but serve individuals well.
Even a DV certificate provides compliant encryption that meets industry standards, so this doesn’t necessarily place independent websites at a disadvantage compared to those of businesses.
DV SSL certificates also provide the ‘https’ string in a domain’s URL, giving an at-a-glance sign of competent security.
Organisation Validation (OV) is an intermediate level of verification.
Like domain validation, OV certificates require proof of ownership for the domain, as well as proof of the legitimacy of the business itself in that it’s legally registered. As its name and requirements suggest, this type of certificate isn’t available to individuals (except those representing businesses, such as sole traders).
As well as providing encryption, OV certificates hold an extra level of trust and authority since they can only be granted to valid businesses, which will be vetted by the chosen Certificate Authority to ensure that everything is above board.
Accordingly, OV certificates take up to a few days to be issued, whereas DV certificates can be provided within a few hours.
Extended Validation (EV) certificates are the best SSL certificates available in terms of prestige and trustworthiness. As with the preceding two types, the increased security and positive image associated with EV certification require a more stringent verification process than anything demanded by DV or OV certificates.
When an EV certificate is applied for, the Certificate Authority will conduct a thorough human-led investigation into the business.
Having an EV certificate issued takes several days and, unsurprisingly, costs the most to requisition.
However, it’s the very best level of verification that a business can seek in terms of its SSL status, and the most up-to-date security enhanced browsers show a green bar to give site visitors a strong indication of the site’s—and therefore the business’s—data security.
The presence of this bar is a minor thing but it could easily be the deciding factor for customers who are torn between two online retail businesses, particularly if the customer is spending a lot of money or handing over sensitive information, which may well be the case with customised products.
The price you pay for an SSL certificate will be at its lowest for a DV certificate, given the lax verification and fast process for acquiring one.
OV and EV certificates cost more due to the work incurred by the Certificate Authority and the benefits granted by their more secure status.
The cost of a certificate is usually structured as a yearly fee.
These range from around £5 a year for a DV certificate to around £120 a year for EV certificates. Prices can vary widely depending on the Certificate Authority issuing the SSL certificate and any extra services they offer as part of the vetting and admin processes.
Given the affordability of even an EV certificate in the context of business profits, paying the annual fee for one really is a no-brainer.
Adding a certificate to your website is straightforward for anybody competent with IT and web design, but the specifics can vary depending on where you host your domain.
Installing your certificate can be as simple as logging into a control panel and filling in details, or it may involve creating files using a text editor.
This can also include ensuring your private key is accessible, so the task is best left up to somebody who really understands the process.
If you use a web host or dedicated third-party for IT services, get in touch to see if they can sort it out properly.
If you want your business website to have the greatest level of trustworthiness and verification, then it’s hard to argue against an EV certificate.
It shows site visitors that you take the security of their data seriously, and goes a long way towards proving due diligence regarding GDPR.
However, bear in mind that a DV certificate still provides just as much material protection as an EV certificate.
Therefore, if you run a startup or SME and need to spare as much overhead as possible, then it’s better to at least secure the lowest level of certificate than getting nothing at all.
There is too much verification and security tied into SSL certificates for people to independently create their own, both as an achievable feat and as something that can be trusted.
After all, if your certificate doesn’t stem from a verified authority, then how is it worth anything in terms of trust? It would be like printing your own money and still expecting it to have value.
If you want an SSL certificate for your website, there is no way around it: you need to apply through a valid Certificate Authority.
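The CSR step and the reason a self-made certificate carries no trust can be reproduced locally. The script below is an added example, not part of the original article; it assumes the openssl command-line tool is installed, and the "Example Demo Root CA" and the shop.example domain are hypothetical stand-ins for a real Certificate Authority and website.

```shell
#!/bin/sh
# Added example: every key and certificate here is constructed and throwaway.
set -eu
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Succeeds only if certificate $2 chains up to the trusted root $1.
trusted_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Prints the public key embedded in certificate $1.
pubkey_of() { openssl x509 -in "$1" -noout -pubkey; }

build_demo() {
    cd "$demo_dir"
    # 1. Stand-in CA. A real CA's root certificate is pre-installed in
    #    browsers; this demo root is trusted by nothing but this script.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Demo Root CA" \
        -keyout ca.key -out ca.crt 2>/dev/null

    # 2. Site owner creates a private key and a CSR. Only the CSR is
    #    sent to the CA; the private key never leaves the server.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=shop.example" \
        -keyout site.key -out site.csr 2>/dev/null

    # 3. The CA signs the CSR and returns the certificate.
    openssl x509 -req -in site.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 30 -out site.crt 2>/dev/null

    # 4. The do-it-yourself route: the owner signs their own certificate
    #    with the same key, and no authority vouches for it.
    openssl req -x509 -new -key site.key -days 30 \
        -subj "/CN=shop.example" -out selfsigned.crt 2>/dev/null
}

build_demo
if trusted_by ca.crt site.crt; then
    echo "CA-issued certificate: chain verified"
fi
if ! trusted_by ca.crt selfsigned.crt; then
    echo "self-signed certificate: rejected, no trusted issuer"
fi
if [ "$(pubkey_of site.crt)" = "$(pubkey_of selfsigned.crt)" ]; then
    echo "same public key in both: only the signer differs"
fi
```

Both certificates wrap the same key, so the encryption is identical; the only thing the Certificate Authority adds is a signature that a verifier already trusts.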
If you’re looking to capture customer data, your customers need to know that data is safe and secure. Even if you only ask for an email address in exchange for a whitepaper download, or a name and business address for a quote, you need to take your role as a data processor seriously.
Customers who see that green address bar and padlock symbol are given subtle but effective cues that your business is trustworthy and authoritative.
That trickles down to your content, and the trustworthiness of your position as a market expert and/or thought leader.
To learn more about honest, ethical marketing and how we can give you more expert insights like these, contact Aqueous Digital today.