Why You Need to Secure Your Website with SSL & HTTPS

If you’re going to start spending money to market your website, first you need to make sure it’s marketable. You want to make sure if you spend money getting people to your site they will actually stay a while. The first step is to make sure your site is mobile friendly. Since most of your visitors are viewing your site on a mobile device, you want to make sure it’s easy to get around. But that’s not the only thing you need to check. You also want your visitors to feel safe and secure; like they can relax… put their feet up… crash on your couch… You do this by giving them a guarantee you are who you say you are, and by encrypting any information they enter into your website. And this all started when people first started using the Internet to conduct transactions.

Wait… did you say billion?

According to a tweet from Pizza Hut the first on-line transaction was for a pepperoni pizza in 1994. But there were online transactions before that. And in 1971 or 1972 students at Stanford and MIT used the ARPANET, the precursor to the Internet, to arrange a cannabis sale; though no financial information was transferred. Fast forward to today and, well, the numbers will just make your head hurt. On November 11th, 2017 Alibaba, China’s version of Amazon, grossed 25.3 billion dollars in 24 hours. But how can it be safe just entering your credit card number, or any information, into a web browser and clicking “Order Now”? (Yes, an argument can be made that it’s not safe — ever. But that’s a different blog.)

What makes a website secure?

Information sent over the Internet is not difficult to intercept. And originally it was all sent as plain text, so anyone could read it. Kind of like putting your credit card and contact information on a post card and mailing it out; anyone along the way could read it. What you would need to do is use your secret decoder ring to encrypt the data before writing it on the post card, and have your friend receiving the card use their ring to un-encrypt it. In 1994 Netscape developed SSL v2 for encrypting data sent over the internet. I don’t think they used a ring.

SSL stands for Secure Sockets Layer. As your data is packaged by your browser to send off to your favorite on-line store to get those new striped socks, this is the layer that adds the encryption. SSL has evolved a great deal over the years, with older, less secure versions giving way to newer, more robust versions. Now called TLS, or Transport Layer Security, the latest version was approved in March of this year.

In order for a website to use SSL/TLS to encrypt data it needs to have an SSL certificate — it needs to have the secret decoder ring. And how can you tell if it’s doing this? Your browser will tell you. If you visit a website that is correctly using SSL you should see a little lock icon next to the URL in the location window, and it should be green. Also, the URL should begin with https, not just http.

But I’m not selling pizza or weed on my website!

“Okay” you say, “but I’m not selling pizza or weed on my website. What do I need SSL for?” In the past, if you were not taking any sensitive information on your website, you didn’t need to have an SSL certificate. And most people probably couldn’t tell if you were properly using one anyway. But that’s changing…

Today, all kinds of data are being entered into websites, from login names and passwords to banking and medical information. And users are much more wary of entering their information online. And for all those who aren’t aware, Google has their back. To make the Internet a somewhat safer place Google has decided that all websites should be using SSL certificates. And Google has a way of getting what it wants.

How do you recognize a secure website?

Originally, your browser only told you when a site was secure. Now, not only will you see an indicator a site is using SSL and is secure, but also you will see an indicator a site is NOT using SSL and is NOT secure. It started slowly, with browsers marking pages as not secure. Then browsers started marking sites not using https: with a little icon that, when clicked, informed users the site was not secure. And in July of 2018 Chrome will start adding “Not secure” next to the URL of any pages not using https. Additionally, Google has added whether or not a site is secure as a ranking signal. So how well your site comes up in the search results in Google is also affected by not having an SSL certificate.

How do I make my website secure?

So buy a certificate, slap it on your website, and you’re all done! Well, not quite. You have to have a certificate in order to encrypt data, but then you have to access all data on your site via https and actually use the certificate. All data pulled into your site should be accessed only via https; your images, your style sheets, your script files, they all have to be accessed securely. And if you are pulling anything in from other sites, they will need to be pulled in via https as well. If you’re taking an existing site that has been around a while, and trying to make it secure, it may take a bit of work.

And remember, you’re not just letting your users know your data is encrypted, you’re also giving them a guarantee you are who you say you are. Part of the process of getting a certificate is the issuer validates who you are. But there are different ways of doing this, and not all certificates are created equal.

The certificates that are the easiest to get, and often free, are the ones that only validate that you have access to the domain you’re trying to secure. If you can make a change to the DNS record of the domain, or upload a file to that domain, then you will get verified. These generally only take a few minutes. There are also certificates that validate the organization that owns the domain, and extended validation certificates that require quite a bit of paperwork and can take days to process.

We need to secure our website – hand me that padlock.

Which one you need depends on what you are doing with your website. If you are not asking for any sensitive information, and just want to have basic security and be a secure site in Google’s eyes, then a domain validation certificate is all you need. But if you are asking your users to enter credit card numbers, banking data, medical data, or any other sensitive information then you would want an organization validated certificate or even an extended validation certificate. Not sure what you need? We can help.

You’re getting close to having a website worth marketing. You’ve made sure it’s responsive and mobile friendly. You’ve made sure it’s secure and your users know it’s a safe site to visit. There’s one more thing you need to consider. Is your site fast? Does it load quickly? You’re not making people wait are you? Cuz — they won’t. Next up, we’ll talk about speed. But right now, I’m kinda hungry for pizza…