What is SSL?
SSL is the technology that encrypts messages between web browsers and web sites. Those messages include passwords and user names as well as credit card data and information collected through contact forms.
TLS, or Transport Layer Security, is the protocol used to implement SSL these days. Strictly speaking, SSL was an earlier protocol that has been replaced by TLS, but most people still call it SSL.
Why is SSL important?
Google, in its never-ending quest to make browsing the internet better and safer for users, puts SSL at the forefront of its algorithm for page rankings. Put simply, you are at a disadvantage if your website does not use SSL certificates.
Practically speaking, even if you don’t sell things from your web site, you should protect your login details as the administrator.
How does SSL/TLS Work?
With TLS, the data that users send to a website (by clicking, filling out forms, etc.) and the HTTP data that websites send to users are encrypted. Encrypted data has to be decrypted by the receiving computer using a key. This is how that process works:
- Secure communication begins with a “TLS handshake” in which the two communicating computers open a secure connection and exchange the public key.
- During the TLS handshake, the two computers, usually a browser and a web server, generate session keys. The session keys encrypt and decrypt all communications after the TLS handshake.
- Different session keys are used to encrypt communications in each new session.
- TLS ensures that the party on the server side, or the website the user is interacting with, is actually who they claim to be.
- TLS also ensures that data has not been altered en route, since a message authentication code (MAC) is included with transmissions.
Three types of SSL:
- Extended Validation (EV SSL)
- Organization Validated (OV SSL)
- Domain Validated (DV SSL)
The encryption levels are the same for each type – what differs is the validation process required for each type.
With an EV SSL, the Certificate Authority (CA) checks the right of the applicant to use a specific domain name and checks that you are who you say you are. All of the information in the DNS records must match, and your contact details will be checked by email and usually by phone call. This type of certificate is a good idea if you are the kind of entity that absolutely requires trust, e.g. a government. If you are doing e-commerce, it will give a greater level of reassurance than OV or DV SSL.
Organization Validated (OV SSL) Certificates
The CA checks the right of the applicant to use a specific domain name and carries out some vetting of the organization. This additional information is displayed when you click on the padlock symbol next to the URL in Safari. OV SSL confirms who the owner of the domain is. This is the minimum level of SSL we would recommend to anyone doing e-commerce.
Domain Validated (DV SSL) Certificates
The right of the applicant to use a specific domain name is checked, but no further checks are carried out and no further information is displayed. This type of certificate is often free and in our opinion is perfectly acceptable if all you are doing is gathering information for a mailing list. The email addresses are encrypted and the burden of trust is on the website itself rather than the identity of the owner or the organisation behind it.
Let’s Encrypt is a non-profit certificate authority issuing TLS certificates. The certificates are functionally identical to those issued by paid organisations like Sectigo, and Let’s Encrypt is supported by many if not most web hosting companies.
For WordPress users, the simplest way forward is to obtain your certificate via the hosting company, who will then install it. All you need to do is change the http://mydomainname.com entries in the WordPress admin console to https. These can be found under Settings -> General in the fields WordPress Address & Site Address.
One more thing – up until this point, your site has been running on http. So all of the URLs regarding images and so on, stored in the database and output to the web page are using http. This can be changed in two ways.
- Really Simple SSL is a plugin for WordPress that rewrites the http URLs on the fly. Naturally it has some impact on performance, so it’s good if you don’t want to meddle with your database and not so good if you need those extra seconds of performance.
- Search and Replace is a plugin that enables you to search for character sequences in your database and replace them. Be very sure that you know what you are doing before committing to write changes to the database, as this can break your website. Fortunately there is a ‘dry run’ capability that will show you the fields that will be changed and the effect of changing them. The most common mistake is to swap https://helterskelterdesign.co/ with https://helterskelterdesign.co, which would give you URLs like https://helterskelterdesign.cohelloworld.html and cause a 404 error. What you want is https://helterskelterdesign.co/helloworld.html, which is the proper formulation. Be sure to run in ‘dry run’ mode and double-check the proposed changes. The search and replace strings need to be identical other than swapping http for https.
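An added example (not from the original post and not the code of either plugin): a Python sketch of the dry-run check described above, run over constructed sample rows. The domain example.test and all function names are assumptions made for illustration.

```python
import re

# Constructed sample rows (id, stored HTML); example.test stands in for your domain.
SAMPLE_ROWS = [
    (1, '<img src="http://example.test/wp-content/uploads/logo.png">'),
    (2, '<a href="http://example.test/helloworld.html">Hello</a>'),
    (3, '<p>No URLs here</p>'),
    (4, '<script src="http://cdn.example.net/lib.js"></script>'),
]

def check_pair(search, replace):
    """Reject a pair that differs by anything other than http -> https."""
    if not search.startswith("http://"):
        raise ValueError("search string must start with http://")
    if replace != "https://" + search[len("http://"):]:
        raise ValueError("strings must be identical apart from http -> https")

def dry_run(rows, search, replace):
    """Return (id, before, after) for each row that would change; writes nothing."""
    check_pair(search, replace)
    return [(rid, val, val.replace(search, replace))
            for rid, val in rows if search in val]

def apply_preview(rows, changes):
    """Return a copy of rows with the previewed changes applied (in memory only)."""
    new = {rid: after for rid, _, after in changes}
    return [(rid, new.get(rid, val)) for rid, val in rows]

def remaining_mixed_content(rows):
    """Ids of rows that still load a sub-resource (src=) over plain http."""
    pattern = re.compile(r'src=["\']http://', re.IGNORECASE)
    return [rid for rid, val in rows if pattern.search(val)]

if __name__ == "__main__":
    try:
        # The trailing-slash mismatch described above is refused up front.
        dry_run(SAMPLE_ROWS, "http://example.test/", "https://example.test")
    except ValueError as err:
        print("rejected:", err)
    changes = dry_run(SAMPLE_ROWS, "http://example.test/", "https://example.test/")
    for rid, before, after in changes:
        print(rid, before, "->", after)
    # Row 4 points at another host, so it still needs fixing by hand.
    print("still mixed:", remaining_mixed_content(apply_preview(SAMPLE_ROWS, changes)))
```

Rows that reference other hosts over http are untouched by a same-domain replace, which is why the final check still reports one row.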
Once you have completed this last step, you should be seeing none of the dreaded “Mixed Content” warnings in Google Chrome, your SEO ranking will be safe and your web site trustworthy.
Inspecting a Certificate
You can inspect the certificate of any website by clicking on the padlock icon that you see next to the URL in Safari, Firefox or Chrome. At minimum this will tell you who the issuing authority is.
In addition to being merely sensible, since Google added it to their ranking algorithm, SSL is effectively mandatory. That is a good thing for everyone, making the web a much more secure place to be.
Installing a certificate from Let’s Encrypt is usually a one-click operation, so it isn’t nearly as complicated as it used to be.