She was livid.
“Two #$%^&* hundred and fifty #$%^&* dollars for an SSL #$%^? Every #$%^*& year? Just to take those #$%^&* browser warnings off my website. Do I really need to pay that?”
The short answer? No. Not by a long shot.
Why do I say this? Let’s jump right in.
FACT: A More Secure Web is a Good Thing
When you connect to a website using the old-fashioned HTTP protocol, the messages between your browser and the web server are sent across the internet in plain text. So anyone who intercepts them can see everything you read and type on these websites.
The scary part? Getting access to this traffic doesn’t always require the latest North Korean cyberhacking voodoo. It can be as easy as using the same public Wi-Fi.
It gets worse. The average home wireless network has also never been patched for highly publicised security holes and small business computer networks can be compromised in all sorts of ways.
And even if you get all of that right, you’ve no control over the security of everyone else’s system your traffic travels through. That’s a worry – especially if you’re sending passwords or credit card details.
This is why so many Silicon Valley big wigs are pushing website owners everywhere to switch over to the HTTPS protocol – which encrypts all the traffic between browsers and web servers.
All the major browsers now display warnings to users who submit data to an unencrypted website. And the major search engines rank unencrypted websites lower too.
Which is why so many small businesses are picking now to put their websites on HTTPS. And to do this, you need an SSL certificate: a small data file that ties a public key to your domain name (and, for some types of certificate, to your organisation's details).
Who Needs an SSL Certificate?
The usual advice is that encryption is essential if you handle credit card details or passwords. But I reckon there’s a strong case for it even if you don’t.
People have all sorts of reasons to not want others snooping. This is true whether your website discusses medical problems, matters of the heart, important business decisions, or something else entirely.
And if you’ve got a contact form? Then it’s definitely nice to offer an encrypted connection. We’d all rather we could send a message without the creepiest guy in the cafe peering in.
Why Not Just Make Your Own Certificate?
Ok, so these things are just files, so can't you just make your own? Using web server software, that's actually pretty easy. This is known as a self-signed certificate, and the encryption you get with it is exactly the same as with one you buy.
So why pay for one?
Well, picture this: a hacker has hijacked your customer's computer and is redirecting their traffic for your website to a server they control, in an effort to steal credit card or password information. What would stop them from replacing your self-signed certificate with their own?
Nothing. Because anyone can make one.
That’s why web browsers show warning messages about self-signed certificates – because there’s no way to tell they’re legit. What the browser wants to see is a certificate that’s been issued by a recognised Certificate Authority. It’s about being able to trust that the website is who it says it is.
Should You Care About the Warranties?
One upsell technique with SSL certificates is the size of the warranty. It's rarely made clear that this warranty isn't for you: it covers your customers, and only if they lose money because the Certificate Authority issued a certificate it shouldn't have.
So, unless your customers are typically spending more than $10,000 on your website, there probably isn’t any difference between a $10,000 and a $500,000 warranty.
In practice, the size of the warranty is unlikely to influence anyone’s decision to do business with you. Very few end users realise SSL certificate warranties even exist. If they feel they’ve been defrauded, they’re much more likely to take it up with their credit card issuer.
Single name, Wildcard and Multi-Domain Certificates
One important way that SSL certificates differ is the number of domains and subdomains they cover.
A single name certificate covers one hostname, such as www.yourdomain.com. Most Certificate Authorities, Let's Encrypt included, will list both yourdomain.com and www.yourdomain.com on the same certificate, and for a typical small business website that's all you need.
But what if you're using several subdomains? Perhaps blog.yourdomain.com and forums.yourdomain.com? Then a wildcard certificate, for *.yourdomain.com, covers every subdomain at that level. One caveat: the wildcard stands in for exactly one label, so *.yourdomain.com covers blog.yourdomain.com but not yourdomain.com itself or dev.blog.yourdomain.com; those need to be listed on the certificate separately.
And if you have a whole stable of websites on separate domains, there are multi-domain certificates.
Wildcard and Multi-Domain certificates cost a bit more, but might save you money compared to buying single name certificates for every domain and subdomain.
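To make the coverage rules concrete, here is an added example (mine, not part of the original article) that applies the hostname-matching rules browsers use to a certificate's list of names: an exact match, or a wildcard that stands in for exactly one left-most label. The three certificates below are constructed name lists, not real certificates, and the hostnames are placeholders.

```python
"""Which hostnames does a certificate actually cover?

Added example, not from the original article. It implements the
hostname-matching rules browsers apply to a certificate's Subject
Alternative Names (RFC 6125 style): an exact match, or a wildcard whose
"*" stands for exactly one DNS label in the left-most position.
The certificate name lists below are constructed for illustration.
"""
from __future__ import annotations


def name_matches(san: str, hostname: str) -> bool:
    """True if one name on the certificate covers hostname (case-insensitive)."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # Browsers only honour a wildcard that is the whole left-most label,
    # so "bl*.yourdomain.com" never matches anything.
    if san_labels[0] != "*" or "*" in san_labels[1:]:
        return False
    # "*" matches exactly one label: the apex (yourdomain.com) and deeper
    # names (dev.blog.yourdomain.com) are not covered by *.yourdomain.com.
    if len(host_labels) != len(san_labels):
        return False
    # Public CAs will not issue "*.com"; require at least two fixed labels.
    if len(san_labels) < 3:
        return False
    return host_labels[1:] == san_labels[1:]


def covered_by(cert_names: list[str], hostname: str) -> bool:
    """True if any name on the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def coverage_report(cert_names: list[str], hostnames: list[str]) -> dict[str, bool]:
    """Map each hostname to whether cert_names covers it."""
    return {h: covered_by(cert_names, h) for h in hostnames}


# Constructed certificates, each given as its list of Subject Alternative Names.
SINGLE_NAME = ["yourdomain.com", "www.yourdomain.com"]        # a typical DV cert
WILDCARD = ["*.yourdomain.com", "yourdomain.com"]             # wildcard plus the apex
MULTI_DOMAIN = ["yourdomain.com", "www.yourdomain.com",
                "otherbusiness.com.au", "www.otherbusiness.com.au"]


if __name__ == "__main__":
    hosts = ["yourdomain.com", "www.yourdomain.com", "blog.yourdomain.com",
             "dev.blog.yourdomain.com", "www.otherbusiness.com.au"]
    for label, names in [("single name", SINGLE_NAME), ("wildcard", WILDCARD),
                         ("multi-domain", MULTI_DOMAIN)]:
        print(label, coverage_report(names, hosts))
```

Run it and you'll see the wildcard certificate cover blog.yourdomain.com but not dev.blog.yourdomain.com, and the single name certificate cover nothing but the two names printed on it. Before buying, list every hostname visitors will actually type and check each one against the names the certificate will carry.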
Domain, Organisation and Extended Validation
The other main way that SSL certificates vary is the extent to which the Certificate Authority will vouch for your identity.
The most basic level is domain validation, often abbreviated as DV. This just confirms that the server you're connected to belongs to whoever controls the domain. It's easy to automate: the CA checks an email to an address at the domain, a file you place on your web server or a DNS record you add, and nobody ever looks at your business. This is what makes these certificates cheap, between $5 and $50 a year, and there's even a Certificate Authority that hands them out for free. More on that in a bit.
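Here is what "easy to automate" looks like in practice. This is an added example (not from the article or from any Certificate Authority's code) of the HTTP-01 check used by the ACME protocol, which is how Let's Encrypt and others do domain validation: the CA hands your software a random token, your software publishes the token joined to a fingerprint of your account's public key at a fixed path on the web server, and the CA fetches it over plain HTTP. The account key below is a constructed placeholder (not a real RSA key) and the token is made up.

```python
"""How automated domain validation (ACME HTTP-01) proves you control a domain.

Added example; not from the original article or any CA's code. The
account key below is a constructed RSA public JWK (the modulus is a
placeholder, not a real key) and the challenge token is made up. The
computation follows RFC 7638 (JWK thumbprint) and RFC 8555 section 8.1
(key authorization).
"""
from __future__ import annotations
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required members only,
    keys sorted, no whitespace. Extra members such as "alg" are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact body the CA expects to find at the challenge URL."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """Where your web server must serve the key authorization (over HTTP, port 80)."""
    return f"/.well-known/acme-challenge/{token}"


def ca_validates(http_body: str, token: str, account_jwk: dict) -> bool:
    """What the CA does after fetching the challenge URL: only the holder of
    the account key that requested the certificate can have produced this."""
    return http_body.strip() == key_authorization(token, account_jwk)


# Constructed ACME account key (public part only; the modulus is a placeholder).
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(bytes(range(256))),   # placeholder modulus bytes, not a real key
    "alg": "RS256",                   # ignored by the thumbprint
}
TOKEN = "Z8p3AqLbJ1_constructedToken"  # constructed challenge token

if __name__ == "__main__":
    body = key_authorization(TOKEN, ACCOUNT_JWK)
    print("serve", body, "at", challenge_path(TOKEN))
    print("CA accepts:", ca_validates(body, TOKEN, ACCOUNT_JWK))
```

The point for a business owner is that no part of this looks at who you are: it only shows that whoever asked for the certificate can put a file on the server the domain points to. That's all a DV certificate ever certifies, and it is exactly as much as an OV or EV certificate proves about the connection itself.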
The next step up is Organisation Validation, or OV. This puts your business name on the certificate as well as your domain name. This requires a bit more work to verify your identity – it usually involves a phone call, some address details and so on. These cost around $150 a year.
And if you want your certificate to come with a top hat and a monocle, there's Extended Validation, or EV. This is how you get the name of your business in green text next to the padlock at the side of the address bar. (Browsers have since dropped that green indicator; in current versions the business name is tucked away behind the padlock, where an OV name already was.) This requires a thorough vetting of your business and costs around $200-300 a year.
Unpopular Opinion Time: The Cheap Stuff’s Fantastic
Some guys who sell this stuff won’t like what I’m gonna say here, because it might save you money.
The advice you’ll read over and over is that DV certificates should only be used on internal company websites; any public facing website should have an OV or an EV certificate.
But can I let you in on a secret? From an IT guy’s point of view, the level of security is exactly the same.
It comes down to this: what are you actually looking for from an SSL certificate?
For most small business owners it’s something along the lines of “I hate those awful browser warnings” or “I need my customers to be secure”. Does that sound like you? Then a DV certificate is perfect.
An OV or EV certificate doesn’t get you better technology or a more secure website. But you do get the Certificate Authority vouching a bit more for your identity.
And if this is important to you, then OV certificates look like terrible value for money. It’s more work, it costs a lot more, and at the end of it your website looks exactly the same.
I mean, in theory, anyone who clicks the padlock icon will see your business name on the certificate and perhaps trust you a bit more. But let’s be real here – how many humans look at this? For all intents and purposes, it’s invisible.
With the EV certificate, you get your business name in green text next to the address bar, at least in browsers that still display it. Few people know what this means, but it still looks nice and reassuring.
Whether a $250 SSL certificate is any real sign that a website owner takes security seriously and isn’t in the Russian Mafia is an angry rant I’ll save for another day. The fact of the matter is that having this extra green text in the address bar definitely helps you look more legit.
So if you’re a Bitcoin exchange or some kind of financial service, you probably want it. Ditto if you run a shopping cart – and especially if you’re generating traffic through online advertising and asking for a credit card number five minutes later.
For most freelancers, consultants and tradies who market through word-of-mouth, online and offline networking, referrals, content marketing and so on, you usually correspond with new customers a bit before taking payment. Having a green business name on the address bar might not be all that big a deal for you.
Who Else Wants SSL Certificates for Free?
Let’s Encrypt is a non-profit Certificate Authority that gives out SSL certificates for free. Anyone with a domain name can get one within minutes.
These certificates are only valid for 90 days but can be set up to renew automatically. Wildcard certificates are available too, though to get one you have to prove control of the domain with a DNS record rather than a file on your web server.
The Most Important Thing is Configuring it Properly
If you remember nothing else from this article, remember this:
A cheap or free certificate that’s set up properly is a zillion times more secure than an expensive one that’s not.
Migrating to HTTPS can be complicated. For most business owners, it's a bit too fiddly for a DIY job. If it's not done properly, you might still get horrible browser warnings, your customers might not be secure, or your certificate might expire without automatically renewing, leaving you to deal with all of it all over again.
So getting the right person to handle your migration is far more crucial than which certificate you buy. If you want to double check their work, run the site through an online SSL checker: it will tell you whether the full certificate chain is being served, whether the certificate matches your hostname and when it expires.
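The expiry date is the one thing worth watching yourself, because an auto-renewal that silently stopped working only shows up as a browser warning on the day the certificate lapses. The script below is an added example (mine, not from the article) that completes a real TLS handshake with your site, reads the certificate's expiry, and flags it long before the deadline. It assumes a Let's Encrypt style setup, where certificates last 90 days and the renewal tooling is meant to replace them 30 days out, so anything under 30 days left means the automation has already failed. The expiry strings used in the self-check are constructed test data.

```python
"""Check how long a live certificate has left and whether renewal is overdue.

Added example, not from the original article. Assumes a Let's Encrypt style
setup: 90-day certificates that automation replaces at 30 days out, so a
certificate with under 30 days left is the early warning that the renewal
is broken. The notAfter strings in the test data are constructed.
"""
from __future__ import annotations
import socket
import ssl
import time

RENEW_AT_DAYS = 30   # Let's Encrypt's recommended renewal point
LIFETIME_DAYS = 90   # Let's Encrypt certificate lifetime


def not_after_epoch(not_after: str) -> float:
    """Parse the getpeercert() notAfter format, e.g. 'Jan 05 12:00:00 2025 GMT'."""
    return float(ssl.cert_time_to_seconds(not_after))


def days_remaining(not_after: str, now: float | None = None) -> float:
    now = time.time() if now is None else now
    return (not_after_epoch(not_after) - now) / 86400


def renewal_status(not_after: str, now: float | None = None) -> str:
    """'ok', 'overdue' (automation should already have replaced it) or 'expired'."""
    left = days_remaining(not_after, now)
    if left <= 0:
        return "expired"
    if left < RENEW_AT_DAYS:
        return "overdue"
    return "ok"


def fetch_not_after(hostname: str, port: int = 443, timeout: float = 5.0) -> str:
    """Complete a real TLS handshake, with the default chain and hostname
    checks switched on, and return the served certificate's notAfter.
    Needs network access, so the self-check below does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder host
    not_after = fetch_not_after(host)
    print(f"{host}: expires {not_after}, {days_remaining(not_after):.1f} days left,"
          f" status {renewal_status(not_after)}")
```

Run it from cron once a day and have it email you on anything other than "ok". Because it uses the same verification a browser would (full chain, hostname match), a misconfigured server that only serves the leaf certificate or the wrong name fails the handshake here too, which is the other half of the "set up properly" test.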
Encrypting your website also means that all your URLs change from HTTP to HTTPS. So you want the right redirects in place so that all the links to your website still work.
Don’t just keep your website available on both HTTP and HTTPS, or your customers who visit the old address won’t be encrypted. My marketing dude also tells me that managing your move to new URLs is a big deal for SEO.
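For the redirect, here is an added example (mine, not from the article) of a small listener you would run on port 80 beside the real HTTPS site, sending every plain-HTTP request to the same page over HTTPS. The hostnames are placeholders for the names on your certificate. Two details a practitioner would want: the redirect is permanent so search engines move their index to the new URLs, and a request arriving under a hostname you don't serve is sent to your canonical site rather than echoed back, so the redirector can't be abused to bounce visitors to an attacker's site.

```python
"""Redirect every plain-HTTP request to the same page over HTTPS.

Added example; not from the original article. A small stand-alone listener
for port 80 that sits beside the real HTTPS site. The hostnames are
placeholders for the names on your certificate. The Strict-Transport-Security
header belongs on the HTTPS responses only (browsers ignore it over plain
HTTP), so it is deliberately not sent from here.
"""
from __future__ import annotations
from http.server import BaseHTTPRequestHandler, HTTPServer

CANONICAL_HOST = "www.yourdomain.com"                      # placeholder
ALLOWED_HOSTS = {"yourdomain.com", "www.yourdomain.com"}   # names on the certificate


def https_location(host_header: str | None, path: str) -> str:
    """HTTPS URL for a request, keeping the path and query string.

    A Host header we do not serve (scanners, misdirected traffic) is replaced
    by the canonical host instead of being echoed back, so the redirector
    cannot be used as an open redirect to an attacker-chosen site.
    """
    host = (host_header or "").split(":", 1)[0].strip().lower()   # drop any :port
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    if not path.startswith("/"):
        path = "/" + path
    return f"https://{host}{path}"


def redirect_code(method: str) -> int:
    """301 for GET/HEAD. 308 for anything else, so a form POSTed to the old
    address is re-sent with its body instead of being silently turned into a GET
    (the data already crossed the wire in the clear; this just avoids losing it)."""
    return 301 if method.upper() in ("GET", "HEAD") else 308


class RedirectHandler(BaseHTTPRequestHandler):
    def _redirect(self) -> None:
        self.send_response(redirect_code(self.command))
        self.send_header("Location", https_location(self.headers.get("Host"), self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = _redirect


if __name__ == "__main__":
    # Port 80 needs root; 8080 is handy for a local try-out.
    HTTPServer(("0.0.0.0", 8080), RedirectHandler).serve_forever()
```

Your web server (Apache, nginx, IIS) can do the same thing with a couple of lines of configuration, and that is the normal way to deploy it; the logic to get right is the same either way: one permanent redirect per URL, nothing served over plain HTTP except the redirect, and no reflected hostnames.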
SSL certificates come in many flavours and some vendors use confusing marketing tactics to upsell you. That’s a pity, because underneath that is an excellent and very affordable technology.
So let’s recap:
- Cheap or free certificates offer great security.
- If you need to secure several subdomains, use a wildcard certificate.
- It’s probably not worth fussing much about the warranty.
- An OV certificate does nothing a DV certificate can't.
- An EV certificate offers only a cosmetic improvement, but maybe that cosmetic benefit is worth something to you.
If you care about your customers and their privacy, implement SSL on your website. It doesn’t need to cost a packet.