The A-to-Z Guide to Secure Sockets Layer (SSL) for Online Businesses

Article written by:
  • Hosting Guides
  • Sep 06, 2018

To build a relationship requires trust and this is much more intense for one in which the two sides most likely have and will never meet. Trust on the Internet is one of paramount importance, especially if that relationship is transactional; where money is involved. Even deeper than that is the fact that Data is the new gold, so almost everything we do on the net needs to be secure.

To build that relationship of trust is not easy, but there has been increasing pressure on website owners to create an environment that allows their users to feel secure. SSL certificates are one key means of doing this, since they assure users that the connection they have to that website is safe.

For the end user, all they need to verify this is a simple icon shown on their browser. For website owners, it’s a little more complicated, but doesn’t have to be.

Table of Content

 


 

FTC Disclosure

WHSR receive referral fees from companies mentioned in this page. Our opinions are based on real experience and actual server data. Please read our review policy page to understand how our host review and rating system works.

 


 

 

What is Secure Sockets Layer (SSL)?

SSL is a security protocol that assures users that the connection between their computer and the site they are visiting is secure. During a connection, lots of information passes between two computers, including what may be highly confidential data such as credit card numbers, user identification numbers or even passwords.

Under normal circumstances, this data is sent in plain text, which means that if the connection were to be intercepted by a third party, that data could be stolen. SSL prevents this by mandating an encryption algorithm to be used during the connection on both ends.

The padlock, or green padlock icon has become an assurance indicator to users that the website they are visiting takes their security seriously.

Indication of SSL on different Internet browsers.

 

Why do we need a SSL Certificate?

Originally the common question to ask was “Do we need a SSL certificate”.

And the typical answer would be ‘it depends’. After all, why would websites that did not need to handle sensitive financial-related data need to be so secure?

Unfortunately, as mentioned earlier, the age of digital has meant that aside of immediate cash, hackers today have increasingly begun to go after personal information.

The Google Factor

Recognizing this, beginning July 2018, Google will be labelling all standard HTTP pages as non-secure. This is important to recognize, because it means that sites recognized as being non-secure by Google might suffer a search ranking penalty. Websites thrive on traffic and if you’re not showing up on Google listings, then you won’t get much in terms of website traffic.

Tips from the pro

If there was a ranking improvement, it was negligible. Despite this, having SSL was still a smart move.

It’s a trust signal and it avoids the possibility of Chrome displaying ‘not secured’ on your site. And while the direct ranking benefits may be small at the moment, it’s possible that they may be more significant in the future.

I’d initially held off switching to SSL. I’d heard a lot of horror stories of traffic nose diving and not recovering. Fortunately this wasn’t the case. Traffic dipped slightly for around a week, then came back.

– Adam Connell, Blogging Wizard

According to the Google Online Security Blog, as of the beginning of 2018, over 68% of Chrome traffic on both Android and Windows has been protected and 81 of the top 100 sites on the web are already using HTTPS by default.

HTTPS connection via Google Chrome on different platforms.
Percent of page loads over HTTPS in Chrome by platform. 64% of Chrome traffic on Android is now protected. Over 75% of Chrome traffic on both ChromeOS and Mac is now protected. All three figures show significant increment compare to a year ago.

For now, you might not need an SSL Certificate yet, but it might be wise to seriously consider implementing one. Although at this point Google is only issuing warnings and penalizing search rankings, given the state of cybersecurity today, it likely isn’t going to stop there.

How SSL Works

Simplistically speaking, there are three main components in creating a connection;

  1. The Client – This is the computer that is requesting for information.
  2. The Server – The computer which holds the information being requested by the Client.
  3. The Connection – The path along which data travels between the client and server.
How SSL works - the difference between HTTP and HTTPS.
HTTP vs HTTPS connection (Source: Sucuri)

To establish a secure connection with SSL, there are a few more terms you need to be aware of.

  • Certificate Signing Request (CSR) – This creates two keys on the server, one private and one public. The two keys work in tandem to help establish the secure connection.
  • Certificate Authority (CA) – This is an issuer of SSL certificates. Sort of like a security company that holds a database of trusted websites.

Once a connection is requested, the server will create the CSR. This action then sends data which includes the public key to the CA. The CA then creates a data structure which matches the private key.

The most critical part of the SSL Certificate is that it is digitally signed by the CA. This is vital because browsers only trust SSL Certificates signed by a very specific list of CAs such as VeriSign or DigiCert. The list of CAs are stringently vetted and must comply with security and authentication standards set by the browsers.

Types of SSL Certificates

Browsers identify SSL Certificates (EV Certificate is shown in this image) and activate the browser interface security enhancements.

Although all SSL certificates are designed for the same purpose, not all are equal. Think of it like buying a phone. All phones are basically designed to do the same thing, but there are different companies that manufacture them and produce many different models at varying price points.

To simplify the matters, we break down the SSL Certificate types by level of trust.

1- Domain Validated (DV) Certificate 

Among SSL Certificates, the Domain Validated Certificate is the most basic and simply assures users that the site is safe. There is not much detail except for that simple fact and many security organizations do not recommend using Domain Validated Certificates for websites that deal in commercial transactions. The Domain Validated Certificate is the budget smartphone of the SSL world.

2- Organization Validated (OV) Certificate

Organizational Certificates holders are more stringently vetted are by CAs than Domain Validated Certificate holders. In fact, the owners of these certificates are authenticated by dedicated staff who validate them against government-run business registries. OV Certificates contain information about the business holding them and are often used on commercial websites and represent the midrange smartphones of the SSL world.

3- Extended Validation (EV) Certificate

Representing the highest level of trust in SSL rankings, EV Certificates are opted for by the best of the best and extremely stringently vetted. By opting to use EV Certificates, these websites are buying deeply into consumer trust. These are the iPhoneX of the SSL world.

The fact that SSL Certification has become so highly recommended today, many fraud websites have also taken to using SSL. After all, there is little difference to the websites, except for the green certification padlock. This is the key reason more reputable organizations are going for SSL Certification that are more highly vetted.

Since any successful SSL connection causes the padlock icon to appear, users are not likely to be aware of whether the website owner has been validated or not. As a result, fraudsters (including phishing websites) have started to use SSL to add perceived credibility to their websites. – Wikipedia.

How to Choose the Right Certificate Authority

Certificate Authorities are like private security companies. They are the ones who issue digital certificates that facilitate the SSL establishment process. They also belong to a limited list of businesses that meet detailed criteria to maintain their place on that list. CAs who maintain their place on that list can issue SSL Certificates –  so the list is exclusive.

The process is not quite as simple as it sounds, since before a certificate can be issued, the CA must check the identity of the website applying for it. The level of detail in those checks depend on what type of SSL is being applied for.

The best CA is one who has been in the business for some time and follows best practices in business, not only for itself but also for any partners associated with the business. Ideally, they should also be able to demonstrate proven expertise in the field.

Look for a CA that stays up to current standards, are actively involved in the security industry and has as many resources as possible that support their customers.

A good CA would also;

  • Have reasonably short validation times
  • Be easily accessible to its customers
  • Have great support

List of Reputable SSL Providers to Consider

* Note: Features are reflective of basic plans offered by the service providers. For detailed plans please visit the individual service providers.

1- SSL.com

Already providing SSL certificates to major organizations such as Cisco and HP, SSL.com has been in the business for close to 20 years now.

This strong history is backed by a warranty with each certificated issued, the amount of which depends on the certificate you purchase, ranging from $10,000 to $2 million.

SSL.com

Notable Features

  • Automated Validation
  • 99% Browser Compatibility
  • Unlimited Server Licenses
  • Unlimited Reissuances and Key Pairs
  • Includes WWW
  • Activates SSL Secure Site Seal
  • 2048-bit encryption
  • 30 Day Unconditional Refund
  • 90-day Courtesy carryover coverage

Price from $36.75/year

Site: https://www.ssl.com 

 


 

2- Comodo

Already known as a cybersecurity solutions provider to both businesses and consumers, Comodo covers all levels of user interest, from individuals to large scale enterprises.

Offering up to 2048-bit encryption, Comodo certification is trusted and comes with phone support and up to $250,000 in warranty. You can get their packages for as little as $99.95.

Comodo SSL

Notable Features

  • Fast online automated validation
  • 256-bit Encryption, 2048-bit root
  • 99.9% browser recognition
  • SSL certificate management tool
  • PCI scanning service
  • Trustlogo site seal
  • Phone, mail and web support
  • Website vulnerability scanning
  • 30-day money-back guarantee

Price from $99.95

Site: https://www.comodo.com

 

* Note: Comodo SSL is also sold directly at InMotion Hosting and Hostgator – you can purchase directly from your web host. 

 


 

3- GoDaddy

A name that many website owners already know and trust, GoDaddy has complemented its services with SSL certificates that go for as low as $75.15. As it sells its web hosting packages, there are also opportunities for discounted initial purchases of SSL Certificates which cost more upon renewal. This makes GoDaddy a good one-stop service provider for website owners.

Godaddy SSL

Notable Features

  • Secures one website
  • SHA2 & 2048-bit encryption
  • Available in DV, OV and EV SSL Certificates
  • EV SSL turns browser bar green
  • McAfee SECURE trustmark

Price from $75.15/year

Site: https://www.godaddy.com/

 


 

4- NameCheap

Another web hosting and domain name provider like GoDaddy, NameCheap offers the full gamut of SSL certificates so you’ll find something there no matter what your requirements or budget. Standard Domain Validation certificates start from $8.88 per year, but there are also premium certificates that go for up to $169 per year.

Notable Features

  • Domain Validation
  • Single Domain
  • 256-bit encryption

Price from $8.88/year

Site: https://www.namecheap.com/security

 


 

5- DigiCert

One of the oldest and strongest names in SSL, DigiCert is used by most of the top dogs on the Internet including Microsoft, Wikipedia and Amazon.com. They too offer up to 2048-bit encryption and clock in at $175 per annum at the lowest end.

Notable Features

  • 24/7 support
  • 256-bit encryption
  • Trusted by over 99.9% of browsers
  • Highest-rated CA for customer service worldwide
  • Free reissues and replacements for the lifetime of the certificate

Price from $175/year

Site: https://www.digicert.com

 


 

6- GeoTrust

GeoTrust is also an industry stalwart and a good option for those who might balk at DigiCert prices. Basic protection starts from $149, with a $500,000 warranty even with the most basic option. More than 100,000 customers in over 150 countries have committed themselves to GeoTrust protection.

GeoTrust SSL

Notable Features

  • Up to 256-bit Encryption
  • 2048-bit root
  • Alternative Name (SAN) multi-domain support
  • Fast Domain Validation
  • 99+% browser compatibility
  • $500,000 Warranty

Price from $149/year

Site: https://www.geotrust.com/

 


 

7- Network Solutions

With SSL certificates starting from $59.99 per annum, Network Solutions is impressive because it comes with a warranty of $10,000 even at that price. However, they do enforce a 2-year lock in period, but that shouldn’t be a major problem. The company operates under the web.com group.

Notable Features

  • Domain Validation
  • 256-bit Encryption
  • Fast certificate validation
  • $10,000 Warranty

Price from $59.99/year

Site: https://www.networksolutions.com/

 


 

Who to buy from?

There are SSL Certificate issues and then there are SSL Certificate experts. Choosing the lowest bidder might be slightly easier on your wallet, but like I’ve mentioned many times over in this article, it’s a matter of trust.

Think of who you would rather buy a product from – for anything else – then consider your options on SSL providers. Also, beyond the price, make sure that the features offered are also compatible with your needs. Aside from the certifications and trust, different providers offer different levels of support. Look beyond the hype and fancy names and go for what you really need.

 


 

Free SSL: Let’s Encrypt

For those of you who are running personal or hobby sites, or anything that’s non-commercial, there is an out for you that is nonetheless acceptable to Google.

Let’s Encrypt is a trusted CA that is open and free to use (). Unfortunately, it only issues domain- or DNS-validated certificates with no plans to extend this to OV or EV. This means that their certificates can only validate ownership and not the holding company. If you’re a commercial site, that’s the major drawback.

Let’s Encrypt is pre-configured at certain hosting companies (for example- SiteGround and A2 Hosting). If you plan to go with Let’s Encrypt Free SSL, it’s best to host with one of these web hosts.

Standard Let’s Encrypt SSL is free with all hosting accounts and auto-installed to all domains with SiteGround.

Users can switch to HTTPS (using Let’s Encrypt at Siteground) in just a few simple clicks.

To check your free standard Let’s Encrypt SSL certificates at SiteGround, login to cPanel > Security > SSL / TLS Manager > Certificates (CRT).

Starting from March 29, 2018, Let’s Encrypt Wildcard SSL is also included (free) in all SiteGround hosting accounts. This would be a time saver for site owners who are running on multiple sub-domains (mail.domain.com, billing.domain.com, etc). Learn more in my SiteGround review.

How to Install a SSL Certificate

SSL Installation for cPanel

Procedures:

  1. Under ‘Security’ options, click on ‘SSL/TLS Manager’
  2. Under ‘Install and Manage SSL’, select ‘Manage SSL Sites’
  3. Copy your certificate code including —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– and paste it into the “Certificate: (CRT)” field.
  4. Click ‘Autofill by Certificate’
  5. Copy and paste the chain of intermediate certificates (CA Bundle) into the box under Certificate Authority Bundle (CABUNDLE)
  6. Click ‘Install Certificate’

* Note: If you are not using a dedicated IP address you will have to select one from the IP Address menu.

SSL Installation for Plesk

Procedures:

  1. Go to the Websites & Domains tab and choose which domain you’d like to install the certificate for.
  2. Click ‘Secure Your Sites’
  3. Under the ‘Upload Certificate Files’ segment, click ‘Browse’ and choose the certificate and the CA bundle files necessary.
  4. Click ‘Send Files’
  5. Go back to ‘Websites & Domains’ then click on ‘Hosting settings’ for the domain you’re installing the certificate on.
  6. Under ‘Security’, there should be a drop-down menu for you to select the certificate.
  7. Ensure the ‘SSL Support’ box is checked.
  8. Make sure you click ‘OK’ to save changes

To validate if your installation was successful, you can use this free SSL validation tool.

Update your website’s internal links

If you check your website’s internal links you will notice that they are all using HTTP. Obviously these need to be updated to HTTPS links. Now in a few steps we’ll show you a way to do this globally using a redirection technique.

However, it is best practice to update your internal links from HTTP to HTTPS.

If you’ve got a small website with just a few pages that shouldn’t take too long. However if you have hundreds of pages it would take ages so you’d be better off using a tool to automate this to save time. If your site runs on database, perform database search and replace using this free script.

Update links pointing to your site

Once you switch to HTTPS if you have external websites linking to you they will be pointing to the HTTP version. We’ll be setting up a redirection in a few steps time, but if there are any external websites where you control your profile then you can update the URL to point to the HTTPS version.

Good examples of these would be your social media profiles and any directory listings where you have a profile page that’s under your control.

Setup a 301 Redirect

OK onto the techie bit and if you’re not confident with this type of thing then it’s definitely time to get some expert assistance. It’s pretty straightforward and doesn’t take much time at all in fact, but you just need to know what you’re doing.

With a 301 Redirect what you’re doing is telling Google that a particular page has been permanently moved to another address. In this case you’re going to tell Google that any HTTP pages on your site are now HTTPS so it redirects Google to the correct pages.

For most people who use Linux web hosting this will be done through the .htaccess file (see code below – as per Apache recommendation).

 ServerName www.example.com
Redirect "/" "https://www.example.com/"

Update Your CDN SSL

This is actually an optional step because not everyone uses a CDN. CDN stands for Content Delivery Network and it’s a geographically distributed set of servers that store copies of your web files and they present them to your visitors from a geographically close server to improve the speed that it loads for them.

As well as performance improvements, a CDN can also offer better security because it’s servers can monitor and identify malicious traffic and stop it reaching your website.

An example of a popular CDN is Cloudflare.

Either way, just ask your hosting company if you are using a CDN. If you aren’t fine, just move on to the next step.

If you are then you need to contact the CDN and ask them for instructions to update your SSL so that their CDN system recognizes it.

Common SSL certificate errors and quick solutions

1- SSL Certificate not trusted

Almost all browsers in widespread use such as Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari have built in repositories that are used to recognize trusted SSL Certificates.

If you’re getting a message stating that a site has a certificate which is not trusted, exercise caution as that is likely to mean that the certificate present was not signed by a trusted CA.

2- Intermediate SSL Certificate missing

This error is often caused by an incorrectly installed SSL Certificate. Errors during the installation procedure may lead to some SSL connection errors. There should be a ‘chain of trust’ meaning that all necessary components in the signing process should run unbroken.

If you’re a website owner and encountering this error, try referring to the section I’ve covered on ‘SSL Installation’.

3- Problems with Self-Signed Certificates

To circumvent SSL issues, some website owners create their own SSL Certificates. This is possible, but do not make much of a difference since it won’t be signed by a trusted CA. The only time that self-signed certificates are likely used are in test or development environments. Sites with self-signed certificates will not be shown as secure.

4- Mixed Content Errors 

This is a configuration problem. For SSL Certificates to work, every single page and file on your site should be HTTPS linked. This includes not only pages, but also images and documents. If a single page is not HTTPS linked, the site will encounter a mixed content error and revert to HTTP.

To avoid these problems, make sure your links are all updated with HTTPS links.

Conclusion

At the end of the day, SSL Certificates are a win-win situation. Yes, it may be forced upon us by big businesses such as Google, but there’s really very little downside.

For a small price, you can assure customers of the security of their data and privacy. Customers on the other hand, can regain faith in digital technology, a field that has increasingly been blighted by Hackers, Spammers and other Cybercriminals.

eCommerce is one of the key pillars towards the digital economy and has helped increase cross-border trade now more than ever before. By keeping data safe and secure, as website owners you can personally contribute to Internet security too.

Lastly, when choosing your SSL, try to avoid just keeping your eye on the price and do your best to always revert to one simple word when you’re feeling lost or confused; Trust.

Article by Timothy Shim

Timothy Shim is a writer, editor, and tech geek. Starting his career in the field of Information Technology, he rapidly found his way into print and has since worked with International, regional and domestic media titles including ComputerWorld, PC.com, Business Today, and The Asian Banker. His expertise lies in the field of technology from both consumer as well as enterprise points of view.

Get connected: