What is HTTPS?
HTTPS stands for Hyper Text Transfer Protocol Secure. It's the same as normal HTTP (the language used by browsers and web servers to communicate), except that the secure version (accessed by putting https:// in front of the domain name) ensures that any communication between the browser and the server is encrypted.
Why should I use HTTPS?
There are quite a number of reasons for using HTTPS.
Capturing private or sensitive information?
If you are capturing information entered by your website visitors then you need to use HTTPS. You have:
- a moral and, highly likely, a legal obligation to keep visitors' information private,
- a technical challenge capturing sensitive information,
- resistance from website visitors.
My visitors are important to me
Of course they are... so if you do not secure your website then there are possibilities that data about you and/or your visitors can be used to reveal behaviours and identities about your website or your users. Although a single visit to one of your unprotected websites may seem benign, some intruders look at the aggregate browsing activities of your visitors to make inferences about their behaviours and intentions, and to de-anonymise their identity. For example, employees might inadvertently reveal sensitive personal information to their employers by reading unprotected articles about subject matter like health or medical conditions, gaming, alcoholism and more.
Search Engine Optimisation
Search engines are interested in one thing: delivering value to their users. The best way to do this is to offer quality results about reputable websites likely to satisfy the visitor so they come back and use the search engine again. One of the many elements the search engine will consider when making such an assessment is "how safe is the website for the visitor?". Search engines are starting to take this complex area increasingly seriously. Google, for example, has had a number of initiatives running for many years, combining automated processing with human curation to remove websites that are not acting in the best interests of their customers. A couple of examples include their Safe Browsing initiative, which shows how machines and software can be used to fight malpractice, and the Search Quality Evaluator Guidelines, which allow humans to feed into the process where machines can't.
All of the discussion so far means that major search engines like Google will penalise your website if you don't use a certificate.
Which Certificate is right for me?
As is the case with most things in life, situations are always more complex than they appear at first examination, and website certificates are no exception. Before we look at the differences between certificates, let's have a look at what they are and how they work.
What exactly is an SSL Certificate?
An SSL certificate is built around a pair of keys made up of randomly generated numbers. One is called the public key and the other the private key. The public key is, as the name suggests, in the public domain (it is the part carried in the certificate itself) and can be used to encrypt any message. To decrypt the message you must hold the private key, which stays on your server and is never published. Without the private key the communication (encrypted with a modern key pair) will not be decipherable, even with the help of significant computing power.
Where do I get a Certificate from?
Certificates are easily created. The tools are commonly available and they often only require the creator to answer 3 or 4 simple questions about the domain the certificate is for, who issued it and so on. You may be thinking to yourself, "well, that doesn't sound very safe; what's to stop someone creating a certificate for my domain and pretending to be me?". This is where the Certificate Signing Authority (CSA, more commonly just called a Certificate Authority or CA) comes into play. Modern software and systems capable of using certificates are aware of CSAs. These are organisations (and there are hundreds of them) that are trusted to issue certificates. Depending on the certificate, they have various checks they carry out to make sure you are the legitimate owner of the domain; they issue the certificate, you install it, and any browser accessing your website will trust it because the CSA is known to your browser.
What types of certificate are there?
There are broadly three types of SSL certificate:
1. Domain validated
Domain validated (DV) certificates are the most basic certificate, described above. The CSA has validated that you are the legitimate owner of the site and that your site is to be trusted. Domain validated certificates range in price from free to a few pounds per domain per year.
2. Organisation validated
An Organisation validated (OV) certificate is the same as a Domain validated certificate; however, the CSA carries out additional checks about the organisation. Once they have satisfied themselves as a result of these checks they will add the name of the organisation to the certificate, listed in the Secure Site Seal, giving your website visitors more confidence about your website. OV certificates vary in price but often start at £50 or £60 per domain per year and rise rapidly from there.
3. Extended validation
The problem with an Organisation validated certificate is that website visitors need to do a little digging to get the information. With extended validation (EV) the CSA will carry out extensive checks, including contacting you directly, to verify who you and your organisation are. Once issued and installed, any website visitor will be presented with your organisation in the browser bar, giving your visitors (and search engines) a lot of confidence about you and your website.
4. Wildcard certificates
Wildcard certificates come in all flavours: DV, OV and EV. They are called wildcard certificates because they allow the domain owner to add subdomains without the need to buy certificates for each subdomain. The most obvious use would be to secure your domain with and without the www., allowing users to visit your site by typing in https://www.ithinkfinance.com or by typing http://ithinkfinance.com. It is possible, with the use of Server Name Indication (SNI), to install multiple certificates on one IP address to achieve the same result; however, there is a cost and technology trade-off to be considered, as wildcard certificates attract a significant premium.
So what would you recommend?
We don't hesitate to recommend installing a certificate. Which certificate you get and from whom is quite another matter. It depends on your technology, your know-how and your budget. If you operate a YMYL website (Your Money or Your Life: Google's term for sites dealing with money, health and similar matters) then installing an EV cert should be a priority. For any other type of website we suggest you get a certificate from a provider that suits your processes and your pocket.
If you use cPanel then we would recommend using the Let's Encrypt plug-in. If you don't see it in your cPanel then contact your administrator and get them to add it. If you don't use cPanel and administer, or have someone who administers, your web server then there are quite a number of ways to automate the installation and renewal of your certificates. Best of all, it's completely FREE!
What else do I need to know?
When to add your certificate
If you are starting a new website then add your certificate as early on in the process as possible. This will reduce the possibility of things getting in a mess. If you use a Content Management System (CMS) like WordPress then it is important to try and add the certificate early, as WordPress starts to save information in its database referring to http:// rather than https://, which will cause you problems and could take some time to track down and fix.
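An added example (not WordPress's code or this guide's own) of the kind of check that finds the leftover http:// references this paragraph warns about. It runs over a constructed page of markup assumed to be what a migrated site serves, lists every plain-HTTP src/href, and upgrades the same-site ones while leaving third-party hosts alone.

```go
package main

import "regexp"

// SampleHTML is a constructed sample of the markup a site that was set up
// over plain HTTP typically emits once it has moved to HTTPS; it is not taken
// from any real site.
const SampleHTML = `<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<script src="http://example.com/wp-includes/js/jquery.js"></script>
<script src="https://example.com/wp-includes/js/other.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/logo.png">
<a href="http://example.com/about/">About</a>
<img src="http://cdn.example.net/banner.png">
</body></html>`

// plainRef matches src= or href= attributes whose value starts with http://.
var plainRef = regexp.MustCompile(`(?i)\b(?:src|href)\s*=\s*"(http://[^"]+)"`)

// FindPlainHTTP returns every http:// URL referenced from a src or href
// attribute, in document order. On an https:// page each one is either mixed
// content (a script, stylesheet or image the browser may block) or a link
// that sends the visitor back to plain HTTP.
func FindPlainHTTP(html string) []string {
	var urls []string
	for _, m := range plainRef.FindAllStringSubmatch(html, -1) {
		urls = append(urls, m[1])
	}
	return urls
}

// RewriteSameSite upgrades http://host references to https://host wherever
// the host is followed by a path, query, fragment or closing quote, and leaves
// third-party hosts alone because they may not serve HTTPS at all. It returns
// the rewritten markup and the number of references changed.
func RewriteSameSite(html, host string) (string, int) {
	re := regexp.MustCompile(`(?i)\bhttp://` + regexp.QuoteMeta(host) + `([/"?#])`)
	n := len(re.FindAllStringIndex(html, -1))
	return re.ReplaceAllString(html, "https://"+host+"${1}"), n
}
```

Running this over the rendered pages after migration shows what the browser will see; the stored URLs in the CMS database still need correcting at the source so the pages stop being generated this way.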
My website is already running without a certificate
That's OK; as long as you plan the addition of the certificate carefully then this should not be a problem. The key to a successful migration to HTTPS is plan, plan, plan! It is imperative that you plan the migration properly, as failure to do so can seriously affect your rankings. Search engines may push your pages down the index or remove the page altogether. For more information see our Guide to HTTPS Migration or read Google's thoughts about why you should use HTTPS.
Do certificates last forever?
No, certificates do not last forever. Certificates have to be renewed at intervals. How long they last is dependent on what type they are and where you get them from. Most certificates, especially OV and EV certs, generally last for 12 months. These need to be manually renewed. Renewal of EV certs is less time consuming than getting a new one (as the CSA already knows who you are) but should still be done in plenty of time to avoid the certificate expiring before a new one is ready for installation.
Other certificates, such as those from Let's Encrypt, tend to last for shorter periods but are renewed automatically, removing the need for you or your system administrator to get involved.
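To make the wildcard coverage rules in the "Wildcard certificates" section and the expiry checks above concrete, here is an added example (not code from this guide or from any certificate provider) that builds a throwaway self-signed certificate with Go's standard library and asks the two questions that matter for a site owner: which host names does it cover, and how many days are left before it needs renewing? The example.com names and the dates are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// SelfSignedCert builds a throwaway self-signed certificate for the given DNS
// names and expiry so the checks below can run offline. It is constructed
// test data, not a certificate a CSA would issue.
func SelfSignedCert(dnsNames []string, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames, // Subject Alternative Names: what browsers actually match against
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Covers reports whether a browser would accept cert for host. A wildcard
// entry such as *.example.com matches exactly one label, so it covers
// www.example.com but not example.com itself, nor a.b.example.com; the bare
// domain has to be listed separately if visitors type it without the www.
func Covers(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// DaysLeft returns the whole days remaining before NotAfter as of now.
// Zero means it expires today; a negative value means it has already expired.
func DaysLeft(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}
```

The same Covers and DaysLeft checks apply unchanged to a real certificate fetched from a live server with crypto/tls, which is how a renewal reminder would use them.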
Can I change my Certificate provider?
Absolutely! You are free to change your CSA whenever you want, although plainly this only makes economic sense when your certificate comes up for renewal. Bear in mind that changing your CSA if you are using OV and EV certificates means the new CSA will have to verify you from scratch which can take some time.
How does my CSA verify my organisation?
Each CSA will have their own process of verifying who you and your organisation are. They do this by contacting you and also by checking various public registers to see if the information you have provided when applying for the certificate is valid. If you are based in the UK then you are advised to ensure that your company is registered with at least one, if not two mainstream business directories like Yell.com, preferably in plenty of time before the check takes place.