You’ve likely heard that you need an SSL certificate for your website to increase security. But you’ve also likely heard if you use SSL (also known as Secure Sockets Layer) it will decrease your site speed.
So, which school of thought do you believe? What is SSL anyway? And where should it sit in your long list of digital marketing priorities?
The truth is that not only is SSL important for your web safety and security, it has also been confirmed by Google as an SEO ranking factor. Not to mention how it can improve your site performance and build trust and authority with your visitors.
Just to complicate things even further (don't worry we're going to explain everything super clearly), there is actually a successor to SSL called TLS or Transport Layer Security.
TLDR: Your website needs to use SSL.
In this no-nonsense guide we'll answer the questions of what SSL is and why it matters for your business security and so much more. Buckle up because I’m going deep into the world of Internet jargon and coming out the other side with a clear understanding of all things SSL.
HTTP vs HTTPS
Before we dive into SSL certificates and why they matter, there is something basic you need to understand. And that is the difference between HTTP and HTTPS.
First up, the basic definition of HTTP is Hypertext Transfer Protocol. HTTP is essentially the protocol that determines how data is transferred between the host server and the browser a user is viewing the website on. In the early days of websites, HTTP was the protocol that was commonly used.
As you may have guessed, HTTPS is another type of Hypertext Transfer Protocol. The ‘S’ in HTTPS stands for Secure. Since 2014, when Google first indicated that HTTPS was a ranking factor in the algorithm, more and more websites have been making the shift from HTTP to the higher security HTTPS protocol, including Google itself.
But why is HTTPS better than HTTP? It comes down to security.
When you connect to a standard HTTP site, the data that is transferred between the server and web browsers is not encrypted via a security key, i.e. it is unprotected and can be easily intercepted and read by hackers. Data doesn’t transfer in a direct line and will bounce around multiple servers before it reaches the destination (either your browser when you are loading a site, or the web server in the case of eCommerce when you are making a payment or inputting personal details). This creates multiple opportunities for the data to be intercepted and read.
In an ideal world, there would be no data thieves with malicious intentions waiting to steal data from unsuspecting website visitors. But there are. And that’s why HTTPS is now the standard security protocol to offer a level of validation and security to the data transfer to the server.
The big difference between HTTP and HTTPS is that the data transfer via HTTPS protocols is encrypted on a secure connection. As the data bounces around between servers on its journey from the host server to the browser and back, it is scrambled so it isn’t as easily intercepted and read as with a less secure HTTP transfer.
What is an SSL certificate?
SSL stands for Secure Sockets Layer. To complicate matters further, Secure Sockets Layer has a successor, Transport Layer Security (TLS). While SSL/TLS are often used interchangeably, SSL protocol is still widely used instead of the newer Transport Layer Security protocol.
At a very basic level - the difference between the HTTP and HTTPS protocols is the absence or presence of SSL/TLS certificates.
An SSL certificate is a small data file that encrypts the information that transmits between web browsers and the web server. Even if a hacker is able to intercept the data, they will not be able to read it because it is transferred via a secure encryption.
In the interests of ensuring that you have as much information as required to understand SSL and TLS comprehensively, we're going to throw a big piece of jargon in here - asymmetric cryptography. This is the way SSL and TLS encrypt and decode data. Asymmetric cryptography is also known as public key cryptography. It uses two keys - a private key and a public key - to encrypt the data transmitted between the web browser client and server.
In the case of SSL and TLS, the public key is how the user encrypts and transmits their data to the server where the private key can decode it. Of course, for the average person, they would never know that they are transmitting their data via a public key to be decoded by a private key!
The SSL/TLS certificate is hosted on the website server, but it may give users the confidence that they are dealing with a trusted and secure business.
Consider an eCommerce website where customers are purchasing goods or services. In order to make a purchase, they must provide sensitive information such as their name, address, phone number and payment information such as credit card number. If the site they are purchasing from is not secure - i.e. running HTTPS protocols - it will be very easy for their information to be stolen.
Think of SSL/TLS as like a padlock for a website. Once a user enters your site, the padlock locks the door behind them, creating a secure and encrypted connection between their browser and your server. That’s not to say other users can’t also enter your site at the same time, but as they do, they get their own padlock to secure their data.
The padlock analogy is quite familiar to website users. You have probably even noticed it yourself. When you visit a secure HTTPS site with an SSL/TLS certificate, you will notice a little padlock icon in the browser address bar. This indicates a secure protocol is in place.
Without SSL protocol, a website - and the data transmitted across it - is vulnerable. And it’s not just Google and tech nerds who know it. Consumers know what to look for and are becoming increasingly savvy about how to protect their data.
It then becomes an issue of trust. If a user doesn’t spot the familiar padlock in the browser address bar, or even worse, they get a notification advising them that your website isn’t secure, they will be hesitant to proceed with any purchase.
The specifics of how SSL/TLS works are far more complex than this explanation. But for the purposes of understanding what SSL is and how it impacts your website and security, knowing that it keeps your website and user data safe through a secure encryption key process is enough.
The importance of SSL/TLS certificates in your SEO rankings
When Google says that something is a ranking factor in the algorithm, you better be sure that we sit up and listen. And so should you.
Having SSL/TLS on your website is never going to replace a solid SEO strategy. It’s not a secret hack that will bring you instant traffic overnight. Any SEO guide will tell you that isn’t possible. But what it will do is help with the overall picture of your search engine rankings.
It is one piece of a much bigger puzzle in building your organic web traffic.
So how does SSL protocol actually impact your SEO rankings? There are a number of ways - some direct and some indirect.
The first is that it gives you an edge, if you like, over the competition. Say two websites were on equal footing when it comes to SEO. They have both developed a solid, keyword-driven SEO strategy. They have optimized their page load speed and are actively implementing a backlinking strategy. If they had an equal ranking in the algorithm, but one had SSL/TLS enabled while the other did not, the SSL encrypted page would ultimately rank higher.
In other words, SSL/TLS can act as a tiebreaker between you and another page in the search rankings.
Remember that in determining the search engine rankings, Google is looking at a huge range of factors. They are looking at both on page - content, code, schema markup, internal and external links, page speed and mobile-friendliness - as well as off page - such as backlinks and social signals. But they are also looking at what users are doing while they are on your site.
If you have a high bounce rate, low time on site or low number of pages viewed, this will all impact poorly on your search engine rankings.
If more people can see your site because your SSL/TLS helps you appear marginally higher in the rankings then you have a better chance of capturing more traffic.
Also, if searchers can see that your site is secure they will be more likely to click through and spend time browsing or purchasing than they may on a non-secure site.
SSL/TLS on your site can have a flow-on effect to your search engine rankings. Not only are you enhancing your SEO but you are also sending the right signals to your users to build trust with them.
It’s a win/win.
In the end, it all benefits your website performance. The higher your rankings, the more traffic comes to your website. The more traffic that comes to your site, the more awareness, engagement and, hopefully, conversions you will have for your business.
Obviously, you need a website that is optimized for SEO and user experience to make all that happen, but if you don’t have SSL/TLS certificates, you are likely missing a crucial piece in the puzzle.
How SSL improves your page load speed
Before I move on I also want to address the myth that SSL/TLS has a negative impact on page load speed and so should be avoided. According to Pingdom, SSL certificates can actually improve page load speed.
One of the key reasons for this is that SSL works with HTTP/2, which is focused on improving site performance… resulting in faster page load times. If this is the thing that’s been preventing you from switching to HTTPS, know that when done properly, SSL is your friend in so many different ways.
Types of SSL certificates
Hold tight because I’m about to get a bit more detailed about what an SSL certificate is and the type of SSL certificates available.
At OMG, jargon isn’t really our thing but it’s important that you know the detail. It will be painless - I promise!
Essentially SSL certificates fall into three broad categories, each with its own classifications. The category and classification determine a number of things such as the type of encryption key used by the SSL/TLS, how expensive the SSL certificate is to obtain and how quickly it is issued.
Some industries or website types require a specific type of SSL certificate due to the level of encryption. For example, the type of SSL certificate required for a company in the heavily regulated banking industry is much more rigorous than the type of SSL certificate required for a simple blog.
Extended Validation (EV)
Extended Validation (EV) certificates are the most comprehensive - and expensive - type of SSL certificate.
In order to obtain an EV SSL certificate, you must prove ownership of the domain you are submitting. It can take 3-5 days for this to happen so it’s not a quick solution. But once you have the certificate, when a user lands on your website the certificate will show the padlock and HTTPS as well as your company name and the business’ country of origin.
If your website is an eCommerce site that processes credit card payments or you collect a lot of personal information and data from users, an EV SSL certificate is the way to go. Not only does the extra information attached to the SSL certificate help with building trust with customers but EV SSL also offers a higher level of encryption - 2048-bit to be precise - which offers an added level of security.
Organization Validation (OV)
A more cost-effective alternative to EV SSL is Organization Validation (OV). It is usually issued within about 24 hours so it is also faster to obtain than EV SSL.
In terms of the level of encryption with an OV SSL, you have a choice between 128-, 256- or 2048-bit encryption. Generally, OV certificates offer a medium level of encryption.
OV can be suitable for eCommerce and sites that collect sensitive information and credit card data… but it doesn’t have the same trust signals as EV SSL. By that we mean, while an EV SSL will show your business name and country alongside the SSL padlock, an OV SSL certificate will only show the padlock and your business name.
One thing I didn’t mention about EV certificates is that the browser address bar will also turn green to indicate that yours is a trustworthy site. This does not happen with any other type of SSL, including OV.
Domain Validation (DV)
The final category of SSL certificates is Domain Validation (DV). It is the cheapest and fastest type of SSL certificate to obtain, but it also offers the lowest level of encryption. In the browser address bar, a simple green padlock will appear to indicate your site uses a DV SSL certificate.
I would usually only recommend this type of SSL certificate for testing sites or non-eCommerce websites.
A DV SSL certificate is so easy to obtain because you don’t need to prove ownership of the site you are submitting, nor is any data vetted. For this reason, many phishing and scamming sites now obtain cheap DV SSL certificates in an attempt to appear legitimate.
It’s likely that as internet users start to wise up to this, they will be looking for the more trustworthy SSL indications that EV and OV SSL certificates offer.
There is some other SSL/TLS certificate terminology that you might come across in your travels.
The first is Wildcard SSL certificates. All this means is that if you purchase a Wildcard SSL certificate for a domain, the same certificate can also be used for subdomains under that domain.
Another term is Unified Communications (UCC) SSL certificates, which are otherwise known as multi-domain SSL certificates. These types of certificates can cover up to 100 domain names so are ideal for businesses that operate multiple trading names or domains. If you have more than one domain name, they can all sit under a single SSL certificate to make it easier to manage.
Finally, and perhaps most self-explanatory of the terms, is the Single Domain SSL certificate. As you can probably guess from the name, this type of SSL certificate will only protect one domain. Even if there are subdomains attached to the domain name, they will not be protected.
How can I get an SSL certificate for my website?
Now that you understand what an SSL/TLS certificate is and why you need one, let’s get into the nitty-gritty of how to get an SSL certificate for your site.
Firstly, you need to determine which type of certificate you require. Depending on your industry, this may be regulated so be sure to check before you start the process. You should also look at your structure and whether you require SSL certificates for multiple domains or subdomains. Consider the type of data you collect and the level of trust you want to develop with your customers.
One option is to then purchase the SSL/TLS certificate from your web host. The benefit of this is that they will be able to install it on your server with minimal fuss. If that isn’t an option, it will have to be manually installed either in house or by a third party.
This manual process involves:
Generate a digital Certificate Signing Request (CSR) on your server
Submit your CSR to a Certificate Authority (CA) who will verify and validate your request
Once validated, the certificate authority will send you the SSL/TLS certificate, which needs to be installed on your web server.
Once the certificate has been installed on your web server, you should check that it has been installed correctly. Also make sure you are aware of the expiry date of the SSL/TLS certificate so your site security doesn’t inadvertently lapse.
How can I tell if my website has SSL?
Now onto how you can check if your site's SSL is installed correctly.
For any website, there are two simple ways to tell if it has an SSL/TLS certificate installed:
The URL starts with https:// (instead of http://)
A padlock icon appears in the browser address bar
However, even if a padlock appears, the SSL certificate may have expired. If you are using a Chrome browser, you can click on the padlock to see more information about the SSL/TLS certificate for your site. You will be able to see information about who issued the certificate, the type of encryption key used and the dates the certificate is valid from and to. For EV SSL, you will also be able to view additional information that identifies your organization.
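The same checks can be scripted rather than clicked through. The following is an added example, not part of the original article: using only the Python standard library, it reports how many days remain before a certificate expires and whether a given hostname is covered by it, which is where the difference between single-domain and wildcard certificates shows up. The function names and the sample certificate (names and dates) are constructed for illustration.

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the names and dates are made up for illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "notAfter": "Mar 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the validated certificate of a live server (needs network access)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_left(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def covers(cert, hostname):
    """True if a DNS subjectAltName entry matches hostname.

    A wildcard stands for exactly one left-most label, so *.example.com
    matches shop.example.com but not example.com or a.b.example.com.
    """
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Mar  1 00:00:00 2024 GMT")
    print("days left:", days_left(SAMPLE_CERT, now))
    for h in ("example.com", "shop.example.com", "a.b.example.com"):
        print(h, covers(SAMPLE_CERT, h))
```

Against a live site, pass the result of `fetch_cert("your-domain")` to `days_left` and `covers`; an expired or mismatched certificate makes `fetch_cert` raise `ssl.SSLCertVerificationError` instead of returning.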
Don’t leave your website security to chance
There’s a lot at stake here. Not only can your search engine rankings take a hit because of your lack of SSL/TLS certificates, but so can the hard-earned trust you have with your customers.
You don’t want your website to be at the center of a data breach that impacts your users.
If you want to be sure that you are on the right track with your SSL certificate and optimizing your digital marketing strategy to get stellar results, contact us for a free audit worth $2k. We’ll look at your website, SEO, SEM, social media and email marketing to uncover the gaps and opportunities for your business.
We are the team you need on your side for evidence-based, data-driven digital marketing solutions. We can help you navigate the entire digital realm from ensuring your SSL/TLS certificate is set up properly to integrating your digital campaigns across multiple platforms.
From there we’ll create a six-month roadmap, the exact plan we will use to get your digital marketing firing on all cylinders.