According to several articles seen lately, Google plans to rank secure sites higher than those without SSL certification. The idea, apparently, is to provide an incentive to make the web a safer place. Great in theory, but in practice, not so much.
What Is SSL?
Secure Sockets Layer is an encryption protocol that is used by banks and other sites to keep financial and other sensitive data safe from prying eyes. You may not be aware that if a site is not protected with an SSL certificate, any data sent to the site goes over as plain text. It may be compressed by a process similar to creating a Zip file, but anyone can unzip the data and read it.
SSL was a hot topic a while ago when the Heartbleed security vulnerability was discovered. Unless you live in a cave somewhere, you likely saw all the news coverage and drama surrounding Heartbleed.
In any case, when you visit a self-proclaimed “secure site” and see that little lock symbol show up on your browser, you know you’re on a site secured with SSL. The URL prefix of “https” is also a good indicator.
Can You Use SSL?
In a perfect world, every site would use SSL. There are a number of reasons why more sites don’t use it. First of all, if your site is on shared hosting, like most are, you can’t have your own SSL certificate. An SSL certificate protects a single domain and IP address. If you’re on shared hosting, you have the same IP address as all the other accounts on the same server. Most shared hosts can provide a shared SSL certificate; however, you can’t use your domain with it. The shared certificate covers a domain that looks like the following:
http://username.webhostserver.com
While it can be useful in certain circumstances, for the most part, this won’t do what you need it to do.
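The name check behind this limitation, as an added example that is not part of the original post: a browser compares the hostname in the address bar with the names listed in the certificate and warns when none of them covers it. The certificate below is constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the wildcard entry for the host and the name `yourdomain.example` are assumptions.

```python
# Added example: the hostname check a TLS client applies to a certificate.
# SHARED_CERT is constructed sample data, not taken from a real server.

def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label (the RFC 6125 rule browsers follow).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse over-broad wildcards such as "*.com".
        if len(p_labels) < 3 or not h_labels[0]:
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        # Partial wildcards ("w*.example.com") are not accepted.
        return False
    return p_labels == h_labels


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if any DNS subjectAltName entry in the certificate covers hostname."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(name_matches(name, hostname) for name in dns_names)


# Constructed sample: a shared-hosting certificate issued for the host's
# own domain (assumed here to be a wildcard), not for the customer's domain.
SHARED_CERT = {
    "subject": ((("commonName", "*.webhostserver.com"),),),
    "subjectAltName": (
        ("DNS", "*.webhostserver.com"),
        ("DNS", "webhostserver.com"),
    ),
}


def report(cert: dict, hostnames: list) -> dict:
    """Map each hostname to whether the certificate covers it."""
    return {h: cert_covers(cert, h) for h in hostnames}


if __name__ == "__main__":
    hosts = ["username.webhostserver.com", "yourdomain.example"]
    for host, ok in report(SHARED_CERT, hosts).items():
        print(f"{host}: {'covered' if ok else 'NOT covered, browser warns'}")
```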
Update: If you’re willing to pay a few bucks more per month, you can buy a dedicated IP address for your shared account. This will let you purchase an SSL certificate to use on your shared account, but only on one domain. If you have multiple domains on your account, you’ll need to choose which one you want covered by the SSL cert. You would not be able to purchase multiple SSL certs to cover the other domains for the same reason as stated above for shared accounts: all your domains on that account have the same IP address.
SSL Certificates Aren’t Cheap
Reputable SSL certificates are fairly expensive and must be renewed periodically. You’ll need one for each domain you want to protect. The more reputable the provider, the more expensive the certificate will likely be. They can be had discounted occasionally, but the renewal won’t be at the discounted price, so the savings are only short-term.
It Matters From Whom You Get Your SSL Certificate
There are quite a few providers of SSL certificates to choose from. You can even sign (certify) your own private certificates; however, that is only useful for in-house networks, as no one else will recognize them. The purpose of the certificate, after all, is to assure visitors that your site is safe. The certificate provides that assurance if it’s been issued by a recognized provider. If the provider isn’t in the browser’s file of recognized providers, your site will display warnings or refuse connections altogether in some circumstances. Suffice it to say, it pays to go with a well-recognized supplier.
A Good Idea, But…
The idea of having all sites use SSL is a nice ideal to shoot for, but not practical for most website owners. Google is only providing a slight boost in rankings for sites with SSL protection which indicates that they acknowledge the burden it would place on small operators. At this point, it’s not something to be terribly concerned about.
Image © Pavel Ignatov – Fotolia.com
John —
My host, A2 Hosting, bragged about using SSL certificates for the websites they host — at least they did when I signed up. I just looked and I don’t see mention of that anymore. So if I’m reading correctly, my site on a shared server doesn’t benefit much because we’re all sharing the same SSL certificate, correct?
Thanks for another informative post.
Hi, Jeannette,
A2 does provide shared SSL certificates for all its shared servers. As I mentioned, this isn’t ideal because it doesn’t actually protect your domain, only the domain of the server and the subdomain that represents your account. In other words, instead of “https://writespeaksell.com”, it would be “https://youruser.a2server.com”. If someone tried to connect to https://writespeaksell.com they’d get messages saying that the site isn’t secure because the SSL certificate doesn’t certify your domain as secure.
In order to use A2’s shared certificate, your users would have to know the subdomain and domain for your hosting account, which, aside from being difficult to remember, makes setting up the redirection “interesting”.
In short, you aren’t doing anything on your site that really requires SSL so it’s not an issue, but if you really wanted to you could use the shared SSL certificate provided by A2.
Thanks,
John
John,
One of the things, though, that is really important is to be sure that the shopping cart you are using uses SSL. Many people are installing shopping cart software on their websites, and to me that brings up a big concern if their site does not have an SSL. My cart company uses an SSL and actually recommends that we purchase our own SSL to work with their cart, so that we can put the secure site badge on the site, etc.
Would love your thoughts / comments on these aspects of having an SSL.
Krystalya
Hi, Krystalya,
The shopping cart itself is less of an issue than the payment gateways supported by the shopping cart. SSL is for securing the data transmission between the browser and the site. That’s a good thing if you’re collecting customer addresses and other such data in the shopping cart for shipping physical goods. There is a whole different level of security required for financial transactions. If you were collecting credit card data in your shopping cart and processing the charges through your own merchant account, you’d need something like the Secure Electronic Transactions (SET) protocol enabled on your site. Getting SET implemented is not trivial, by any means. Fortunately, most payment gateways have taken care of that on their end. The shopping cart transfers to their site to collect the payment information and back to your site to complete the order. PayPal is a good example of this, but many other payment gateways operate the same way.
So, I agree, a shopping cart is a situation where SSL should be considered to protect the customer’s information. I need to update the post because I have found that you can get a private SSL certificate for a shared hosting account if you also buy a dedicated IP for your domain. A dedicated IP costs a few bucks more per month, but if you need SSL, it’s required.
I hope that helps clarify it.
Thanks,
John