Security is one of the biggest trends in technology these days. Whether it’s WhatsApp encryption or governments wanting access to encrypted devices, there’s a lot of talk about security and the importance of encryption. But one of the biggest pieces of technology being talked about in the security debate has been around for many years – Public Key Encryption. Specifically, SSL, or Secure Sockets Layer.
What is SSL?
SSL is the backbone of our secure Internet. It protects your sensitive information as it travels across the world’s computer networks. SSL is essential for protecting your website, even if it doesn’t handle sensitive information such as credit card data. It provides privacy, critical security and data integrity for both your websites and your users’ personal information.
We use SSL certificates on our website. You can tell when a site uses SSL because the address bar looks something like this.
Our address uses https:// at the start, instead of http://. The “s” means that the connection is protected by encryption, set up using an SSL certificate. The green padlock shows that your browser recognises the certificate as a valid, authenticated, trusted certificate. You usually get this when the certificate has been signed by an external organisation (a certificate authority).
The certificate effectively says “Hey, this website is using a secure connection. I am the server for cocode.co.uk and I want to communicate securely with you. This certificate has been signed by another company so you know you can trust us. Here are the details.” Your browser will look at the information and say “Oh, hey! I know this company! I trust them, so sure, we can talk securely!” Once that happens, everything between you and our server is encrypted, so most people snooping on our connection would not be able to see what’s going on. It would be like listening to people speaking in Klingon.
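To make that trust check concrete, here is an added Go example (not code from the original post, nor from Cloudflare or Let's Encrypt) that builds a private root CA, issues a certificate for cocode.co.uk, and then runs the checks a browser performs: is the certificate signed by a CA I already trust, is it within its validity dates, and was it issued for the hostname I am visiting? The CA name "Example Trusted CA" and the mismatched hostname example.com are made up for the demonstration, and Go's crypto/x509 stands in for the browser's verifier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn: a self-signed root CA when parent is nil, otherwise one signed with the parent's key, as a public CA signs a site's certificate.
func makeCert(cn string, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour), // 90 days, the lifetime Let's Encrypt issues
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		DNSNames:              dns, // the hostnames a browser is allowed to match against
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	signerCert, signerKey := parent, parentKey
	if parent == nil { // root CA: may sign other certificates, and signs itself
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signerCert, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// demo builds a made-up root CA and a certificate for cocode.co.uk, then runs the browser-style check (trusted root, dates, hostname) in three situations.
func demo() (trustedOK, unknownIssuer, wrongHost error) {
	ca, caKey := makeCert("Example Trusted CA", nil, nil, nil)
	leaf, _ := makeCert("cocode.co.uk", []string{"cocode.co.uk"}, ca, caKey)
	roots := x509.NewCertPool() // stands in for the browser's built-in list of trusted CAs
	roots.AddCert(ca)
	check := func(pool *x509.CertPool, host string) error {
		_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
		return err
	}
	return check(roots, "cocode.co.uk"), check(x509.NewCertPool(), "cocode.co.uk"), check(roots, "example.com")
}
```

Only the first check passes: a certificate from a CA the browser has never heard of, or one issued for a different hostname, is rejected even though the encryption itself would work, which is exactly why the padlock depends on who signed the certificate.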
With the disclosures over recent years of governmental organisations and spy agencies being able to view your traffic, as well as leaks of personal information, people are understandably nervous about their security. Services such as Google use SSL certificates throughout their sites and apply even stronger encryption to services such as Gmail, but smaller sites are getting into the SSL game too. Again, we use SSL on our sites, especially since we collect some personal information via our contact forms. This is sent to us over a secure connection and emailed to our machines, where we can view the data in a format we understand. Information on our servers is also encrypted to avoid any issues with hacks and data theft.
Why do we need them?
That is the most important question to ask – if we aren’t collecting credit card information, why do we need an SSL certificate in the first place?
Well, you have brought up a good point – “if we aren’t collecting credit card information.” If you are collecting any kind of credit card information, you need SSL installed on your site. It’s part of the compliance standards for the Payment Card Industry (PCI). But what if you’re not? What if you’re not even collecting feedback from visitors?
Many of the arguments for having SSL focus on whether you collect information of any kind, but there are some wider issues too, especially in places you might not expect.
Google keeps its SEO algorithms private, but it stated in 2014 that websites with valid SSL certificates are given a minor advantage over sites without, so if you have an SSL certificate on your site then you might be given a couple of extra brownie points for ensuring your site is secure. Google even called for HTTPS to be implemented everywhere. Chrome, Firefox and other browsers are starting to warn users about sites that are not secure, and visual cues to this effect could affect the people that visit your site. Whilst it may not seem like much, one could make the case that the more ubiquitous SSL gets, the more likely non-SSL sites will be seen as just scam sites.
A search for SSL certificates brings up a number of companies, with some providers selling certificates for anywhere from £10 per year to £1000s per year, and for a new website these costs can add up. With the fees these companies charge for certificates, how can a small site afford to be secure?
Free SSL certificates that aren’t a scam
Some companies may offer free SSL certificates but they might not be as trustworthy as others. SSL is based on trust and authentication, so you will want to use a provider that you can trust. Thankfully, there are at least two providers that are incredibly trustworthy and easy to install certificates from, even if you don’t understand all the technical jargon (although we do recommend having someone at least look at it). We use these providers as standard across all of our sites.
Cloudflare is a US-based company that provides a number of online services, including content delivery networks, internet security services and domain name services. They don’t sell domains, but they will allow you to route your web traffic through their servers to ensure the connection is secure and your website is protected. They are based in California and have offices across the world, including London, Singapore, Austin, Boston and Washington. They use a very clever system to encrypt your data and hide your company’s web servers behind theirs, acting as a firewall. In fact, back in February 2014, Cloudflare helped to mitigate the largest DDoS attack ever recorded at the time. In November that same year, there was an even bigger attack which Cloudflare helped to mitigate.
Long story short, they know their stuff.
Not only that, but their offices in San Francisco, California use a unique and very cool method to generate their security keys – lava lamps.
Their basic services are free of charge and include an SSL certificate verified against your domain. Setting up your domain is fairly easy, and there are guides on their website that will show you how to do this. SSL is then added at the domain level, which validates that the domain is yours: since you have to be able to change your server settings to route traffic through Cloudflare, they take that as evidence that you have some degree of ownership over the domain.
Let's Encrypt is another free service and is brought to you by the Internet Security Research Group. They are a non-profit certificate authority, validating SSL certificates on behalf of companies. Members of the group include people from the American Civil Liberties Union, Mozilla, Cisco, Google and the Electronic Frontier Foundation. A number of other large companies also support the organisation. They require a piece of software to be installed on the server to issue and renew certificates, although some providers offer services that don’t require this. Check whether your hosting provider supports certificates from Let's Encrypt.
We use both
When we create any website, we try to use both Cloudflare and Let's Encrypt. We have deployed them across all of our websites, and we use them even on our testing sites. Whilst these sites won’t leak much information, we feel that using SSL throughout all of our sites is a measure we are more than happy to adopt. Our web host supports Let's Encrypt on the server, so requesting a certificate takes seconds, and we use Cloudflare’s network to add additional protection to our sites. Setting these up is very easy and certificates are renewed automatically. You receive email notifications before a certificate is due for renewal, so you are always aware of any issues beforehand.
There’s a lot of information online about SSL certificates and why they matter, but we recommend checking out this YouTube video by TechQuickie, or you can check out the more technical explanations on Computerphile – Public Key Cryptography, Man in the Middle Attacks & Superfish, and End to End Encryption (E2EE) are the videos I recommend.
We include setting up SSL certificates for all of our clients as standard. If you want to learn more about what we provide, drop us a line by filling in our contact form and we will get back to you.