Most businesses have joined the bandwagon by taking a relatively simple step to make their websites secure: They’ve purchased an SSL certificate and implemented HTTPS. Some businesses are still lagging when it comes to this important step.
Uh oh! Website not secure!
Here’s an example of what employees may be saying about this:
Joe: I’m getting warning messages when I go to certain websites using Chrome. They say this:
Clicking on the 🛈 I get this:
Hey, when I use a Microsoft Edge browser I get something else:
Angie: Uh oh! It says that when we go to our own website!
Joe: Yikes! Makes me want to leave. What does that mean, not secure or isn’t encrypted?
Angie: I’m not sure, but we need to look into this. Visitors might leave our website when they see this!
What it means
The messages refer to something called an SSL certificate and whether one has been applied to your website’s data transfer between a website and a user.
Having an SSL certificate means that the data is encrypted during the transfer and is probably more secure than a website operating without one.
When an SSL certificate is applied to your website, you’ll notice that the entire HTTP protocol displays in its address bar and that an “s” has been added after the HTTP part along with a lock symbol. Think of the “s” as representing “security.”
The “Not secure” or “isn’t encrypted” warning messages are also gone.
Who would want my information, and why?
Hackers, that’s who. Don’t think they’re not out there, or at least not where you live or travel.
It’s relatively simple to add sniffer software to any public network—at a coffee shop, hotel, conference—anywhere there’s a network or Wi-Fi that numerous people can access.
Hackers can find out what sites people are visiting and what they’re looking for, or steal personal information from your visitors that has not been transferred securely.
Here are several of many hacker strategies that can be used without an SSL:
- Fill your name, address, email, or phone into a form – the hackers have it.
- Enter your credit card information – they just struck gold.
- Log in with your username and password – they have that too, and everything you have stored behind that password.
- Enter a website URL you know – hackers might use “phishing” strategies that send you to a different website than the one for which you entered the address. They often look very similar and trick you into thinking you’re on the right website. Then they do their damage by collecting your personal information.
In highly competitive businesses, hackers may be looking for search patterns at competitor websites to try to steal their top customers or perhaps their marketing strategies.
To avoid these situations and help keep things more secure for your website visitors, applying an SSL certificate to your website is the first step.
How do I get an SSL certificate?
SSL certificates themselves are available from your website host or a number of third-party vendors.
Some are available at cost, while others are free of charge, depending on your host. Either way, they must be renewed on a consistent basis, usually annually.
Top Of The List can assist in this process, as it can get complex very quickly.
How much do SSL certificates cost, and what’s the process?
The cost of SSL certificates range from free-of-charge to over $1,500 per year. Several factors affect their cost:
- The vendor who provides the certificate
- Level of encryption (40 bit up to 256 bit)
- The layer of the certificate (root or browser level, or chain/intermediate level) that is implemented in lower layers on the server)
- Security options
- Number of domains secured
- Validation required
- High Assurance Certificate – Ownership of domain name only
- Low Assurance Certificate – Ownership of both the domain and the business name
- Support options
- Warranty – an amount the provider may pay to your customer if it issues the certificate incorrectly and they were a victim of fraud due to certificate error (very rare)
You must apply for an SSL before it can be purchased.
To apply, you’ll need to provide validation that you indeed “own” the domain for which the certificate applies. Depending on the certificate level, your company may need to be validated to ensure it is in good standing digitally speaking and that you are who you say you are.
Behind the scenes, there are many things happening:
- Checks are made on the accuracy of your company’s WHOIS record
- A Certificate Signing Request (CSR) is generated with the information you provided when applying
- The CSR is submitted to a Certificate Authority
- Your domain and company are validated
- Finally, you’ll receive the certificate
How do I know which features I need?
You can read up on this if you like, or you can work with someone to help you decide. The more information you have to protect for your users, the higher the protection you should purchase in your SSL.
Do you have places where someone purchases an item or logs in with a password, or is it lower level like completing a contact us form or signing up for a newsletter? Has your site been hacked before?
Answering questions like this can help decide what level of protection your site needs.
Once purchased, will it automatically make my site HTTPS?
No. Simply purchasing an SSL doesn’t do anything at all to make your website safer. The certificate needs to be installed on your website to make that happen.
The installation process depends on the server your website uses and the type of certificate purchased. This can be simple but can get complex very quickly. Best to leave this step to whoever is assisting you.
Is it risky to move my site to HTTPS?
It is technology, after all, and unexpected errors can happen.
Ensuring your site is backed up before starting, performing the operation at a time when the least number of visitors go to your site, and having a plan to revert back seamlessly are all important safeguards that should be in place.
Will my website still work if using HTTP and not HTTPS to get there?
An additional step is taken to make sure all pages are being redirected to the HTTPS version. When performed correctly, your site should show the same URL with HTTPS in it regardless of the method a person uses to get there:
- http://examplewebsite.com
- http://www.examplewebsite.com
- https://examplewebsite.com
- https://www.examplewebsite.com
With or without the ending slash “/” also.
Will moving to HTTPS affect Google searches?
According to Google, HTTPS sites are a factor in its ranking algorithm. Google wants all sites to be more secure and this is a strategy they are using to encourage sites to make their sites more secure.
Are there any other SEO tasks to do?
Well, yes. There are if you’re concerned about SEO because the extra steps are ones that are part of your website’s overall health. This is another factor in Google’s ranking algorithms. If you’re not concerned about that, then your site will work just fine without these extra steps:
- Internally, your website navigation and links are probably using the HTTP version. These will be redirected (like a mail forward) to the HTTPS version of your site for the user. But it is an extra step from a digital perspective, and one that has an effect on the health of your website. For best results, these should all be changed to HTTPS.
- Other websites linking to your site — a big factor in Google’s ranking algorithm — are also using the HTTP version. As many of those as possible should be changed to HTTPS to make those links as powerful as they can be.
- Check your XML sitemap—a sitemap for search engines only—to ensure it is displaying the HTTPS versions of all your URLs. Many times the sitemap is automated, but sometimes the automation doesn’t work unless extra configuration is performed.
Finally, if your site links to sites outside your domain, it’s a good idea to check those and do the courtesy of making them HTTPS if applicable. This step makes both your site and the site you’re linking a little healthier.
After moving to SSL and HTTPS, is my site now secure?
Nothing is 100% secure. Even if you do everything to ensure security, hackers can still encrypt the code.
Hackers can get into servers where credit cards are stored. (FYI, they’re stored there even if you don’t buy online.) But moving to HTTPS is still a positive step you can take to make sure your site is more secure, and that your website visitors’ data is safer when visiting your site.
Contact Top Of The List for a free, no obligation quote!
About the Author
Bev founded Top Of The List in 2006 and has over 25 years of experience working with technology. In her free time, she competes in dog agility competitions with her Golden Retrievers, Cosmo, and Finn.