Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are the protocols that encrypt data sent between a web server and a web browser.
Even though TLS is what is actually negotiated today (every SSL version is deprecated and disabled in modern browsers), the industry still refers to the process as SSL, especially when dealing with the certificates necessary to secure a website.
In the last few years, an SSL certificate has become more of a necessity than an option, as browsers now warn users that a site served over plain HTTP is insecure. From a user perspective, online shoppers were generally savvy enough to look for ‘https’ (where the last “s” means “secure”) and for the padlock symbol (which indicates an encrypted connection to the site named in the certificate). It is the SSL certificate that enables these visual indicators. The certificate is installed at the server end of the connection, and the server presents it to the browser during the TLS handshake (HTTPS uses port 443 by default).
Okay, we all realize that encryption is generally a good thing and especially important for sites that receive credit card payments. In fact, encrypting cardholder data in transit is a PCI DSS requirement, and the standard now explicitly disallows SSL and early TLS, so the “SSL” you install must actually be a current TLS version. But what if you don’t sell anything on your website?
Piggy In The Middle?
As most website owners do not want third parties intercepting any information, it’s certainly best to encrypt all connections, since even data submitted on contact forms could be read or altered by a man-in-the-middle attack. Emails handled by the site could be intercepted in the same manner. Mailing lists and other subscriber updates… the list goes on.
Therefore, we can drink the Kool-Aid and state that SSL certificates are a positive addition to any website. However, like anything else, there are pros and cons and you must decide how much Kool-Aid you will absorb, a sip or the whole glass.
As I’ve stated before, I don’t like to be pushed into anything, especially when the change is not driven by lack of hardware or software performance. Years earlier, when faced with continuous browser alerts about my ‘insecure’ sites, with search engine rankings also impacted, I saw the light. My hosting provider installed purchased SSL certs rather than my existing self-signed and open source alternatives. At the time, no free option was available…
As I see it, the SSL advantages include:
- Encryption – it’s best to ensure all traffic is encrypted. Even if you only gather email addresses for contact forms or subscription lists, it is best to have SSL.
- Impersonation is harder – a certificate is issued only to someone who proves control of the domain (and, for OV/EV, the organization), so an attacker who cannot hijack your DNS, web server or registrar account cannot obtain a valid certificate for your hostname and stand up a convincing copy of your site. Note the limit: this does nothing against phishing from a look-alike domain, which can obtain its own perfectly valid certificate. A CAA record in your DNS (RFC 8659) additionally restricts which CAs are allowed to issue for your domain at all.
- Increased trust – users are unlikely to visit your site without SSL, based on alerts from browsers and from add-ons such as HTTPS Everywhere. This is true even if you do not gather financial info for e-commerce. Users can even click on the padlock icon to check the SSL certificate used.
- You cannot be PCI DSS-compliant without it (and the standard requires a current TLS version, not SSL or early TLS).
As the owner of a couple of low-traffic sites (I use them as a digital portfolio), hosting is my biggest expense but SSL certs were an added cost, equating to a large percentage of yearly costs. This is of course the biggest disadvantage, at least until Let’s Encrypt came on the scene with a free solution. With major sponsors and donors including Mozilla, Cisco and the Electronic Frontier Foundation (EFF), it’s not a shady solution but a free Certificate Authority (CA).
For high-traffic sites, performance may be a consideration, but the cost is mostly in the handshake (the asymmetric key exchange); bulk encryption is cheap on modern CPUs with AES hardware support, and TLS 1.3 and session resumption reduce the handshake overhead further.
What SSL Certificate Do You Need?
Choosing an SSL certificate should be an easy task, right? Do you have a ‘you get what you pay for’ attitude that would prevent you from using a free domain-validated certificate (no organization information is displayed)? I have no such problem and my hosting provider offers Let’s Encrypt certificates as a free option. However, if you administer your own web server, some technical knowledge is necessary to install the certificates, and Let’s Encrypt certificates are valid for only 90 days, so renewal should be automated.
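To make the domain-validation step concrete, here is what the Let’s Encrypt flow (the ACME HTTP-01 challenge) actually requires your web server to publish, as an added example that is not code from the original post, from Let’s Encrypt or from certbot. It follows RFC 8555 (key authorization, challenge URL) and RFC 7638 (key thumbprint); the account key and token below are constructed placeholders, not a real key pair.

```python
# Added example (not Let's Encrypt's, certbot's or the post's own code):
# what an ACME HTTP-01 domain-validation challenge requires the web server
# to publish, built from RFC 8555 sections 8.1/8.3 and the RFC 7638 JWK
# thumbprint. The account key and token are constructed sample values.
import base64
import hashlib
import json
import re

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # base64url alphabet, no padding


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the canonical JSON containing only the key's
    required members, lexicographically sorted, with no whitespace.
    Optional members such as 'kid' or 'use' must not influence it."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 8.1: keyAuthorization = token || '.' || thumbprint(accountKey).
    Only the holder of the ACME account key can produce it, so a file with
    this content proves control of the host *and* ownership of the account."""
    if not TOKEN_RE.match(token):
        raise ValueError("token must use only the base64url alphabet")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_challenge(token: str, account_jwk: dict) -> tuple[str, str]:
    """(path, body) the CA fetches over plain HTTP on port 80 of the name
    being validated. The file must be served exactly as returned here."""
    return (f"/.well-known/acme-challenge/{token}",
            key_authorization(token, account_jwk))


def ca_side_check(fetched_body: str, token: str, account_jwk: dict) -> bool:
    """What the CA compares after fetching the URL. RFC 8555 8.3 says the
    server SHOULD ignore whitespace after the body, hence the rstrip()."""
    return fetched_body.rstrip() == key_authorization(token, account_jwk)


# Constructed sample account key: P-256 shape, dummy coordinates.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(b"\x01" * 32),
    "y": b64url(b"\x02" * 32),
    "kid": "https://acme.example/acct/1",  # ignored by the thumbprint
}
SAMPLE_TOKEN = "tok-ConstructedSampleToken_0123456789"

if __name__ == "__main__":
    path, body = http01_challenge(SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"serve GET {path} on port 80 with body:\n{body}")
```

The point worth noticing is that the token alone proves nothing: the file content also commits to the thumbprint of the ACME account key, so someone who can merely read the CA’s challenge token cannot complete the validation with their own account. A certbot `--webroot` run does exactly this, writing the file under `.well-known/acme-challenge/` in your document root and removing it afterwards.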
In the last ten years or so, SSL certification has become a nice revenue generator for the companies that issue certificates, the certificate authorities (CAs). A CA’s role is to verify the applicant before issuing and to sign the certificate; browsers and operating systems ship the root certificates of the major CAs, which is what makes those signatures trusted. Each CA has a wide network of resellers that offer SSL certs as premium options. Costs can vary widely, typically depending on three validation levels:
- Domain Validation (DV) – issued after proving control of the domain, for example by publishing a file that the CA fetches from the web server or by adding a DNS record. No organization information is checked or displayed.
- Organization Validation (OV) – the CA also verifies the legal organization behind the domain, and the organization’s details are included in the certificate.
- Extended Validation (EV) – company documents are required to prove the legal identity. The strictest level, and the one that produced the green bar with the company name in the browser (major browsers have since dropped that indicator, so an EV certificate no longer looks any different to users).
The number of domains and sub-domains also comes into play: a multi-domain (SAN) certificate covers a fixed list of names, while a wildcard certificate such as *.example.com covers any single label below the domain, but not example.com itself and not deeper names such as a.b.example.com.
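The wildcard rules are where people most often buy the wrong certificate, so here is an added example (not code from the original post) that applies the hostname-matching rules browsers use (RFC 6125) to a certificate’s Subject Alternative Names, and then proposes the smallest SAN list for a set of hostnames. The name lists are constructed samples; the public-suffix handling is simplified to rejecting wildcards directly under a top-level label.

```python
# Added example, not from the original post: which hostnames a certificate's
# Subject Alternative Names actually cover, and therefore when a wildcard is
# needed. Matching follows the RFC 6125 rules browsers apply; the name lists
# are constructed samples.

def _hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry against a hostname (case-insensitive).
    A wildcard is accepted only as the entire left-most label and matches
    exactly one label: '*.example.com' covers 'www.example.com' but not
    'example.com' itself, 'a.b.example.com' or 'www.example.com.evil.test'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, parent = pattern.partition(".")
    # Partial wildcards ('w*.example.com') and wildcards directly under a
    # top-level label ('*.com') are rejected; browsers and the CA/B Forum
    # rules refuse both (a full public-suffix-list check is omitted here).
    if first != "*" or "." not in parent:
        return False
    host_first, _, host_parent = hostname.partition(".")
    return bool(host_first) and host_parent == parent


def covers(san_names: list[str], hostname: str) -> bool:
    """True if any SAN entry in the certificate covers the hostname."""
    return any(_hostname_matches(name, hostname) for name in san_names)


def minimal_san_list(hostnames: list[str]) -> list[str]:
    """Propose the SAN list to request: hostnames sharing a parent are
    collapsed into one '*.parent' wildcard when there are at least two of
    them; the bare domain is always listed separately because no wildcard
    covers it."""
    by_parent: dict[str, list[str]] = {}
    for host in hostnames:
        host = host.lower().rstrip(".")
        _, _, parent = host.partition(".")
        by_parent.setdefault(parent, []).append(host)
    names: set[str] = set()
    for parent, hosts in by_parent.items():
        if len(hosts) >= 2 and "." in parent:
            names.add(f"*.{parent}")
        else:
            names.update(hosts)
    return sorted(names)


# Constructed sample: a small site with an apex, two sub-domains and one
# deeper name that a single wildcard cannot reach.
SAMPLE_HOSTS = ["example.com", "www.example.com",
                "blog.example.com", "dev.api.example.com"]

if __name__ == "__main__":
    wanted = minimal_san_list(SAMPLE_HOSTS)
    print("request SANs:", wanted)
    for host in SAMPLE_HOSTS:
        print(f"  {host:22} covered: {covers(wanted, host)}")
```

For the sample above the proposal is `*.example.com`, `dev.api.example.com` and `example.com`: the apex and the deeper name each need their own entry. Let’s Encrypt issues wildcard names too, but only through the DNS-01 challenge, so if your hosting panel can only answer the HTTP-01 file challenge a multi-domain certificate listing each name is the simpler choice.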
As indicated in W3Techs’ survey Usage of SSL certificate authorities for websites, IdenTrust (whose root cross-signed Let’s Encrypt’s intermediate certificates, which is how Let’s Encrypt certs were trusted by browsers from day one) is the market leader.
The question remains, do you need more than domain validation? Does it increase trust? Are users too dumb to check the domain owner if they have trust issues? Similarly, organizations can be checked online. In my opinion, if companies are relying on enhanced browser indicators to establish trust, there is a greater issue that needs resolving by marketing.
In conclusion, SSL certificates are necessary, and free options are available that are universally accepted. If you really need more, ask yourself why. Covering multiple domains or sub-domains is one acceptable answer (though Let’s Encrypt issues multi-domain and wildcard certificates as well). “Enhanced encryption” is not: the strength of the encryption is set by the server’s TLS configuration and key size, not by the price or validation level of the certificate. And the addition of a pretty green bar (EV certs) hardly justifies the hundreds of dollars needed to obtain it. Could this money be better spent elsewhere? You decide, and compare costs between certificate authorities and their resellers.