We’re getting our tech on and discussing why you might need SSL security on your blog! Website security is a particularly hot button issue at the moment with several high profile security breaches which have led to usernames, passwords, credit card information, and even social security numbers being plastered all over the web.
What is SSL?
You know the little green padlock on the address bar of your web browser? That is the evidence of SSL on a website. It’s also the reason why the beginning of your web address might read https:// rather than http://. In more technical terms, SSL means “Secure Sockets Layer”, and it is a technology that encrypts communications to and from your website.
Why might you need SSL on your website?
When an SSL certificate is installed on a website, it provides encryption of sensitive data and communicates that your site is trustworthy to visitors. SSL protects your website from a number of different kinds of possible security risks (including many types of hacks). It also verifies that your website is legitimate and not “phishing” or a fake mirror website designed to confuse or scam visitors.
While an SSL security certificate is essential for some types of websites, not all websites require one. So how do you know if your website needs one?
Since 2014, Google has been providing a small rankings boost to sites using SSL. Earlier this year, Google expressed a much stronger preference for SSL encryption, both as a way of improving web safety and because additional features being launched by Google, including additional location tracking and usage pattern tracking applications, will require at least SSL security. It has been forecast that Google’s Chrome browser (which has over 50% market share) will soon flag sites that are not employing SSL with a red padlock or a “site unsecure” banner. Look for similar moves from other web browsers.
The key questions for determining if you need SSL security on your website are these:
- What is the purpose of your site?
- What do you sell?
- What information are you collecting?
Your answers will help you make an informed decision about the need to install SSL security on your website.
For the first two questions above, it really boils down to asking one even more straightforward question: Are you selling products and taking credit card payments directly on your website?
If the answer is Yes, then you almost definitely need SSL security to encrypt the credit card information of your customers. There are some important exceptions and distinctions to make here. You may not need to install site wide SSL. By not “site wide,” I mean that you might install SSL security on ecommerce pages, including store, basket and checkout pages but not on the rest of your website. Traditionally, this has been less expensive, but may require just as much work at the outset as a site wide install.
There are some security commentators who suggest that if you are using a third party processor (like PayPal, Square, or Stripe) to accept payments then you don’t need SSL since you are not being paid by customers directly. This is true if all sensitive information (including credit card details) is collected and stored only by the third party payment processor.
What this looks like: a customer goes to the checkout page on your website to purchase the items they have selected. To pay, you send them to a 3rd party site, like PayPal, to fill out their payment information (including credit card details). PayPal charges the customer through their bank and sends the money to you. At no time does your website collect or store sensitive information.
But, if you collect the payment details (like credit cards) on your website and then send them to the processor, or collect the information to process using an independent Point of Sale (POS) system or charge it manually through a merchant account, then your customers are going to be looking for that green padlock and the https:// prefix, and you will need an SSL security certificate to ensure that the credit card data is secured during transmission.
What this looks like: a customer goes to the checkout page on your website to purchase the items they have selected. To pay, they go to a page on your domain and provide their payment information (including credit card details). After their transaction is completed their information is stored on your website, and you then send their payment information for processing to a payment processor. This could include PayPal, or Square, or Stripe.
The bottom line is that without appropriate security measures, if you are acting as an online merchant (operating an e-commerce website), you have a legal responsibility to ensure the information you collect from your customers is secure. SSL security can protect credit card information and other identifying information from being intercepted and misused.
Even if you do not have an e-commerce website, do you collect sensitive information on your website, including through forms?
If your website collects personal information through a form where the information is stored on your website servers and not on a secure third-party website (like an embedded form from a CRM), you might consider SSL security to keep that information secure from hacking or interception. If you don’t have SSL, any data submitted by website visitors through forms will be transmitted as plain text, making it vulnerable to hacking and interception. For any information that falls into the realm of HIPAA, speaking with a specialist cyber security professional is highly recommended.
Do you have a membership site? Or a Login page for some users?
Whether you have a paid membership site or simply allow for visitors to create an account to login, you should consider installing an SSL security certificate on the login page. Without SSL security, any usernames, email addresses, names, and passwords are transmitted as plain text. The lack of encryption means that they can be intercepted by a hacker at any point between the visitor’s computer and the server on which your website is located. If you provide the functionality that allows for the creation of an account and the storing of passwords and other information, you arguably also carry responsibility for protecting that information. While you might not feel like the hacking of your modest website poses a real risk, consider the broader systemic concern that many internet users reuse the same username, email and password combination for many websites; obtaining the information from your website might ultimately compromise the identity of the website user elsewhere online.
It should be noted that there are other possible options for creating a secure login form if you don’t want to use an SSL security certificate. These other options include OpenID, Facebook or Twitter Connect, DISQUS, or another technology that facilitates users authenticating and logging in on another site before returning to your website. This is similar to using a 3rd party payment processor and not storing any information on your own website server.
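To check your own pages for the plain-text risk described in the forms and login sections above, the following added example (not part of the original article) parses a page's HTML and reports forms whose sensitive fields would travel unencrypted. The function names, the choice of which input types count as sensitive, and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SENSITIVE_TYPES = {"password", "email", "tel"}  # assumption: what counts as sensitive

class FormAudit(HTMLParser):
    """Collect each <form> with its resolved action URL and sensitive fields."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._current = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "sensitive": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            kind = (a.get("type") or "text").lower()
            auto = (a.get("autocomplete") or "").lower()
            if kind in SENSITIVE_TYPES or auto.startswith("cc-"):  # cc-* = card fields
                self._current["sensitive"].append(a.get("name") or kind)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def plaintext_forms(page_url, html):
    """Return (action, fields, reasons) for forms whose data is exposed in transit."""
    audit = FormAudit(page_url)
    audit.feed(html)
    findings = []
    for form in audit.forms:
        reasons = []
        # An http page can be altered in transit, so its forms are unsafe
        # even when they post to an https URL.
        if urlparse(page_url).scheme != "https":
            reasons.append("page served over http")
        if urlparse(form["action"]).scheme != "https":
            reasons.append("form does not post to https")
        if form["sensitive"] and reasons:
            findings.append((form["action"], form["sensitive"], reasons))
    return findings

# Constructed sample page (not from any real site).
SAMPLE_URL = "http://blog.example/members"
SAMPLE_HTML = """<form action="/login"><input name="user"><input type="password" name="pw"></form>
<form action="https://pay.example/checkout"><input name="card" autocomplete="cc-number"></form>
<form action="/search"><input name="q"></form>"""
```

Calling `plaintext_forms(SAMPLE_URL, SAMPLE_HTML)` flags the login form and the card form but not the search box; the same HTML served from an `https://` address produces no findings.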
Is a shared SSL certificate sufficient?
Some hosting providers, including perhaps your own, include the use of a “shared SSL certificate” as part of their hosting packages. This can be a good option, if it doesn’t trigger errors on your website, and can protect login pages and forms. The disadvantages are that it is unlikely to indicate that your specific domain is secure, and may display a warning (depending on the browser). For securing credit card details, a dedicated SSL certificate is recommended.
When don’t you need SSL?
To clarify, not every website needs SSL security. For a blog with no e-commerce, no membership section, or anything except an embedded contact form and the blog posts themselves, SSL is way above and beyond anything that is necessary. Arguably, any SEO benefit conferred by Google for a website that has SSL installed is unlikely to be of any significance – and certainly not enough to justify the cost and maintenance.
We covered the 3 main reasons why websites need SSL.
- An E-commerce website that collects credit card information independent of a 3rd party processor.
- You are using forms that collect sensitive customer information.
- Your website – whether membership or portal based – requires some users to login using a user name and password.
We also talked about how you likely do not need an SSL security certificate if your website is not e-commerce based, or contains only information on products and services, and does not require your customers to login, or collect personal sensitive information.