Is it necessary to use the HTTPS protocol on your website or web application? And what about having an SSL certificate?
Have you ever asked yourself this question?
Or maybe you think that an SSL certificate is useless for small projects?
Well, this article will try to explain what an SSL/TLS certificate is and why you should always have one.
You know, the green padlock in the browser that tells you that the web application you are running is secure.
The way the public most often recognises an SSL certificate is as the thing that triggers the little green padlock, or maybe the green bar, at the top of their web browser. This indicates that the web page is using HTTPS for secure communication.
The most basic way to communicate on the web is to use HTTP.
The term HTTPS stands for 'HyperText Transfer Protocol Secure' and is the secure version of HTTP.
It is used for secure communication over a computer network, and it is widely used on the Internet. In HTTPS, the communication is encrypted using Transport Layer Security (TLS) or, before that, its predecessor, Secure Sockets Layer, which is what SSL stands for.
As the S in HTTPS stands for 'Secure', it adds a layer of security to HTTP.
In fact, HTTPS has existed since the existence of the internet. It was usually used to encrypt sites with financial transactions, but with the internet constantly evolving and the amount of confidential information we share online, over time people have started to use HTTPS.
Well, a certificate certifies ownership of a public key, so we need to know information about who owns it. Usually we have the organization, URL, state and country, and also the validity period of the certificate.
Yes, certificates are not valid forever. They are certified for a certain period only and they are certified by an original issuer.
It’s like someone saying: YES, I will validate the fact that this organization, this URL, has this public key. So, all this basic information and some of the technical details, like the type of encryption used, will all be put into a file, a certificate file, and it's usually a file that ends with the .crt or sometimes the .cer extension. Now, the contents of this file will not be easily readable by you. If you open one of these files, you will see something that looks like this.
In fact it is an encoded version of this information, and it can be decoded.
You can take it to a website, or you can run tools on your computer that will decode it. It's a way to compress it and make good machine-readable code that can be easily passed over the internet.
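What decoding a certificate file looks like in practice, as an added example that is not part of the original article. It assumes the `openssl` command-line tool is installed, creates a throwaway self-signed certificate (Example Org and www.example.test are constructed sample values), and prints the fields described above.

```shell
#!/bin/sh
# Added example: create a throwaway self-signed certificate and decode it.
# All names (Example Org, www.example.test) are constructed sample values.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CERT="$WORKDIR/demo.crt"

# Generate a key pair and a certificate that is valid for 90 days.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/demo.key" -out "$CERT" -days 90 \
        -subj "/C=CA/ST=Quebec/O=Example Org/CN=www.example.test" 2>/dev/null
}

# Print one decoded field: subject, issuer, startdate or enddate.
cert_field() {
    openssl x509 -in "$CERT" -noout -nameopt RFC2253 "-$1"
}

# Exit status 0 if the certificate is still valid N seconds from now.
valid_in() {
    openssl x509 -in "$CERT" -noout -checkend "$1" >/dev/null
}

make_demo_cert
head -n 2 "$CERT"        # the encoded form: a PEM header line, then base64 text
cert_field subject       # who owns the public key
cert_field issuer        # who vouches for it (itself here: self-signed)
cert_field startdate     # start of the validity period
cert_field enddate       # end of the validity period
# Technical details: the signature algorithm and the public key size.
openssl x509 -in "$CERT" -noout -text | grep -E 'Signature Algorithm|Public-Key'

if valid_in 0; then echo "valid today"; fi
if ! valid_in $((91 * 86400)); then echo "no longer valid 91 days from now"; fi
```

On a certificate issued by a certificate authority, the issuer line names that authority instead of repeating the subject.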
Here are a few reasons that totally justify that "Yes, an installed SSL certificate is important on all your websites".
When we talk about secure communication, we're talking about confidentiality and data integrity. That means that someone cannot intercept your data and see what is being sent through the browser, nor can they change it while it is in transit.
Without an SSL certificate, all data exchanged online, such as credit card information, passwords, etc., can be easily intercepted.
Your users are the first to be informed when they visit, because the browser will give them different notifications such as:
Would you prefer to sleep in an open forest with lots of wild and hungry animals or in a protected house with security guards in the same forest?
In any case, I will choose the house, and yes, I prefer not to imagine myself as a meal.
For many users (I admit I'm one of them) here's how it feels to be on a website without any SSL certificate:
With an SSL certificate you send the message of a responsible company that takes its visitors seriously. Without one, it seems like you don't think highly of your own brand and you are not really concerned with the safety of your visitors. Like it’s too much effort for you to install an SSL/TLS certificate.
Certificates tell us something about the identity of the person who has the particular public key. And beyond that, they also tell us something about the reliability of that person. Now, there are all kinds of issues related to identity and reliability.
Google has inevitably changed the game in the field of web security. First of all, in January 2017, Google Chrome made a change and started marking all HTTP pages, i.e. unsecured pages, that have a password or a credit card field, as unsecured, just to give an important warning.
"Hey user, this page you're about to put your password or credit card on, it's not a secure page."
In October 2017, they took another step forward, and started marking any page with a form on it as not secure, and also, if you thought you were in Incognito mode, and could browse privately, they also marked those pages as not secure.
Then in July 2018, they took another step forward, and they marked all HTTP pages as insecure. Their overall goal is to help users understand that HTTP sites are not secure.
Then they decided that if your site is not on HTTPS, it should be among the lower-priority sites to display.
In fact, they are not the only ones: all the others, like Bing, Yahoo, etc., do the same, so you have to update your site protocol.
With Let's Encrypt you have no more financial reason not to have SSL certificates because it is totally free.
Let's Encrypt is a project of the Internet Security Research Group, a consortium supported by many of the leading technology companies, which was launched in April 2016 with the goal of making all web servers use HTTPS.
They recently announced that they have more than 837 million active certificates, and that number is growing rapidly. This means that HTTPS has never been easier to implement than it is today.
For paid solutions you can visit ssls.com which offers the best prices in the world, I believe, but there are also many others.
With an SSL certificate you protect your users or visitors, your data and of course yourself.
This factor is also a key factor in terms of SEO, and the speed of loading pages in HTTPS is better than in HTTP.
To summarize, the SSL certificate protects your data, confirms your identity, improves your search engine ranking and enhances your brand image, and all of this you can get for free if you wish.
Actually, saying SSL is a bit of a misuse of language, because everything we have been talking about above is TLS.
TLS, or Transport Layer Security, is considered to be a superior version and much more widespread than SSL.
TLS has now been around five times longer than SSL, and nobody really uses SSL to communicate anymore; they use TLS, but we still call them SSL certificates.
Mostly they are SSL certificates, but some people call them SSL/TLS certificates. Some people just call them TLS certificates. Others try to avoid including the protocol and just call them digital certificates. Or because they certify the public key, you may see them called public key certificates, or because they certify the identity of the person who has the public key, you may see them called identity certificates.
These are all valid names, they are all interchangeable. However, SSL is the most common name you will see on the market, but you should recognize them all and understand why these different names exist.
The primary purpose of a certificate is to be used with encryption. This is what lets us encrypt communications and communicate securely between two different computers, usually a browser and a remote server.
If you would like to know how to choose the right SSL certificate, read this article and learn more about the different types of certificate authorities, different domain scopes and different types of validation.
If you need help with your web security please contact our web development agency. We run the best custom web development agency in Montreal.
Sidick Allalade is Chief Technology Officer at Oshara INC and co-founder of the Osortoo web application. He loves solving complex IT problems, coding and everything IT. He has a good knowledge of online marketing and IT Governance, Audit and Security.
His experience spans hundreds of projects with companies of all sizes which makes him a valuable asset on any team.