Cybersecurity tops the list of online concerns for website owners and users alike. In recent years, large-scale data breaches affecting major banks, retailers, and other leading service providers have made headlines around the world and left users more worried than ever about the safety and security of sensitive personal data they share in the course of online transactions of all kinds. Reassuring users that their data is safe from hacking, identity theft, and other kinds of online crime is essential for keeping customer trust.
Making your website secure with SSL and HTTPS protocols are essential steps for protecting sensitive data collected in the course of doing business and for signaling to users that a website is safe. If your site collects or uses sensitive data in any way, it’s important to know how these two protocols work and how you can use them to protect your website and customers from the latest round of cyber attacks.
What Is SSL?
SSL stands for Secure Socket Layer—a small data file that adds a cryptographic key to data transfer between the web browser and the server through encryption and authentication. To configure SSL encryption for a commercial or professional website, a site owner must obtain an SSL certificate, which acts as a kind of badge that announces to users that the site has been verified and certified by a third-party certification authority. An even more secure variation of SSL is TLS (Transport Layer Security), and site owners can also request verification for this certificate.
Not all websites need an SSL certificate, but having an SSL certificate is essential for protecting sensitive and confidential user data such as payment information, website subscription or registration data—such as an email address or username and password, and documents—such as health records or tax returns.
An SSL or TLS certificate adds an extra layer of website security to any communications passed between browser and server. Certificates are deposited with the server and accessed whenever a website with HTTPS is visited. Site owners can choose from three different types of SSL certificates, depending on the nature of the site and the kind of information it collects from users.
Certificates verified by domain validation (DV) are the lowest and least secure form of authentication. For this type of certification, the certifying authority simply checks whether or not the applicant is actually the domain’s owner. No other information about the company or applicant is checked. Certificates with only domain validation can typically be awarded quickly and relatively inexpensively since there’s very little information to verify. A DV certification works best for websites that have minimal dealings with confidential information and are less concerned about building a solid reputation for secure transactions.
Certificates verified by organization validation (OV) provide a more thorough validation than DV certificates do. This kind of SSL certificate verifies not only domain ownership, but also details about a company’s ownership and any relevant filings. This information is also available to website visitors, which increases a site’s transparency and level of trustworthiness. An OV certificate takes more time to acquire and costs more than a DV certificate, but it provides additional website security for sites that deal with lower level types of data, such as collecting email addresses for marketing opt-ins.
Certificates verified by extended validation (EV) offer the highest level of authentication and security. These certificates can only be issued by authorized certifying authorities and require a review of detailed company information. Because EV certificates are time-intensive and represent the highest level of security, they are the most expensive of the three and are best suited for websites that handle very confidential information such as credit card data.
SSL certificates are installed on the server, and they’re activated once a visitor reaches a site with the HTTPS designation that marks it as secure. Hosting providers can install certificates for their customers, and many allow users to apply for certificates directly through their hosting account. The web server must be correctly configured to accept the certificate, and that process is usually handled by the hosting service.
What Is HTTPS?
Nearly everyone who spends time online has encountered the letters HTTP, which typically appear at the start of every URL. HTTP, or Hypertext Transport Protocol, is a universal, text-based protocol that allows clients—individual pieces of hardware or software—to connect with a server and retrieve data for display. HTTP is an unsecured protocol, which can mean that data transmitted between client and web server could be vulnerable to hacking, phishing, and other kinds of cyber threats.
HTTPS changes that. This protocol stands for “Hypertext Transport Protocol Secure,” which tells all potential site visitors that the protocol transmitting data between clients and servers carries an additional layer of security. Like an SSL certificate, a website with the protocol HTTPS instead of HTTP tells users that data transmitted between the site and the web browser is encrypted and secure. The HTTPS protocol works with the SSL certificate. When a visitor accesses an HTTPS site, that activates the certificate and triggers encryption of the data being transmitted.
Along with the HTTPS protocol attached to a site’s URL, easy visual cues can tell a visitor whether a site is encrypted with an SSL certificate. Sites validated by OV and DV certificates have a green padlock next to the HTTPS, which may also appear as green. Sites with the most secure EV certificates can also include a green search bar. The padlock icon can also tell users information about the state of the site’s certificate. The padlock icon can also be used for other things. For example, a yellow padlock can indicate that a previously issued SSL certificate has been corrupted.
New websites can be configured from the start with HTTPS protocols and SSL certificates, and existing ones can be reconfigured or converted to support these additional security features. But converting an existing website to a more secure version in this way can give rise to some unanticipated problems, since search engines may recognize the site with HTTP and the one with HTTPS as two different websites.
To avoid problems arising from the existence of both an HTTP and an HTTPS site, experts recommend taking time to align all accounts and other activity that could be affected by the switch. That can include reconfiguring all aspects of a site including plugins, analytics, or ads and setting up the correct redirects to make sure that clients get to the desired online location. Switching to HTTPS can also affect existing links on the old HTTP site.
In an age of increasingly sophisticated hacking schemes for stealing or damaging a user’s data, an SSL certificate and HTTPS protocol tell visitors your site is trustworthy and secure and that their most sensitive data is safe with you. To further block your site from hackers, you can also try downloading security plugins that will help to protect your website.