HTTPS and SSL

You’ve probably noticed that when you visit online shopping sites, there’s usually a little green symbol or padlock on the left of the address bar. The URL, or website address, also starts with https:// instead of the much more common http:// prefix. What HTTPS tells you is that the website has an SSL Certificate and that communications between you and the website are encrypted and secure. This post is about whether you should have an SSL Certificate on your website too.


What’s it all about?

HTTP and HTTPS are acronyms used to describe internet communication protocols. Their full titles are ‘Hypertext Transfer Protocol’ and ‘Hypertext Transfer Protocol Secure’. The important difference between them is that HTTPS creates a secure channel over what is an inherently insecure network (the internet) and HTTP doesn’t. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the web server, and is used to prevent confidential user information, including credit card details, passwords and so on, from being intercepted.

What does that mean, in English?

In simple terms, when you visit a website, information is being sent back and forth between your computer and the internet server the website is on. For example, each page you read on this website has been sent from our server to your browser.

If you write your email address, phone number, name, password or credit card number (etc) on a website and then click ‘send’, all the data is sent across the internet to the website. If a hacker wants, he or she can intercept communications coming and going from a particular website.

In the case of an HTTP website, the data is not encrypted so a hacker can read, copy or do whatever they like with it. They can even inject their own code, malware or adverts into the data and resend it.

If the website is an HTTPS website, the data sent between you and the server is encrypted. A hacker can still see data is being sent to and from the website, but they can’t read it or interfere with it. HTTPS is a lot more secure, in other words.


Do you need SSL?

If you plan to incorporate an online store with on-site payment facilities where you take credit cards, or use certain payment gateways, the answer is yes. If you want to add an extra layer of security to your site, for example to protect user passwords and prevent advert injections, the answer is yes. If you want extra brownie points from Google, the answer might also be yes, as they have said they slightly favour sites with https.

Until recently, website owners generally only used SSL – HTTPS if their site included an online store. As the encryption of communications adds an extra step before a webpage can be shown to a visitor, making the site slightly slower, many website owners were reluctant to use an SSL certificate unless necessary. These days, with the constant risk of hacking, more and more sites are starting to switch to using SSL, even if they don’t have ecommerce facilities.

How do I get https?

If you want your website to use https, it means you need to obtain a valid SSL certificate. The SSL certificate, which you may or may not have to pay for, then needs to be attached to your hosting. Some are now added in a one-click process, whereas some require a little more work. There are also different types of SSL Certificate, which we won’t go into here.

There are still several ways of obtaining and adding an SSL certificate to hosting, and the way to do it depends on your particular hosting company. So, for information on how to add an SSL Certificate to your hosting, speak with your hosting company. They’ll almost certainly have a step by step guide on what to do, and some will even install the certificate for you, if you ask nicely!

Free SSL Certificates!

Free, as in Free Beer. Unless you have a specific need due to your e-commerce partner, you can get SSL certificates for free. One way is to use “AutoSSL” which can be enabled by your hosting company, or which you can manage yourself through WHM if you have it. This provides your domain with an SSL certificate for 90 days. It is then renewed automatically every 90 days.

Similarly, you can also get a free SSL certificate from Let’s Encrypt (https://letsencrypt.org/). Let’s Encrypt is a global Certificate Authority (CA) which lets people and organizations around the world obtain, renew, and manage SSL/TLS certificates. These certificates can be used by websites to enable secure HTTPS connections. Let’s Encrypt offers Domain Validation (DV) certificates but not Organization Validation (OV), Extended Validation (EV), or wildcard certificates, because issuance for these certificates cannot be automated.
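
A monitoring check for the 90-day automatic renewal described above, as an added example that is not part of the original post: it reads a site’s certificate expiry date and flags a certificate that should already have been renewed. The 14-day alert threshold, the function names and the sample certificate are assumptions constructed for illustration.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Assumption: alert when fewer than 14 days remain; tune to your host's renewal schedule.
RENEWAL_ALERT_DAYS = 14

def days_remaining(cert, now=None):
    """Whole days until expiry for a dict shaped like ssl.SSLSocket.getpeercert()."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days

def issuer_name(cert):
    """Pull the issuer organisation out of the nested tuples getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return "unknown"

def assess(cert, now=None):
    """Classify a certificate as 'expired', 'renewal-overdue' or 'ok'."""
    left = days_remaining(cert, now)
    if left < 0:
        return "expired"
    if left < RENEWAL_ALERT_DAYS:
        return "renewal-overdue"  # automatic renewal has probably failed
    return "ok"

def fetch_cert(host, port=443, timeout=5):
    """Fetch the live certificate. The default context verifies the chain and
    hostname, so an untrusted or mismatched certificate raises an ssl.SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificate data (not taken from a real site).
SAMPLE_CERT = {
    "notAfter": "Jun 30 12:00:00 2024 GMT",
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Free CA"),)),
}
SAMPLE_NOW = datetime(2024, 6, 20, 12, 0, 0, tzinfo=timezone.utc)  # constructed "today"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: python check_cert.py example.com
        cert, now = fetch_cert(sys.argv[1]), None
    else:                  # offline demo on the constructed sample
        cert, now = SAMPLE_CERT, SAMPLE_NOW
    print(issuer_name(cert), days_remaining(cert, now), assess(cert, now))
```

Run from a daily scheduled job, a result other than "ok" means the automatic renewal needs attention before visitors start seeing browser warnings.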