SSL/HTTPS School 1 of 3 – “What is SSL/HTTPS anyway?”

We promise this post– and the ones to follow - is going to be far more interesting than its topic!

For a long time now, we have felt a need for a basic guide for SSL certificates, the value they add to an organisation, the potential pitfalls that comes with the management of them, and – most importantly – how to avoid them.

So here it comes, the first out of three posts in our campaign to raise awareness and knowledge about SSL certificates and HTTPS.

Background

The use of SSL certificates (Secure Sockets Layer) or TLS (Transport Layer Security) which is the updated and most secure version of SSL, is as old as the Internet itself. When information started flowing online, it did not take long before a need arose to be able to ensure that no one could eavesdrop on potentially sensitive information.

SSL certificates enable the encrypted HTTPS-protocol to be used instead of the “old” HTTP. The SSL certificate is the “how” and the HTTPS-protocol (which you for example can see in your web browser’s address field on an encrypted site along with a padlock) is the “why”. That is why SSL and HTTPS are usually mentioned in the same sentence. To keep things simple, and avoid unnecessary confusion, we often refer to it as SSL/HTTPS.

Not using an SSL certificate is like putting a letter in the mail using a transparent envelope, enabling everyone to see its content. An SSL certificate encrypts and distorts the information, making it impossible to intercept the information between the sender and the receiver.

Traditionally, the recommendations for when to use an SSL certificate used to be:

• When you have an e-commerce site and handle orders and payments.
• When you have a login on your website.
• When handling sensitive information such as personal data.
• When striving for confidence for your business and your products.

However, in today’s world, things are a bit different.

SSL certificates and HTTPS today

The recent years’ exponential increase in Internet frauds – along with the emergence of the “fake news” phenomenon – has led to the macro trend we are now seeing with a move towards a more secure Internet.

The perhaps most evident example is the blogpost posted by Google back in 2014 where they introduced HTTPS as a ranking signal. A post that has become a modern classic. Google has since developed this aim, named ”HTTPS Everywhere”, and is with both carrot and stick increasing the number of sites using HTTPS in Google Search. The purpose is to provide its users with a more trustworthy result. July 2018 Chrome 68 launched a validation that will be marking all sites that are using HTTP as "not secure".

When it comes to SEO, Google is open about the fact that if two websites are equal in search results, but one has SSL enabled it may receive a slightly rank boost to outweigh the other. However, most perhaps most importantly, according to a survey from HubSpot Research, up to 85% of people stated that they will not continue browsing if a site is not secure.

As a result, the number of registered SSL certificates has skyrocketed during the last years.

To summarize, nowadays the discussion is not about when to use an SSL certificate, but when you dare not to.

Want to check if you have an SSL certificate?

We have implemented a free analysis tool named besafe.online (which coincidentally is also the address of the tool).

By typing your domain name, our analysis tools checks your site for the following:

• SSL certificate – the primary purpose of the site. If so, you get some additional info about the particular certificate.
• DMARC – an indicator (but no guarantee) that your organisation having implemented security mechanisms for preventing email fraud using your domain.
• DNSSEC – a safer version of the standard DNS which prevents DNS-hijacking.

Click here to get to the tool:

In the next part of the SSL/HTTPS-school

In the next part of this campaign, we will discuss the commonly asked question:

“What kinds of SSL certificates are there, and which should we use?”