Our 2017 Internet Factbook found that 46% of Canadians would choose the internet over fast food for a year, which goes to show how much Canadians love being connected. But despite the convenience and entertainment that an internet connection can provide, the reality is that it's not all rainbows and cat memes. All too frequently we see cyberattacks and data leaks make the headlines and it feels like we're living in a Black Mirror episode. Canadians are (rightfully) concerned about handing over any personal data online.
If you run a website and collect any sensitive information through it—whether it's an email address, passwords, usernames, or credit card information—you have a responsibility to protect it. This is where SSL certificates come in. In this post, we'll go over what an SSL certificate is, why it's essential to get one, and how to get started.
This post was written with the help of our in-house expert on SSL certificates, Matt Larose, senior systems administrator at CIRA—read our Q&A with him to get his take on SSL and upcoming changes to Google Chrome.
What is an SSL certificate?
Even if you're not that familiar with what an SSL certificate is, you've probably noticed on your browser when a website has a green padlock icon and a “Secure” label in the top left corner. A Secure Sockets Layer (SSL) certificate authenticates the identity of a website and allows secure connections from a web server to a browser by encrypting information such as passwords. Websites with an SSL certificate get the added s, which stands for “secure” at the end of the “https” and are granted the green padlock on web browsers.
Why should you get an SSL certificate for your website?
Protect sensitive data
Without an SSL certificate, any data collected through your website is vulnerable to be intercepted by a nefarious third party, which is bad for your business and your website visitors. The 2017 Internet Factbook found that 44 per cent of Canadians are unlikely to continue making purchases from an online business if it suffers a cyber-attack. Once you lose your customers' trust, it's very difficult to gain it back. Getting an SSL certificate helps reduce the risk of any such cyber-attacks.
Essentially, an SSL certificate provides reasonable assurance to your users that they are connecting to your website, and not one that has been hijacked to look like your website.
It's now the standard
At the time of writing this post, Google Chrome currently displays a neutral information icon in the address bar if there is no SSL certificate. But be aware that in July 2018, the browser will start marking all of those insecure sites with an extra warning. Visitors will be put off by that ‘Not Secure” label and think twice before handing over any information on your website.
It's good for SEO
Google uses the presence of an SSL certificate as a search ranking factor and having one will give your website a ranking boost when people are performing online searches.
How do you get an SSL certificate?
To get an SSL certificate, you must contact a certificated authority (or “CA” – not to be confused with the .CA domain!). Typically, your Registrar or web builder of choice acts as your CA and can provide you with an SSL certificate to accompany your domain name. If your Registrar doesn't have this option, there are many other vendors you can choose from, such as letsencrypt.org, which offers free SSL certificates.
Types of SSL Certificates
It's important to note that there are several different types of SSL certificates, depending on the functions on your website.
Domain Validated (DV): Provides reasonable assurance that the services you're connecting to match the hostname you entered. This ensures that the purchaser of the certificate was in control of the relevant website at the time of issuance.
Organization Validated (OV): A higher level of validation, which validates that in addition to having control of the website at the time of issuance, that the organization exists in the public register and is a valid business concern.
Both DV and OV certificates have a “green” state.
Extended Validation Certificate (EV) (Organization Validated): Provides reasonable assurance that the services you're connecting to are provided by the legal entity controlling the service you expect. As you can see below, Shopify uses an EV cert. Which while showing green in the address bar, also displays the issuer's company name to provide an extra level of validation that the service can be trusted.
So … which one is right for my website?
For personal websites, a DV certificate should be suitable, for organizations providing marketing information an OV certificate is considered as a baseline. For data processing or e-commerce-focused sites, an EV certificate should be used. In all cases, each type of certificate is technically as secure as the last and prevent prying eyes from seeing your users' requests and only changes the amount of trust in the issuer.
So now that you know what an SSL certificate is and what it does, and learned some more acronyms to your tech know-how (there are never enough!), don't wait to get one for your website. This is one bandwagon you want to be sure to hop on!