Secure Sockets Layer (SSL) is a standard that enables encrypted data transfer between a server and a web browser. A big push to move the entire web to SSL is currently happening with help from leading web browsers and tech companies. Installing an SSL certificate on your website can protect your users from malicious companies, users, and to a certain extent, governments.
An example of how a browser may display a website with no SSL certificate
When browsing a website that does not use SSL, your connection to that server is not private and can be intercepted by your ISP (internet service provider) or other users on your network.
The data they have access to includes the full URL you are visiting and any information sent in forms: usernames, passwords, credit card information, etc.
Data sent back from the server can be intercepted and modified by these users as well. Back in 2014, leading US ISP Comcast was found to be injecting adverts into pages viewed by users of its public Wi-Fi hotspots.
Standard Validation SSL
Example of how a browser might display a secure connection
A standard SSL certificate can be applied to a website to encrypt your connection to that server. Other users on the network and your ISP will then see nothing you send to the server except the hostname, which is required to send your request to the correct server. Form data and the remainder of the URL after the first forward slash are encrypted and can only be decrypted by the server that owns the certificate.
These certificates are available cheaply or free from providers such as Let’s Encrypt, which is an initiative to secure the web, backed by the likes of Google, Mozilla, Cisco, and Facebook.
Extended Validation SSL
An example of how a browser might show an extended validation SSL certificate
An extended validation (EV) certificate is generally used by sites that are targets of phishing, like banks or government sites, but also by companies that just want an increased level of trust. Browsers will often indicate that a site has an EV certificate by showing the full organisation name in the address bar. EV certificates verify not only that data cannot be intercepted and modified, but that the site definitely belongs to the organisation shown in the EV bar.
These EV certificates are much more expensive than a standard SSL certificate and often require a lengthy validation process where the certificate authority will verify your domain ownership, business registration and address, phone number and other information.
Starting in January 2017, Google Chrome will start alerting users that a connection is not secure when entering passwords or credit card information over an insecure connection. This is part of a long-term plan to mark all non-SSL connections as insecure, as noted in their announcement in September 2016.
Firefox is already alerting users of these forms in its developer preview channel and is sure to push it out to the main version soon.
Firefox shows a broken padlock when on an insecure page with a password input
If you are not sending any sensitive information such as passwords or credit card information, you may still be interested in an SSL certificate. Google has used a secure connection as a positive ranking factor since 2014, so having one could boost you up to a few places in Google search results.