What is an SSL Certificate and how does it work?
You may have noticed when you’re shopping online how your web browser shows a padlock and the word SECURE in the URL field at the top of your screen. Without you realising it, your web browser (e.g. Chrome, Internet Explorer) has established a secure, encrypted channel to the website you’re browsing. It’s like a spy movie – your communications at that point have become encrypted, so the conversation you’re about to have with that website is completely secure.
In other words, all the communication between your web browser and the server is turned into gibberish by the encryption method, so that the messages sent from your computer to the website (such as your name, address and credit card details) are protected from anyone who intercepts them.
The system that is being used when this happens is typically described as PGP or Pretty Good Privacy.
“Pretty Good” is an understatement of such scale that only a coder could come up with it. Essentially, PGP relies on a system of two keys – one private and one public. These days, the keys used to encrypt and decrypt messages are 2048-bit keys, so that’s two keys needed to read any message encrypted with this method.
So how long would it take to break a PGP encryption? Well, according to the mathematicians, a VERY, VERY, VERY…. long time. Indeed, just to break one communication would take a standard PC a lot more time than there’s ever been since the birth of the universe! And that’s just to break one code – you have to break two!
So, it’s pretty secure, and if you ever watch a movie where the hero breaks a PGP-secured code in seconds you’re allowed to laugh and walk out of the movie.
That doesn’t mean that your information is completely secure though. Most servers and people’s computers are still secured with pretty lame passwords which can be cracked using a brute-force attack, and quite often hacking these days is done using a phishing attack by email (sending someone a fake email to get them to log into a fake website, thus capturing the password). So the weak point of all the security systems in place is us humans, not the algorithms that are used to secure the data.
What’s happening when you visit a website protected by an SSL Certificate?
Unless you’re a mathematician, it can melt your brain if you try to work it all out, but essentially what’s happening is that your web browser (Chrome or IE) sends a message to the website and asks it to validate itself. The website then sends a public key back to the browser. This is one of the two 2048-bit keys required for the completely secure communication.
In PGP we don’t mind that one of the keys is public because in order to read the message you need to have the private key. You can’t decrypt a message using a public key.
Along with the public key, the website sends a certificate of registration that the browser can validate with a third party – the organisation that supplied the certificate. So it checks with the certificate authority that the key is genuine before using it to encrypt the message. This is the bit that you have to pay for when you’re buying the SSL certificate.
To install an SSL certificate on a server you have to prove you own the website you’re securing, and you can only buy a certificate from a limited number of suppliers, which further reinforces the security. New providers are coming along all the time, and with Google pushing website owners to secure all websites the costs are consequently coming down.
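The check described above, as an added example that is not part of the original post: a throwaway certificate authority is built with the openssl command-line tool, a certificate for a made-up site name is issued from it, and that certificate and a self-signed one that no CA vouches for are both verified against the CA, which is the decision behind the padlock versus the “Not secure” warning. The CA name and site name are invented for the example.

```sh
#!/bin/sh
# Added example, not code from the original post. Requires the openssl CLI.
# Names (Example Private CA, shop.example.test) are made up for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The certificate authority: a self-signed root that plays the role of
#    the trusted third party the browser checks with.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. The website: generate its key pair and a signing request carrying the
#    public key, then have the CA sign it. The signed file is the
#    "certificate of registration" the server hands to the browser.
make_site_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example.test" \
    -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/site.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/site.pem" 2>/dev/null
}

# 3. For comparison: a certificate for the same name that the site signed
#    itself, so no trusted CA vouches for its public key.
make_selfsigned_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=shop.example.test" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
}

# The browser-side decision: does the chain lead back to the trusted CA?
# Prints "trusted" (padlock) or "untrusted" ("Not secure" warning).
check_chain() {
  if openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_ca
make_site_cert
make_selfsigned_cert
echo "CA-issued certificate:   $(check_chain "$WORK/site.pem")"  # trusted
echo "self-signed certificate: $(check_chain "$WORK/self.pem")"  # untrusted
```

A real browser additionally checks that the name in the certificate matches the site address and that the certificate has not expired or been revoked; `openssl verify` as called here only checks the signature chain.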
Why does my website need an SSL?
When I started building websites, the only time you needed an SSL was if you had something on the site that took information from your users that you wanted to secure – mainly things like credit card details, but occasionally we also protected sites that took more personal information.
Ecommerce websites, for example, were always protected. Taking credit card details on websites has potential risks that I’m sure you’re familiar with these days, so website owners obviously wanted to protect their users and conform to the regulations on security (often referred to as PCI compliance).
And that’s the way it’s been for years until Google decided to push their agenda onto website owners.
It started in 2014 with Google tweaking their search algorithm to prefer sites with an SSL; then late last year they decided that any site with a form, regardless of whether it takes credit card details or not, needed to have secure communication between user and website – thus all sites with a form needed an SSL.
With Chrome being the most popular browser and Google being the most popular search engine they have a huge influence over website owners so basically whatever Google says you should do, you do! Their goal is to push all website owners to have an SSL regardless of whether you have a form on your site or not.
You might wonder why a site without a form would need an SSL – well, so do I. Essentially, the only other information your browser typically sends to a website is possibly your location (depending on your browser settings), some information about your computer and browser, and… that’s about it.
Google has changed their Chrome browser to display a warning to users when the site they’re visiting isn’t secured with an SSL. Visitors to your site could see a warning like this when they come to your site…
The “Not secure” text will appear next to your website address in the browser. Not something you would want your prospective customers to see, I’m sure you’ll agree.
Eventually though, it gets worse – this is what Chrome users will eventually see…
A big red warning about your website! You definitely don’t want that.
Now, take a look at the top of this browser window. Our Lobster site is secured with a basic SSL certificate, and so we get the padlock icon with the word “Secure” in green. A much better way to reassure your website visitors.
Considering SSL certificates are cheap (and some are free) and it’s a simple thing to set up, is it really worth not getting it sorted out?
What other security measures should I be considering for my website?
I’ve been telling my clients to secure their websites for years. At Lobster we’ve seen a lot of hacked websites over the years and the fact is that if your site has any sort of regular traffic and search ranking then it’s going to get attacked by malware eventually.
So I recommend website owners do these things:
- Make sure your site is backed up daily
- Set up a regular malware scan (using a service such as Sucuri.net)
- Put your site behind a firewall that will stop traffic from known blacklisted sources
- Get an SSL
We’ve tested a number of these solutions and the options available so if you would like some advice just get in touch.
In the very near future, all of these security features will become standard practice for web designers to implement for new clients. But if your site is already running, you need to speak to your website designer or hosting company about getting these things implemented as soon as possible, especially the SSL. The sooner you do it the better, and you’ll get a boost from Google in the search results as a thank you.