What is an SSL Certificate - How does it work?
Use SSL to secure your site
What is it?
Securing data transfer across the web
Any data you enter into a website -> moves from that site -> across the web -> to a receiving site.
The data you enter is “open”, meaning that if someone were to intercept the data they could read it (for example on a shared Wi-Fi connection, in an airport lounge, etc.).
HOWEVER, using SSL encrypts that data as it leaves the page -> it travels encrypted -> it is then decrypted on arrival.
An SSL Certificate is proof that your site is protected from data capture during the transfer of confidential information.
SSL Security, up to now, has generally been focused on sites that transfer credit card data, for obvious reasons.
Question: Is the site I am on encrypted?
When you look at a website URL you will see in the address either http or https:
The Technical stuff
Websites use HTTP or HTTPS as the protocol to display the pages we see online.
HTTP: HyperText Transfer Protocol – is the system for transmitting and receiving information across the internet.
HTTPS: Secure HyperText Transfer Protocol – developed for all authorization and secured transactions. It’s the same as HTTP but offers an extra layer of security.
Should I care?
Apart from the obvious – “I do not want my data being stolen” – Google has been pushing security for a while.
A ranking advantage for a site with SSL is generally acknowledged. This has now been reinforced by Google formally warning visitors about sites that it considers “insecure” (those without SSL).
The formal benefits of SSL?
- Visible security signals for your visitors
Security is one of the bigger concerns visitors have, so proving you are secure (in your web address) has a visitor benefit. Whilst security has been a key factor for ecommerce transactions (due to credit card data transfer), many sites have not secured their login or registration pages. If you are a lead generation website, requesting private or personal information over an unsecured connection can affect your registration rates. Anecdotal feedback does show that with SSL you are likely to have lower bounce rates and higher closure rates.
- Ranking – HTTPS is a Google ranking signal – Google has stated publicly that strong HTTPS encryption for a website is a factor within their search algorithm. The level of benefit is not known; however, this can be the edge you need.
- Analytics data – referrer accuracy – whenever traffic is referred to your site with HTTPS you are able to identify the exact site and it does not get “lost” under the channel of direct traffic. In our opinion this on its own can justify the implementation.
- HTTPS alerts by Google Search Console – Google has now begun sending notices to webmasters via Search Console if a login page or any page collecting a password is not secured over HTTPS.
- WARNINGS – Browsers are starting to alert visitors about non-secure sites – From January 2017 Google has been providing security warnings in Chrome if no valid SSL certificate is found on pages with sensitive information.
- Additional Security – HTTPS provides a number of further advantages:
- HTTPS verifies that the website is the one the visitor’s browser is supposed to be talking to.
- HTTPS prevents tampering by 3rd parties and so stops some of the attacks, making your site more secure for visitors.
- HTTPS encrypts all communication, including URLs, which protects things like browsing history and credit card numbers.
Do I REALLY need one?
The $64,000 question… it depends.
- Does your site take money?
If you are taking credit card payments on your site then YES, in order to protect the transfer of customer credit card data; in fact most payment gateways refuse to deal with sites without SSL. A large number of payment gateways provide the ability for your customers to “leave the site” in order to enter their data on their OWN connection – this is encrypted, but on their pages (e.g. PayPal) – and in these instances no, you do not need SSL.
- Do you offer memberships?
Whether membership is free or paid, SSL might be a good idea. Members must be giving you their email addresses, names and passwords; without SSL this data could be hacked and spread.
- Do you request registration?
Again there is potentially sensitive data being transmitted, therefore SSL is recommended. In addition, with the increasing concern over security and Google’s warnings, your conversion ratio is bound to be affected.
- Do you ask visitors to provide sensitive information?
Typically, sensitive information could be photos, documents etc. You might consider SSL to keep that information safe.
- Is your site just a blog?
If you have a blog which is just blog posts and a contact form then there is probably no need to invest in SSL as the benefit from Google will be minor; however, sooner or later you will have to implement it.
If I need SSL, does it need to be across the whole site?
In a lot of instances, no, but the cost of site-wide vs specific is similar, so there is no advantage to being specific and there are several disadvantages:
- Inconsistency – can complicate the implementation
- Trust/Confusion – a consumer may not understand that his page is “ok”.
Implementation of your SSL Certificate
There are a number of steps you have to go through:
- Buy a certificate either from your host or a certifying authority (CA) (this cost is annual) (there are various types – you will need to discuss this with your selected CA)
- The certifying authority aims to verify the website as a trusted resource.
- On the satisfactory conclusion of the validation the keys are administered
- Implementing the certificate on your hosting account and throughout your website can be significantly more complicated, we recommend this is done by a professional – the cost of a bad installation can be significant.
- Servers and hosting companies operate in many different ways when installing SSL certificates – consequently it is not within the scope of this article to explain in detail how to implement an SSL certificate.
HTTPS Implementation issues
- Test & Test again – Mistakes happen – moving your site to HTTPS involves many moving parts and it’s easy for things to go wrong. Have you mistakenly blocked important URLs in robots.txt? Have you pointed your canonical tags at the old HTTP URL? Is your website causing browser bars to display unnecessary warnings? So test and test again.
- Speed – because HTTPS requires extra communication “handshakes” between servers, it has the potential to slow down your website, especially if your site is already quite slow. If you follow best practices your site should be more than fast enough to handle HTTPS, but be warned it will slow your site up if it isn’t set up correctly.
- Social shares – most social share plugins use non-https URLs for the various social network pop up boxes. This can result in social icons not displaying, a padlock symbol appearing in the browser bar, and a variety of mixed content errors.
- Internal links – replace internal links so there is less of a requirement for 301 redirects.
- Random plugin problems – prepare yourself! Many plugins are not SSL compliant, resulting in many errors. Every plugin needs to be checked.
- Webmaster tools – you need to remove and re-add your site in Google’s Webmaster tools or do a change of address and then submit a new sitemap to force re-indexing of your site using https.
The Techie Checklist to Preserve Search Engine Rankings
- Use 301 redirects to point all HTTP URLs to HTTPS.
- Make sure all canonical tags point to the HTTPS version of the URL.
- Use relative URLs whenever possible.
- Rewrite hard-coded internal links (as many as possible) to point to HTTPS. This is technically superior to just relying on 301 redirects, simply because there are fewer things to go wrong.
- Register the HTTPS version in both Google and Bing Webmaster Tools.
- Use the Fetch and Render function in Webmaster Tools to ensure Google can properly crawl and render your site.
- Update your sitemaps to reflect the new URLs. Submit the new sitemaps to Webmaster Tools. Leave your old (HTTP) sitemaps in place for 30 days so search engines can crawl and “process” your 301 redirects.
- Update your robots.txt file. Add your new sitemaps to the file. Make sure your robots.txt doesn’t block any important pages.
- Implement HTTP Strict Transport Security (HSTS). This response header tells user agents to only access HTTPS pages even when directed to an HTTP page. This eliminates redirects, speeds up response time and provides extra security.
- If you have a disavow file, be sure to transfer over any disavowed URLs into a duplicate file in your new Webmaster Tools profile.
- Migrating social share counts. Your social share counts don’t impact your rankings, but they act as strong social proof and it’s annoying to experience them being reset to zero. There are ways to maintain your counts by altering the code in your social buttons.
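The redirect, canonical tag, mixed content and HSTS items in this checklist (and the “Test & Test again” point earlier) can be checked mechanically after a migration. The following is an added example, not code from the original article; the function names, the response-dict shape and the shop.example sample data are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class PageScan(HTMLParser):
    """Collects the canonical URL and the sub-resource URLs of one page."""
    def __init__(self):
        super().__init__()
        self.canonical, self.resources = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag == "link" and "canonical" in rel:
            self.canonical = a.get("href")
        elif tag == "link" and "stylesheet" in rel and a.get("href"):
            self.resources.append(a["href"])
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append(a["src"])

def audit_migration(http_resp, https_resp, https_url):
    """Return findings for one URL; an empty list means every check passed."""
    findings = []
    h = {k.lower(): v for k, v in http_resp["headers"].items()}
    if http_resp["status"] != 301:
        findings.append(f"redirect: HTTP URL answers {http_resp['status']}, not 301")
    elif urlsplit(h.get("location", "")).scheme != "https":
        findings.append("redirect: 301 does not point to an https:// URL")
    h = {k.lower(): v for k, v in https_resp["headers"].items()}
    parts = [p.strip().lower() for p in h.get("strict-transport-security", "").split(";")]
    max_age = dict(p.partition("=")[::2] for p in parts if p).get("max-age", "")
    if not (max_age.isdigit() and int(max_age) > 0):
        findings.append("hsts: header missing or max-age not positive")
    scan = PageScan()
    scan.feed(https_resp["body"])
    if scan.canonical and urlsplit(urljoin(https_url, scan.canonical)).scheme != "https":
        findings.append(f"canonical: {scan.canonical}")
    for ref in scan.resources:  # relative and // URLs inherit https from the page
        if urlsplit(urljoin(https_url, ref)).scheme == "http":
            findings.append(f"mixed content: {ref}")
    return findings

# Constructed sample responses (not captured from a real site).
URL = "https://shop.example/"
BEFORE_HTTP = {"status": 302, "headers": {"Location": URL}, "body": ""}
BEFORE_HTTPS = {"status": 200, "headers": {}, "body":
    '<link rel="canonical" href="http://shop.example/">'
    '<script src="http://widgets.example/share.js"></script>'}
AFTER_HTTP = {"status": 301, "headers": {"Location": URL}, "body": ""}
AFTER_HTTPS = {"status": 200, "headers": {"Strict-Transport-Security": "max-age=31536000"},
    "body": '<link rel="canonical" href="https://shop.example/"><img src="/logo.png">'}

if __name__ == "__main__":
    print(audit_migration(BEFORE_HTTP, BEFORE_HTTPS, URL))
```

Run it against each important URL after the switch; the "before" sample yields four findings and the "after" sample yields none.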