If you use the internet on a daily basis, you will come across sites secured with an SSL certificate on a daily basis. The last website you visited, did it have an https:// URL in the address bar, as opposed to https:// ? Then that site is secured with an SSL certificate!
Does your browser have a nice little green lock next to the URL? Then that site is encrypted with an SSL certificate.
What is an SSL certificate?
So, by now you’re probably asking “What is an SSL certificate? And why do I need one?”
“SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, it activates the padlock and the https protocol (over port 443) and allows secure connections from a web server to a browser.”
Source: https://www.globalsign.com/en/ssl-information-center/what-is-an-ssl-certificate/
In plain english, this means that when you enter data into a website with an SSL certificate, the information is encrypted by your browser, sent encrypted to the server hosting the website, and decrypted by the website. The cryptographic key (or cipher key, also known as a private key) is only know by the server the website is hosted on. This means that even if a third party was to obtain the information you sent to the website (first name, last name, credit card number and CCV!), with the most powerful hardware available today, it is theoretically impossible to decrypt without the cipher:
50 supercomputers that could check a billion billion (1018) AES keys per second (if such a device could ever be made) would, in theory, require about 3×1051 years to exhaust the 256-bit key space.
I’ll take that those odds!
How does an SSL certificate work?
So lets take a look at how it really works in a real world scenario:
A customer sits down at their computer, they want to use your awesome service/buy your awesome products. They bring up Internet Explorer, head to your website and start to enter their personal (and sensitive) data.
But oh no! A wild hacker appears! They’ve used their skills to intercept your customers request and perform what is know as a man in the middle attack. Blissful unaware, the customer enters all their personal details, financial information and hits send. Instead of that data being sent to your website to be processed and used, it’s been intercepted, in plain text, by the third party who is now free to do with it as they please! In the mean time you have one angry customer, you’ve broken PCI-DSS compliance if you are processing payments in anyway, and have potentially contravened the Data Protection Act. Best call the lawyers….
Now lets look at the same scenario, but with your website protected with an SSL certificate:
The same thing happens, but this time the hacker receives the information in an encrypted format, it’s basically useless to them. You’re in the clear and your customer should probably install a firewall…
Let’s say I entered this information onto your website:
John Minns
4 Laceby Business Park
Grimsby Road
Laceby
DN37 7DP4242 4242 4242 4242
456
12/2018
With SSL encryption (256bit key), that data would look like:
EnCt2fd2797db0331740543de91f90acf5994fd494204fd2797db0331740543de91f9gGWzqO2YjgE
txpx+FFXg5u6cGgXUraPzIGFUaKbkk7Pz5pfu/lSPkO7ZI/aIkzeOX+cxVkiR9L0C/JCoDpCG4t5UYDq
RCtuhkZkcp6rFFWViG5ASJYVr++Kz+BbzV1Wzz1+NKwEJB0Qb3kBOTh4=IwEmS
Not much use without the cipher.
Do I need an SSL certificate?
Short answer:
Do you sell products and perform financial transactions on your site? Then yes!
Do you sell products and send the customer to a third party like PayPal to process transactions? Then yes!
Do you sell products on your site? Then yes!
Do you have a member/login area of your site, where passwords are stored? You really should!
Do you receive/send/store information provided by the user deemed sensitive by the Data Protection Act 1998? Then yes!
Do you receive/send/store information provided by the user? Then you probably should!
Do you want to achieve better search rankings in Google? Then yes!
Do you care about the online presence and image of your business? If not, why are you still reading?!
Long Answer:
There are certain types of websites that require an SSL certificate no matter what. eCommerce websites that process payments on site will require an SSL certificate, not just to use the third party payment provider, but also to be PCI-DSS compliant. Any website that receives, sends or stores data deemed sensitive by the Data Protection Act of 1998 will need to use SSL encryption to be operating within the law.
Even if your website doesn’t fall into those categories, an SSL certificate is a small investment that helps improve the integrity of your online presence. It helps to improve UX (user experience) and gives your user piece of mind, that when they enter their information, it’s not going to fall into the wrong hands.
Because of the extra benefits that having an SSL certificate gives your users, in August of 2014, Google revealed that it will now start to use HTTPS (a site with an SSL certificate) as a ranking signal. This means that if your site has an SSL certificate attached to it, that’s one more of the many checkboxes you can tick off in your quest to rank higher in Google than your competitors!
Want to know more, or how to go about getting an SSL certificate installed on your website? Contact the Laser Red/Red Cloud Hosting team today!