The list of reasons for an ecommerce site to have an SSL certificate is concise: because it’s an ecommerce site. Over in one. Given that there is a significant downside that goes along with SSL certificates, owners of websites that aren’t in the business of requiring financial or payment information may not be entirely motivated to encrypt all communications between their server and users’ browsers, but in the next six months it’s going to become more important than ever to have a secure website. Here’s what you need to know about SSL, how it works, navigating the downside, and three big reasons even non-ecommerce websites need encryption.
With a standard website – one using HTTP – connections are established between browser and server using the TCP handshake: the browser requests the connection from the server, the server sends an acknowledgment of the request, and the browser sends back an acknowledgment of the acknowledgment. This simple process sets up the connection but encrypts nothing, and as a result data transmitted between a browser and server is susceptible to man-in-the-middle attacks, in which an attacker sits between the browser and server and eavesdrops on communications.
Secure sites use HTTPS instead of HTTP, and to qualify as HTTPS a site requires the use of SSL. SSL stands for secure sockets layer, a cryptographic protocol used to secure the communications between an internet user’s browser and a website’s server. It does so by securing the connection between browser and server with a more complex version of the TCP handshake. The SSL handshake uses the TCP handshake steps and adds in three more in order to choose a method of encryption, verify it, and then generate encryption and decryption keys. As a result, any would-be men in the middle will see nothing but unintelligible garble being exchanged.
In order to use SSL for encryption, a website needs an SSL certificate. SSL certificates contain an encryption key that is then placed on the website’s server and used for establishing connections. There are a number of different types of SSL certificates available, and the right one for each site depends on how many domains and subdomains need to be secured. SSL certificates are typically best purchased through a website’s hosting provider.
The slowed down downside
There’s a reason all websites don’t just give their users the added security of SSL. The SSL handshake is more involved than the TCP handshake, and it therefore takes longer, requiring three extra round trips to establish a connection. This translates to slower page load times, which translates to user frustration. According to a Kissmetrics survey, 25% of internet users will abandon a website for taking just four seconds to load, with page abandonment steadily climbing as page load time slows.
This decrease in website performance is by no means a fatal flaw, however. A secure website’s performance – as well as any website’s performance – can be easily improved with the use of a content delivery network, or CDN.
Why non-ecommerce sites need SSL too
Ecommerce sites need to protect the information being exchanged between browsers and servers for obvious reasons, but even non-ecommerce sites need to get into the encryption game. Here’s why:
Because personal data is just as lucrative as financial information
If not more so. While credit card companies and other financial institutions have taken major steps to combat fraud, thereby negating the value of financial and payment card information on the black market, other personal information like home addresses, social security numbers, healthcare information and email addresses and passwords still goes for big money on the dark web, making it an enticing grab for hackers, and an easy grab without encryption.
Because your search engine rankings will get a boost
Google prefers websites that are certified trustworthy, and since 2014 Google has been rewarding websites using secure communications with a boost in search engine rankings. This boost can be made even more significant with the use of a CDN which, as mentioned, reduces page load time.
Because Google will bust your site for not being secure
Starting October 2017, any HTTP site that can have any data input – including in search fields – will be labeled Not Secure in Google’s Chrome browser. Further, in the Incognito mode of Chrome, all websites using HTTP instead of HTTPS will be labeled Not Secure. Given that according to the US government’s Digital Analytics Program, Chrome currently owns 44.5% of the internet browsing market, the reputation hit associated with this warning could be significant.
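A site owner can inventory which pages would pick up the label described above. The following is an added example, not code from Google or from this article: it flags pages that are served over HTTP and contain a data-entry field. The set of input types treated as data entry, the function names and the sample pages are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: input types counted as "data input" (buttons, hidden fields excluded).
DATA_INPUT_TYPES = {"text", "search", "email", "password", "tel", "url", "number"}

class InputFinder(HTMLParser):
    """Collects form fields on a page that accept user-entered data."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "textarea":
            self.fields.append(("textarea", a.get("name", "")))
        elif tag == "input":
            # An <input> with no type attribute defaults to a text field.
            kind = (a.get("type") or "text").lower()
            if kind in DATA_INPUT_TYPES:
                self.fields.append((kind, a.get("name", "")))

def audit_page(url, html):
    """Return (flagged, fields). flagged is True when the page is served over
    plain HTTP and contains at least one data-entry field."""
    finder = InputFinder()
    finder.feed(html)
    is_http = urlsplit(url).scheme.lower() == "http"
    return (is_http and bool(finder.fields)), finder.fields

# Constructed sample pages (not taken from any real site).
SAMPLE_PAGES = {
    "http://blog.example/": '<form action="/search"><input type="search" name="q">'
                            '<input type="submit"></form>',
    "http://blog.example/about": "<h1>About</h1><p>No forms here.</p>",
    "https://blog.example/contact": '<form><input name="email">'
                                    '<textarea name="msg"></textarea></form>',
}

if __name__ == "__main__":
    for url, html in SAMPLE_PAGES.items():
        flagged, fields = audit_page(url, html)
        print(("NOT SECURE  " if flagged else "ok          ") + url, fields)
```

Feeding it the HTML of each page from a crawl of the site gives a worklist of pages to move to HTTPS first; even a lone search box on an otherwise static page is enough to be flagged.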
Equal opportunity encryption
With so many hackers sniffing around for valuable information and Google putting such an emphasis on secure communications, life on the internet has gotten more complex for website owners. However, life on the internet has also gotten more complex for internet users who need to be able to trust that their data is safe. Using SSL goes a long way towards protecting a website’s users, and it’s only going to become more necessary for sites of all types, not just ecommerce.