Have you ever paid for a domain name and the registrar offered you a free SSL certificate with your purchase?
If the answer is “yes,” the freebie may have left you wondering what an SSL certificate is and why you need one. As you’ll soon learn, installing an SSL certificate for your website is incredibly important, especially if your site collects data from users.
This article will answer all your questions about SSL certificates, including the available types, why you need one, and how to install one on your website.
Let’s jump in.
The “SSL” in “SSL certificate” stands for “secure sockets layer.” It’s an encryption protocol that signifies that the connection between a browser and server has a higher level of security. Translation please? Here’s the plain English version:
Most internet users’ activity falls into two categories when they surf the web: asking for (and receiving) information, or sending it. When they do either of these, a back-and-forth occurs between their browser (Google Chrome, Firefox, etc.) and the server that hosts the websites they visit.
SSL certificates make this exchange safer. These small data files establish a security protocol between your browser and the servers it sends data to and receives data from.
When you visit a website and want to know if it has an SSL certificate, look to your browser’s address bar. If you see a padlock icon before the site’s URL, then it has an SSL certificate.
Also, the site’s URL will begin with “https” instead of “http,” with the “s” standing for secure (it’s the secure version of hypertext transfer protocol). These two indicators point to a website that keeps user data secure.
SSL certificates contain the following information:
What are public keys? To answer that question, we’ll need to understand how SSL works.
In a nutshell, encryption algorithms form the backbone of SSL and SSL certificates. These algorithms ensure data transferred between a browser and server is unreadable by scrambling it during transfer.
Everything from names and addresses to passwords, credit card details, and other sensitive data becomes a jumbled mess of characters when sent over a secure connection. The process prevents hackers from stealing such information.
A typical data exchange on a secure connection goes as follows:
It may sound like a lot (and it is), but the entire exchange described above happens within milliseconds.
However, the most crucial component of the exchange is the use of SSL keys. SSL certificates have private and public keys that browsers and web servers use to encrypt and decrypt data. The transferred data is encrypted and verified using the sender’s public key.
There are several reasons why your website needs an SSL certificate. The most crucial reasons include:
Online businesses and websites that ask their users for their personal information need SSL certificates.
The web has evolved such that businesses now store sensitive information like medical records and social security details online. That data represents a treasure trove for cybercriminals and identity theft perpetrators hunting for websites with lax security standards. And, as the infographic below shows, it will only get worse.
SSL certificates ensure everything from login credentials to online transactions remains private and safe from spoofing, phishing, and other kinds of attacks.
Also, SSL certificates inspire confidence in the average internet user. When they see the padlock, it tells them they’re browsing a secure site that values sensitive customer data. In point three below, we reveal what a user sees in place of the padlock when browsing an unsecured site.
In 2014, Google stated on its blog that it would use HTTPS as a ranking signal. In other words, the search engine would begin to rank websites with SSL certificates higher on its results pages than those without.
SSL is a Google ranking factor.
Google’s reason for this algorithm update was understandable and noble: “To keep everyone safe on the web.” The search engine didn’t want to send users to unsecured and potentially harmful websites. After all, doing otherwise would impact its business long term, as users would seek out competitors whose search algorithms returned safer sites.
The rest, as they say, is history: As of October 2022, HTTPS is a standard security technology adopted by 81.5% of the websites on the web.
Finally, if your website doesn’t have an SSL certificate, it’ll give visitors a bad user experience, which, as you may or may not know, is becoming more and more important in SEO every year.
Remember our good friend Google? It made good on its promise “to keep everyone safe on the web” in more ways than one. Other than a lower search ranking, your site risks being outed as carefree about its visitors’ safety if it doesn’t have an SSL certificate.
As the image below shows, Google’s Chrome browser will give your site’s visitors visual cues that tell them it’s not secure.
Consider this: Chrome is the most widely used of the three major browsers (the other two being Safari and Edge). The browser has an enormous 64.5% market share, meaning most of your site’s visitors will likely use it.
Would you want every visitor to see that conspicuous “Not Secure” message in their browser address bar?
But it doesn’t end there. The message will likely spook your visitors and send them fleeing from your site, resulting in a high bounce rate. A high bounce rate will mean a lower ranking, which will mean less traffic. Less traffic means you’ll have fewer visitors, which means fewer leads, and so on and so forth.
An extended validation certificate is the most comprehensive and expensive type of certificate you can get. While any business is free to get this certificate, it’s usually larger businesses that have them.
As the image above shows, this certificate displays the following information about your website in a visitor’s browser bar:
This type of certificate displays so much information because the data helps to distinguish your website from malicious sites. And if you run websites that collect user data or process plenty of online payments, you’ll probably need these premium certificates.
Also, you’ll need to subject yourself to a standardized verification process to get this certificate. That involves proving you’re the legal holder of the domain you submit.
Organization-validated certificates are a rung down the SSL certificate price ladder from extended validation certificates. As with EV SSL certificates, you’ll need to subject yourself to a verification exercise to obtain one. And, just like EV SSL certificates, they display information about your business in your visitors’ address bars.
OV SSL certificates encrypt data transmitted during sensitive transactions, minimizing cybersecurity risks. While not as powerful as EV SSL certificates, they’re effective enough that commercial websites use them.
Compared to OV SSL and EV SSL certificates, domain-validated certificates provide a moderate level of protection from domain attacks. The verification process isn’t as stringent, so these certificates offer basic encryption.
They’re inexpensive to obtain, making them perfect for websites that don’t collect data from users (e.g., blogs and information websites).
Domain-validated certificates don’t display as much information in your visitors’ browser bar as EV SSL and OV SSL certificates. They stop short of displaying information about your business, only showing the https before your website’s URL and the padlock icon.
Please note that the above three aren’t the only types of SSL certificates available. Some other certificate types include:
In the section below, we’ll briefly discuss the determining factor for choosing a certificate type for your website and how to install one.
By now, you should be convinced about why your website needs an SSL certificate. So how do you set one up? The process goes something like this:
Your SSL certificate will require configuration on your web host’s server or your personal one (i.e., if you’re self-hosting your website).
Also, please bear in mind that the time it takes to obtain an SSL certificate varies depending on the type of certificate you decide to get. Whereas you can obtain a domain-validated certificate in minutes, an extended-validation certificate can take as much as a week or more to acquire.
If you intend to process online payments or collect sensitive data from your users, you’ll need an SSL certificate for your website. These digital certificates are crucial because they secure your website by encrypting data sent from and to it.
In addition, search engines like Google use the presence or absence of an SSL certificate to determine how well your website ranks. And the absence of an SSL certificate can impact your visitors’ user experience through off-putting visual cues.
Luckily, there are many types of SSL certificates you can use. When choosing, use your website’s security needs as the determining factor.
Paul is a cyber security expert specializing in PKI solutions and website security. He is often in front of his computer, trying to break into a website or API for clients and writing about it to improve the safety of others. He is a published author with his books on PKI Solutions and SSL/TLS Certificates, a Fire Fighter with his local brigade, and an avid snowboarder in the winter.