What Is SSL? A First Look at Online Security
Have you ever wondered why we shake hands when meeting new people? One of the prevailing theories is that it originated as a way to ensure the mutual safety of two strangers; by shaking each other’s hands, both parties would be able to tell if the other “had something up their sleeve,” such as a weapon. Each person could verify that the other was what they claimed to be.
This practice has become ingrained in our behavior as a cultural norm. In fact, we’ve even adopted the practice to validate the security between two machines (like a personal computer and a web server). The process that secures a connection on the internet is literally called an “SSL Handshake.”
When you’re surfing the web, it’s likely that most of the websites you visit do not need to bother with encryption. After all, it doesn’t really impact you very much if a hacker is able to figure out that you saw a BuzzFeed video about adorable kittens. But when it comes to websites that collect personal information, you definitely want those surfing sessions to be safe and secure. An SSL Certificate is what your web browser uses to ensure a site is authentic and reliable.
The term SSL stands for Secure Sockets Layer; it is the technology that encrypts your connection to a website. Once installed, it works in the background and is almost instantaneous, ensuring that any site to which you provide sensitive information will automatically be safeguarded.
If you are creating an eCommerce website, obtaining an SSL Certificate is not merely a good idea – it is essential to becoming compliant with the PCI (Payment Card Industry).
Savvy web surfers keep an eye out for SSL indicators on any website that prompts them for log-in information, credit card numbers, or any other personally identifying information. Indicators of an SSL connection are generally the same across all web browsers, though there may be some minor differences. The signs of an SSL connection include a lock symbol appearing before a web address, and a green highlight in the address bar indicating an encrypted connection.
How It Works
Entire volumes have been written about the finer points of SSL. But for today’s purposes, we’ll stick to the basics.
I mentioned earlier that SSL is like a handshake between your browser and the server hosting a website. In reality, it’s more like a secret handshake, only more cool. If someone pretends to be your friend without knowing your secret handshake, the imposter will be immediately discovered.
Or, to put it a bit more technically, SSL operates by encrypting data which can then only be deciphered by three “keys.” The website has one key and your browser has another. Once a connection is established between the two, a third, temporary “session key” is created; this key streamlines the exchange until you log out. All of these keys work in tandem to create a uniquely encrypted connection. If it’s good enough for banks (which it is) then it’s good enough for me.
To facilitate this “negotiation” in secured connections, websites protected by SSL have SSL Certificates. Think of them as IDs issued not by the state, but by the Better Business Bureau or Consumer Reports. Your browser has a list of all the most reliable SSL Certificate issuers out there, so when it encounters a website that does not have a trustworthy SSL, you will be warned that the website you’re about to interact with may not be what it seems. In order to be included on this “safe list,” an SSL provider will be audited and must comply with certain authentication standards.
SSL certificates also provide “rules” for encrypted sessions. Very basic SSL certificates will only keep a single page, such as a login screen or a checkout screen, secure for online shopping. Other certificates can cover several areas of a website, and as such, provide more versatile security. Certificates can also be issued based on how thoroughly they validate the website’s legitimacy.
The main functions of an SSL certificate are as follows:
- Provide the user with a decryption key
- Describe how thoroughly a website has been vetted
- Determine which websites (domains and sub-domains) the certificate will be valid for
Types of SSL
For eCommerce websites, there are three major levels of SSL validation:
- Domain Validated. DV Certificates are the cheapest and quickest to issue. They usually only validate your online presence (your domain and IP address, for example).
- Organization Validated. OV Certificates validate a few of the basic details of the organization which owns the website, including its name and physical address.
- Extended Validation. EV Certificates dig a little deeper, and verify your online presence, basic business details, and also your legal business identity. These take more time to be issued, since they are much more thorough. Website owners who opt for this kind of certification are rewarded with the “green address bar,” which gives customers much more buying confidence. Some issuers will also provide a “Secured by (Issuer)” stamp which can be displayed on a web page.
These levels of validation can apply to three kinds of certificates:
- Single-name Certificates. These are typically for businesses that only need to ensure a secure connection on a single page, such as a shopping cart’s Checkout Page.
- Wildcard Certificates. These types of certificates have the most utility, in that they can be used across several subdomains. For example, one online store might only encrypt the checkout page, where credit card and billing information are input. But another store might need to encrypt several (or every) part of the visitor’s browsing experience, from logging in (login.mystore.com), to maintaining account information (account.mystore.com), to final checkout (sales.mystore.com). These are all subdomains of the same website (mystore.com), and one Wildcard SSL can cover all of them.
- Multi-domain Certificates. When a single business identity maintains several disparate websites, one certificate can be issued to cover each unique domain (web address). Think of “sub-domains” as rungs on a single ladder, and “multi-domain” as several separate ladders. Each domain (ladder) can have many sub-domains (rungs).
As such, a “DV Single-name Certificate” might be the cheapest and the easiest to set up, whereas an “EV Multi-domain Certificate” will certainly be the most expensive and intensive.
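To make the single-name, wildcard and multi-domain distinction concrete, here is an added example (not code from the original article) that applies the hostname-matching rules browsers use to a certificate’s list of covered names. The certificate name lists and hostnames are constructed for illustration and are not real certificates.

```python
from __future__ import annotations

# Added example: which hostnames does a certificate cover?
# A certificate lists the names it is valid for; browsers honour a wildcard
# only as the whole left-most label, matching exactly one label.


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name such as '*.mystore.com' covers hostname.

    Rules applied: case-insensitive comparison; '*' must be the entire
    left-most label; it matches exactly one label (so '*.mystore.com' covers
    'login.mystore.com' but neither 'mystore.com' nor 'a.login.mystore.com');
    a wildcard directly under a top-level domain ('*.com') is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    if first != "*" or "*" in rest or rest.count(".") < 1:
        return False  # malformed or overly broad wildcard
    host_first, _, host_rest = hostname.partition(".")
    return bool(host_first) and host_rest == rest


def covered_hosts(cert_names: list[str], hostnames: list[str]) -> dict[str, bool]:
    """Map each hostname to whether any name on the certificate covers it."""
    return {h: any(name_matches(p, h) for p in cert_names) for h in hostnames}


# Constructed name lists for the three certificate kinds in the article.
SINGLE_NAME = ["sales.mystore.com"]                      # one checkout host only
WILDCARD = ["*.mystore.com", "mystore.com"]              # every first-level subdomain
MULTI_DOMAIN = ["mystore.com", "www.mystore.com",        # several separate "ladders"
                "myotherstore.net", "www.myotherstore.net"]

# Constructed hostnames a store might serve.
HOSTS = ["mystore.com", "login.mystore.com", "account.mystore.com",
         "sales.mystore.com", "deep.login.mystore.com", "www.myotherstore.net"]

if __name__ == "__main__":
    for label, names in [("single-name", SINGLE_NAME), ("wildcard", WILDCARD),
                         ("multi-domain", MULTI_DOMAIN)]:
        print(label, covered_hosts(names, HOSTS))
```

Note that the wildcard certificate does not cover `deep.login.mystore.com`: a second level of subdomains needs its own name on the certificate.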
It’s important to remember that all certificates offer the same basic types of encryption (128-bit or 256-bit). The differences between them are 1) how thoroughly they verify the certificate holder’s identity, and 2) the structure of the website or websites that they cover.
Who Needs SSL?
As you might suspect, there is a spectrum here. We live in a world where everyone is trying to sell us something, and the prevailing message is generally that we “need” whatever is being sold. Most of us are used to filtering this word out. We don’t “need” a new car, most of the time.
I’ll give you the straight truth first, and follow up with my opinions. The truth is that there’s only one criterion to determine whether you need to make use of an SSL: does your site collect credit card information? The PCI (Payment Card Industry) takes financial security pretty seriously, unsurprisingly.
In my opinion, though, any website that takes in personal data from its users should have an SSL. This is in everyone’s best interest – even the best interest of the one paying for the SSL out of pocket. Here’s why.
As mentioned above, many people actively look for the telltale signs of a secured website, namely the lock symbol and the green URL bar. If a customer feels that the seller is at all unsafe, they’ll bolt. That means no sale. No one wants a shady website stealing their identity. A little upfront investment in an SSL will engender customer trust, and you will have lifted a major roadblock from the path between you and your customer.
And even if you are not acquiring purchase card information, an SSL is still strongly recommended for websites that collect any kind of personal information (name and address, age, gender, phone number, or any other non-public and identifying information). This comes down to simply being a responsible member of society. I’m not incentivized in any way to promote SSL sales of any kind – I just think that a little effort to comply with Internet Best Practices goes a long way.
If your website does not take in information but only offers it (your best muffin recipes, videos of your pet turtle, or quizzes to test someone’s knowledge of Harry Potter trivia), you’re completely in the clear and do not need to use an SSL.
The right SSL for your site will be priced commensurately with what you need it to do.
Don’t make the mistake of thinking “bigger is better.” If you buy the priciest SSL package, you’re likely to be paying for things you don’t need and won’t use. Unused features don’t make your site more secure.
The corollary is that you should not merely go with the cheapest certificate and consider yourself “safe enough.” The benefits of getting a better-than-minimal SSL will often be well worth the additional cost.
That said, the “Types of SSL” listed above map fairly evenly onto the pricing scale. On the low end, I’ve seen ultra-minimal SSL Certificates for $10/year. These may assuage the fears of an anxious blogger, but won’t accomplish much else. But if your respectably diverse enterprise maintains multiple websites, it is not out of the question to purchase an EV Multi-domain Certificate for between $900/year and $1500/year.
For most eCommerce SMBs, a reasonable price is in the vicinity of $80-$100/year.
Though this range of prices is accurate (as of the date this article is published), I’d be remiss in my duties if I simply left it at that.
You should also consider the fact that many web hosts have some sort of SSL built in, relieving you of the responsibility to find and purchase one of your own. There’s no guarantee this is the case, so you’ll need to double check your web host.
Also, if you are starting an eCommerce business, you are probably using a SaaS like Shopify or Bigcommerce to streamline your store. Many Shopping Cart vendors have a range of SSL options to choose from. Prices for these certificates might be average or lower than normal, or they might be factored into your monthly SaaS fee and touted as “free SSL.”
How To Secure Your Site With SSL
The exact instructions for adding SSL to your website will vary, depending on how your site is hosted.
With eCommerce platforms like Shopify, your site is hosted on their servers. This means you will have very little to do with installing and verifying your SSL certificate.
If you are hosting your eCommerce site yourself (or on third-party frameworks like Rackspace) you will need to do more of the “paperwork” to get SSL Certificates configured correctly.
In general, these are the generic steps that are taken:
- Obtain your site’s dedicated IP address.
- Buy the SSL Certificate that best meets your needs.
- Activate your Certificate Signing Request from your web host’s control panel.
- Install the certificate (usually a simple copy/paste).
- Ensure that your sensitive pages (login screen, checkout page, etc.) use an address preceded by “https.”
The instructions above might not mean very much to the average user. Thankfully, your web host is likely to do some, if not all, of these steps for you. If not, check out these instructions for a bit more detail.
What’s Next in Online Security
The Online Security Industry has hit a bit of a plateau. It is currently treading water in an obsolete (though currently sufficient) technology. There are newer and better security measures out there. It is mere popularity, not superiority, which keeps SSL firmly in place as the standard for online security.
Why aren’t we using the best technology available? For the same reason that we don’t have biodiesel gas stations on every corner; it’s near impossible to phase out a well-established system which is almost universally and exclusively relied upon.
SSL is based on cryptographic algorithms that just hit their 20th birthday. In technological terms, it’s a dinosaur. It is susceptible to a few known cyber attacks, which, though mercifully rare, can result in your personal information being skimmed by a hacker. Newer cryptographic systems are more efficient and more secure, such as TLS (Transport Layer Security).
If your web host offers TLS options, jump on them. There is no completely impenetrable security measure, but TLS is the next-gen protocol for doing business online.
This guide is merely an introduction to the topic. If you plan on setting up many websites for clients, obtaining a much more thorough knowledge of SSL Certificates will be crucial to your success.
The good news is that, in most cases, once you set up an SSL Certificate for a website, you probably won’t have to revisit it much, if at all. If you decide to remove your website (or alter the addresses of your data-sensitive pages) for any reason, be sure to contact your web host and SSL provider, since they will have almost certainly set up automatic renewal and billing.
Good luck, and happy selling!