While 2017 was a world ago now, we’ve had plenty of questions around the need for SSL certificates. October of that year was a huge month when it comes to advances in website security and Google is leading the charge. With the update to the Google Chrome browser all websites without an SSL certificate started to display a warning in the address bar informing all visitors that the site they are on is “Not Secure”. This was part of Google’s overall plan to improve and strengthen everybody’s online security.
This article will go through the business case behind utilising and even, if you are a developer, including SSL certificates on all websites.
Firstly we need to consider what an SSL certificate is and what it actually provides a website. Global Sign, a major company which deals with internet security and SSL certificates define them as “small data files that digitally bind a cryptographic key to an organisations details.” Basically SSL, or a Secure Sockets Layer, encodes a website and it’s data to help secure it against attacks and against compromising client information.
Historically this tactic was used to secure credit card transactions, data transfers and login information but has recently become the norm for securing general browsing.
It is also worth noting that this point that there are different levels, or grades, of SSL certificates. The most common is the lowest form SSL cert or the Domain SSL. This is where a certified authority checks the right of an applicant to use a specific domain name/URL. While this doesn’t perform any business checks it still meets the criteria of Google and anti virus software, as well as providing peace of mind to the consumer. While this level of SSL certification is enough for the majority of websites, and our clients, I believe that for larger organisations this should be a conversation at the sales level. I believe should be able to offer, in the proposal builder, a subscription for Organisation Validation or (OV SSL) and Extended Validation (EV SSL) certificates. The difference here being OV certs check the domain, plus organisational information, vetting the company. EV certifications go the next step checking and verifying the legal, physical and operational existence of an entity, this is also the level of authentication required and the SSL required to display a company name next to the URL in a browser. Such as:
I’ve always believed that each business is unique. Bringing this view to Mars Digital means we take the time to understand you and your business before going away, doing the research and coming back to you with our thought out recommendations and the reasoning behind them.
For me, it’s all about building a mutually beneficial partnership.
Without using SSL encryption it leaves a website vulnerable to attack. Without SSL attackers and spyware are able to steal a website user’s information. Not necessarily hack and alter a website but gain access to an active exchange of information between a computer/user and the website’s server.
While no major information such as credit card details are being transmitted on lead generation style websites, they are often used to collect personal information such as their potential customers names, email addresses, physical addresses and more. Without SSL this leaves your site vulnerable to attack and potentially being the reason a customer’s information was stolen.
Is there a downside to having an SSL certificate?
Yes, technically an SSL certificate can slow down a website’s performance. However this effect is negligible. An SSL file should be extremely small and data transfer should be near instantaneous. Granted when a user visits a website they first ask the server for the SSL, the certificate then verifies the site and makes sure it is legitimate and then provides the user access. So while this does slow down the response time of a website, we are talking ms.
This study shows that an in depth SSL certificate with a verification chain took a total of 800ms, considering that this is at the extreme end of what is required or the effect of an SSL it shows the downside is almost non-existent. You can read more about that here: https://insouciant.org/tech/ssl-performance-case-study/
While I cannot deny there is an effect to page load speeds when SSL is active, it is my opinion that the negative impact of having an SSL certificate is minor, but the benefits of having it are of a much greater importance.
So what is the benefit?
The most immediate benefit any client will see to having an SSL is that they gain trust with their viewers. A lot of internet users are weary of data theft and are aware of the https:// or secure protocol and expect to see this on genuine websites.
Therefore a user or potential lead is more likely to trust that the client is genuine and a real business is they see evidence of an SSL certificate.
On top of this Google is now giving priority to SSL certified websites, boosting the website’s performance is organic rankings. This also refers to ecommerce sites that have an SSL on the entire website and not just certain pages. While this boost isn’t drastic, it adds to the effect users have when seeing the insecure icon.
Expanding on this Google plans to punish websites without SSL certifications further. Eventually, all HTTP pages will be labeled non-secure, and the HTTP security indicator shown above will change to the red triangle/exclamation mark that Google uses for broken HTTPS. This will drastically affect the trust any user puts into a website.
Other than Google, many popular anti virus companies such as Norton / Symantec are now actively discouraging users from visiting websites that are not secured using SSL.
With SSL becoming more common and users becoming used to HTTPS as opposed to HTTP the number of instances where individuals manually type HTTPS before a URL is increasing, giving a rise in occurrence of the above error.
Beyond all this there is plenty of additional information that can be found on Google pretty easily. Especially by those who are somewhat security conscious with their website. For example an article on the LinkedIn website goes into detail about additional benefits provided to websites with SSL certifications that I have not mentioned in this document. https://www.linkedin.com/pulse/importance-advantages-ssl-certificates-jay-jones
On top of this the domain name giant Go Daddy explains the 5 key selling points of having an SSL certificate which Zeald would be able to incorporate into the general sales conversation. Stating that our websites come with an SSL certificate and studies have shown it leads to:
Why should you, as a developer, implement SSLs on all sites?
From the emotional point of view: if you see yourself or your company is seen as a leader in the industry by a lot of people it would be somewhat expected that you are able to tackle a change in industry standards. If you make SSL certifications a part of every website sold it not only gives your clients confidence in their choice of provider but can be used as a sales tool. It adds credibility in the market place, showing that you are able to adapt and are in front of any changes Google may impose.
The downside of not implementing a SSL strategy but continuing to leverage the fact you a Google Premier Partner or Google Partner is that when the change comes into play and all HTTP sites are punished, clients both existing and prospective are going to ask why didn’t you make some sort of change, especially considering you’re supposed to be the experts.
Coming purely from a numbers point of view: the basic SSL certificate is currently sold by Go Daddy costs $74.99 per annum which equates to less than 21c per day or $6.25 per month. This cost could easily be offset by the additional revenue gained by creating the market perception of being a proactive leader in the industry and consequently closing more sales due to this.
Ultimately it is my opinion that including SSL certifications for all websites is a future proofing exercise and honestly there is no excuse for not including a free SSL with every website you build and host.
Providing a client an SSL certificate at the sales stage as part of all website packages builds trust between the developer and the client as well as giving them additional value alongside the website build, potentially even giving us a competitive advantage over other web developers. Including an SSL in all builds can reduce the pain points for a client, even if they are paying extra for this.
After the sales process and once a build is completed the SSL certificate then provides the client a strong platform for building trust with their customers/clients and future proofs them against the upcoming changes that will be made by Google around this particular security measure. Not only would we be providing the client a high level of security but the benefits Google provides will help them achieve more sales and more revenue.