One of the pillars of online security is the SSL or ‘secure sockets layer’. If you’ve ever bought something from an online store or used a website requiring a username and password then it’s more than likely that your confidential details were encrypted by an SSL in order to protect you.
Buying and selling online is one of the fastest-growing sections of the retail economy in Europe and North America. According to the Centre For Retail Research, Britain leads the European countries in the ecommerce table, with expected growth in 2016 of 14.9% taking the online sales total to £60 billion. Part of the reason why online shopping has become an ‘everyday’ activity for millions of people is that ecommerce sites are designed to be as safe as possible so that shoppers are secure.
In this blog I’m going to explain how to identify secure websites protected by an SSL, how to protect your own website and identify which websites need an SSL.
Before we go any further, let’s just look at why online security matters so much for users and website owners.
Picture this. You go into a shoe shop and use your credit or debit card to buy a pair of smart new shoes for a wedding you’ve got coming up soon. Do you let fellow shoppers crowd around you and scribble down your pin number, account number, name or address as you stand at the till? Of course not – no one in their right mind would dream of doing that.
So why should it be any different online? Just because you’re sitting on your sofa with your laptop ordering that killer pair of shoes doesn’t mean that you’re any safer than if you’re standing in the shoe shop surrounded by prying eyes and clutching a piece of paper and biro. This is where website security, and the SSL, comes into play.
How can you tell whether a site is protected?
It’s very simple. All you have to do is take a look at the address bar and see if there is either a padlock icon or the letter ‘s’ after the standard http:// in the web address – it will look like this – https://. It’s not particularly difficult to spot, and once you’ve established that the site you’re visiting is safe you can shop away in the knowledge that your data is secure.
If there is no https:// and the payment system is a third party one – PayPal for instance – then, as explained, it will be safe to proceed. Take a look at the example above.
Where to get an SSL
More good news. Finding a website that provides SSLs is as simple as heading over to Google and searching. You’ll be inundated with websites offering either free downloadable ones or a paid service. You’ll get all sorts of features with premium services such as warranty protection of over $1 million and a support line.
At Teapot we use a company called Comodo to arrange the SSL certificates for the websites that we build. Whether you go premium or free is up to the site owner but given that it’s a form of insurance for your site, you want to be well covered. For us, it’s all part of the package we provide and it’s likely that if you are having a site built professionally then they’ll cover this for you.
Some websites opt to only apply the security measures on the section of the site that handles confidential information – the checkout if it’s an ecommerce site or when users are submitting their username and password. This is called using Force SSL Exclusively.
How does it work?
Once you’ve downloaded an SSL for your own website you are then registered with the provider and a Root Certificate is issued to you and is digitally embedded in the website. Each time a connection is made between your website and a browser (e.g. Firefox or Chrome), the certificate is recognised and your data is protected. All data such as financial information or passwords is then encrypted, meaning it can’t be picked up en route by a third party.
When the browser on the end user’s computer (the site visitor) picks up that there is no root certificate, a warning message will flash up informing the site visitor that the site they’re accessing is not secure. The choice as to whether to proceed is ultimately the end user’s, but given that the stakes are high most people will head off to find another more secure website offering the same product or service.
Do all websites need an SSL certificate?
Yes. It simply is not worth the risk you will put your customers’ data or financial information under, let alone the damage that can be caused to the website’s reputation. Even the threat of a security breach is enough to turn customers away and into the hands of your competitors and their more secure websites. If you have protection then not only does it show that you take security seriously, but in the event of a data security breach you will have systems in place to cover it.
There is an exception, however. Many ecommerce sites opt to use a third party payment system, e.g. PayPal, rather than a payment module built into the site itself. In this case all the financial information will be handled by them and will be fully protected by the payment system. In this case the SSL is not vital and it is up to the site owner as to what they choose to do.
The answer to this is more black or white. If you’re handling confidential data – usernames or passwords – but not accepting payment then having an SSL cryptographic file protects you against this information being hacked.
If the website handles no confidential information whatsoever then there is no need to worry about one.
Anything else you should know?
Google like websites with SSLs and accordingly the presence of an SSL is one of the multitude of ranking factors in their algorithm. In 2014 the company announced that they would be making this change as part of their continuing drive to create a safer Internet for everyone.
Be Safe Online
Planning a new website gives you a lot to think about but hopefully you’ll now see that it’s actually fairly straightforward setting up an SSL for your website, especially when you compare it with all the hard work that building a website, and particularly an ecommerce store, involves: sorting out suppliers, shipping routes, organising the products and the multitude of other jobs. Don’t ignore it.
It may be the case that you don’t actually need an SSL but either way you must have investigated the need and be well informed before making your final decision.