Have you ever noticed that some URLs start with "http://" while others start with "https://"? Perhaps you noticed that extra "s" when you were browsing websites that require giving over sensitive information, like when you were paying bills online.
But where'd that extra "s" come from, and what does it mean?
To put it simply, the extra "s" means your connection to that website is secure and encrypted any data you enter is safely shared with that website. The technology that powers that little "s" is called SSL, which stands for Secure Sockets Layer.
In this post, I'm going to break down what SSL is, an updated version of Google Chrome that will soon flag websites which are not secure, and how you can evaluate and get SSL.
What is SSL?
First, let's start with a definition from SSL.com:
SSL is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browser remain private."
Let's break that down.
When you land on a website page that has a form, after that form is filled-in and you hit 'submit', the information you just entered can be intercepted by a hacker on an unsecure website.
This information could be anything from details on a bank transaction, to high-level information you enter to register for an offer. In hacker lingo, this "interception" is often referred to as a "man-in-the-middle attack." The actual attack can happen in a number of ways, but one of the most common is this: A hacker places a small, undetected listening program on the server hosting a website. That program waits in the background until a visitor starts typing information on the website, and it will activate to start capturing the information and then send it back to the hacker. Scary stuff that is no longer just is sci-fi movies.
But when you visit a website that's encrypted with SSL, your browser will form a connection with the webserver, look at the SSL certificate, and then bind together your browser and the server. This binding connection is secure so that no one besides you and the website you're submitting the information to can see or access what you type into your browser.
This connection happens instantly, and in fact many suggest is now faster than connecting to an unsecure website. You simply have to visit a website with SSL, and voila: Your connection will automatically be secured.
Everything You Need to Know About Chrome 62 and SSL
Google is getting ready to release a new version of their popular Chrome browser, version 62, which will begin to indicate that a page is not secure if it contains a form, but does not have SSL-enabled. Chrome has approximately 47% browser market share, so when this update is rolled-out a significant number of websites will be affected almost immediately.
According to recent HubSpot Research, up to 85% of people will not continue browsing if a site is not secure. In January 2017, Google rolled out a similar update that only applied to sites collecting sensitive information such as passwords or credit card numbers. With that in mind, users are now familiar with seeing this "not secure" warning, and per the research below will often leave a site because of it.
If you utilize incognito mode in your browser, Chrome will always indicate a page is not secure if it does not have a valid-SSL certificate installed. If you use Chrome outside of incognito mode then this "not secure" warning will only display when starting to enter information into a form.
This means that wherever you host content that contains a form, even if it's just asking for an email address, you should enable SSL. Keep in mind that if you have content hosted in different platforms, it will be important to talk to each of them and ensure SSL is setup before this Google Chrome update is live. In reality, if it's not cost prohibitive for you, it's best to enable SSL across your entire website regardless if a form exists on the page because it can have SEO benefits that we'll cover in the next section.
Over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We've seen positive results, so we're starting to use HTTPS as a ranking signal."
In addition, Google has publicly stated that two websites which are otherwise equal in search results, if one has SSL enabled it may receive a slightly rank boost to outweigh the other. As a result, there is a clear SEO benefit to enabling-SSL on your website, and across all your content.
How can I tell if my website has SSL?
When you visit a website with SSL, there are a few distinct differences that display within the browser.
2) You'll see a little padlock icon in the URL bar.
It'll show up either on the left- or right-hand side of the URL bar, depending on your browser. You can click on the padlock to read more information about the website and the company that provided the certificate.
3) The certificate is valid.
Even if a website has the "https://" and a padlock, the certificate could still be expired -- meaning your connection wouldn't be secure. In most cases, a site that displays as https will be secure, but if you encounter a site that asks for a lot of personal information it may be worth double-checking to be sure the certificate is valid.
To find out whether the certificate is valid in Chrome, go to view > Developer Tools. From there you will need to navigate to the security tab and you can see if the SSL certificate is valid, or expired. If you click the "View certificate" button you will be able to see more information about the SSL certificate and the specific date it's valid through.
How can I get an SSL certificate for my website?
The first step is to determine what type of certificate you need. For example, if host content in multiple platforms (on separate domains/subdomains) it may mean that you need different SSL certificates.
For most, a standard SSL certificate will cover your content, but for companies in a regulated industry -- such as finance, and insurance -- it may be worth talking with I.T. because there are specific requirements within your industry that specify the type of SSL certificate you need.
The cost of SSL certificates vary, but you can get a free certificate or pay a few hundred dollars per month to obtain a custom certificate. On the free side -- Let's Encrypt offers certificates at no cost but I would strongly recommend that you have someone knowledgable about the DNS and technical setup of your website to help with this. These certificates will also expire every 90-days, so you'll need to make sure they stay up to date.
Many other domain providers will sell SSL certificates that generally range from $50 to obtain a certificate for one domain, up to a few hundred dollars for multiple-domains. This process will be easier than using Let's Encrypt, but does have a cost associated with the certificate.
(HubSpot customers:If you're hosting content on HubSpot, SSL is available for free within this promotion. To find out more, contact your Customer Success Manager, orvisit our SSL page.)
One of the other key considerations is the validity period of a certification. Most standard SSL certificates that you purchase are available for one to two years by default, but if you're looking for longer-term options, then look into more advanced certificates that offer longer time periods.
WordPress Plugins To Help Install SSL
If you utilize WordPress to host your content and website, depending on your domain provider, you may need to obtain an SSL certificate and then install it. Here are a few plugins that can help you:
Really Simple SSL. Purchasing your SSL certificate is just the first step. This plugin helps you install it across your all your Wordpress content. There are premium versions available to help you install it across sites, and verify there are no warnings on your website. Premium versions run from $20 up to $145 for a full-service configuration and optimization of SSL.
Insecure Content Fixer. Once you have an SSL certificate and it's installed, your not quite done yet. If your website is built with any hard-coded references to "http", such as an image file, then it will show a warning when trying to load that securely. This plugin can help you find and fix anything coded that way so your site displays properly, and securely for visitors.
WP Force SSL. Ok, now that you're done obtaining SSL, installing it, and fixing any errors, it's time to make sure all your traffic sees the secure version of your site. This plugin will force all traffic to HTTPS so it only loads securely. I strongly recommend that you check for insecure content (also known as mixed content) before enabling this. Without checking for mixed content first your site may appear with warnings because of those insecure files.
(HubSpot customers:All files hosted within HubSpot File Manager are automatically encrypted with SSL, and in one-checkbox you can force all visitors to utilize the secure version of your site, no plugins required. To find out more, contact your Customer Success Manager, orvisit our SSL page.)
Originally published Oct 18, 2017 8:00:00 AM, updated April 20 2020