As malicious attacks become more widespread, aggressive and advanced, security is becoming more important than ever. While there are hundreds of ways you can increase your site's security, there’s one simple thing everyone should do to get off to a good start – getting an SSL certificate. Server packages such as VPS hosting offer SSL certificates to signify to site users that their data is secure.
So what is an SSL certificate, how does it work, and what are the benefits of being certified?
What is an SSL certificate?
SSL is short for Secure Sockets Layer, a protocol that provides a secure connection over the internet – most commonly between a user’s browser and the website they’re visiting. An SSL certificate is what lets a website offer that connection. By encrypting the connection, SSL prevents the interception of data during transmission, which keeps data protected and adds even more benefits on top.
By the way: All of our Web Hosting packages come with SSL certificates as standard.
What does an SSL certificate do?
As you get a better idea of how SSL works, you’ll understand how much your site can benefit from certification. For starters, an SSL certificate can act as visual confirmation to users that your website is a safe and secure environment. This is especially important if your users are asked to input personal information and payment details.
Similarly, making sure you have an SSL certificate helps to build trust with users, who will immediately recognise your site as legitimate and trustworthy. In fact, over 75% of websites now employ SSL and HTTPS as their first line of defence.
How does an SSL work?
An SSL certificate works by encrypting your information, to ensure unauthorised users can’t get their hands on it. Whether you're exchanging data with a website, servers or between two systems, an SSL ensures that only the intended user can read it. This is especially important for protecting sensitive data such as personal info, addresses, card numbers, or financial data when it's being transmitted.
This is how SSL encryption works in a nutshell:
- First, your browser or server tries to connect to a web server that's secured with SSL.
- This triggers a request from your browser or server, asking the webserver to prove its identity.
- In response, the web server sends a copy of its SSL certificate back to your browser or server.
- Your browser or server then checks the SSL certificate to see if it's legitimate. If everything checks out, it lets the web server know the site can be trusted.
- Once that's done, the web server sends a digitally signed message back to your browser or server, starting an SSL-encrypted session.
- From this point on, all the data transmitted between your browser or server and the web server is encrypted and protected from prying eyes.
This whole process of exchanging info and verifying things is called an "SSL handshake," and even though it may sound complicated, it happens in a matter of milliseconds. You’ll barely notice it happen!
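The client side of that handshake, as an added example (not code from the original article): a Python client that insists on the certificate check and reports either what was negotiated or why the certificate was refused. The function names, the TLS 1.2 floor and the 5-second timeout are assumptions made for this sketch.

```python
import socket
import ssl
import sys


def build_client_context() -> ssl.SSLContext:
    """Client settings that make the certificate check in the handshake mandatory."""
    ctx = ssl.create_default_context()            # loads the system's trusted CA store
    ctx.check_hostname = True                     # certificate must name the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED           # an unverifiable certificate aborts the handshake
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed floor: refuse SSL 3.0, TLS 1.0/1.1
    return ctx


def handshake_summary(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Run the handshake against host and report what was negotiated or why it was refused."""
    ctx = build_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # wrap_socket performs the handshake: the server presents its certificate
            # and the client validates it before any application data is sent.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "trusted": True,
                    "protocol": tls.version(),      # negotiated protocol version string
                    "cipher": tls.cipher()[0],
                    "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                    "not_after": cert["notAfter"],
                }
    except ssl.SSLCertVerificationError as err:
        # Expired, self-signed, untrusted issuer or wrong hostname: the same
        # condition a browser reports as a certificate warning.
        return {"trusted": False, "reason": err.verify_message}


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(handshake_summary(sys.argv[1]))
    else:
        print("usage: python tls_check.py <hostname>")
```

Run it against your own hostname after installing or renewing a certificate; a `trusted: False` result means visitors' browsers will show a warning too.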
What does an SSL certificate show?
You can easily spot websites that use SSL certificates. Their URLs start with "HTTPS" instead of just "HTTP" – that "S" at the end stands for security. Also, you'll see a padlock icon in the URL bar, which is a visual sign that the site is secure.
But what does an SSL contain? When you click on the little padlock, the following is displayed:
- The domain name the certificate is issued for.
- The individual, company, or device the certificate is issued to.
- The Certificate Authority (CA) that issued the certificate, along with its digital signature.
- Any subdomains covered by the certificate.
- The dates when the certificate was issued and when it expires.
- The certificate's public key (the private key is kept secret and secure by the recipient).
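The same fields can be checked programmatically. This added example (not from the original article) audits a certificate in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns; `SAMPLE_CERT`, the helper names and the 30-day `renew_window_days` default are constructed or assumed for illustration.

```python
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# every name and date below is illustrative, not taken from a real certificate.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Ltd"),), (("commonName", "example.com"),)),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA R1"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
}


def flatten_name(name) -> dict:
    """Turn the nested subject/issuer tuples into a plain {field: value} dict."""
    return {key: value for rdn in name for key, value in rdn}


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host


def audit_cert(cert: dict, host: str, now: float, renew_window_days: int = 30) -> dict:
    """Summarise the padlock fields for host at time now (seconds since the epoch)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    return {
        "issued_to": flatten_name(cert["subject"]).get("commonName"),
        "issued_by": flatten_name(cert["issuer"]).get("commonName"),
        "covers_host": any(name_matches(p, host) for p in sans),
        "not_yet_valid": now < ssl.cert_time_to_seconds(cert["notBefore"]),
        "days_left": days_left,
        "expired": days_left < 0,
        "renew_now": days_left <= renew_window_days,  # assumed alert threshold
    }
```

Pass `time.time()` as `now` for a live check. Note that a wildcard entry such as `*.example.com` covers `shop.example.com` but not `a.b.example.com`.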
What's the difference between SSL vs TLS?
Standing for Transport Layer Security, TLS is a protocol that encrypts data transferred between a web server and user, just like SSL. On the surface of it, there's not really a huge difference between them. They both do the same thing, but TLS is the upgraded, more secure version of SSL and you'll only find the differences when you dive into the really technical details of how they work.
Many providers like us now use TLS encryption because of the security benefits, but it's still industry-standard to refer to them as SSL certificates. Read more in our SSH vs SSL guide.
Is SSL the same as TLS?
People often use "SSL" and "TLS" interchangeably, but they're not exactly the same.
SSL is the older version, and TLS is the newer one and what’s used today. Both of them are cryptographic protocols that were created to ensure communications over computer networks are as secure as possible.
SSL was actually developed by Netscape back in the mid-1990s. It went through various versions as they worked to fix any security issues and make the protocol stronger. Then, the Internet Engineering Task Force (IETF) came up with TLS as an upgrade to SSL 3.0. They released TLS 1.0 in 1999, and it's been evolving since then.
TLS has had a bunch of updates over the years, and the latest version is TLS 1.3, which came out in 2019. Each new version has improved security features and gotten rid of outdated encryption methods that were used in SSL. So, even though people still say "SSL" when talking about secure web connections, the technology we use today is TLS.
What is a self-signed SSL certificate?
A self-signed SSL certificate is a type of digital certificate that isn't issued by an external Certificate Authority (CA). Instead, it's created and signed by the entity or person who will use it. Unlike certificates from trusted CAs – which confirm the identity of the certificate holder and are recognised by devices and browsers without any extra steps – self-signed certificates are made in-house using the same cryptographic techniques. However, they lack the third-party validation that CAs provide.
While self-signed certificates can effectively encrypt data between a server and a client, they aren't typically the best choice for websites that are accessible to the public. You need some serious technical know-how, but also, they don't necessarily provide assurance of the server's identity to end-users. Browsers often display warnings to users about potential security risks when they come across such certificates. On the other hand, self-signed certificates may be acceptable in controlled environments where trust has already been established, like internal networks, development environments, or applications that require encryption without external validation.
How do I know if I’m using SSL?
The way a website indicates the presence of an SSL certificate differs across web browsers.
An SSL certificate in Google Chrome
If you’re visiting a website in Google Chrome, the main indicator of a valid SSL certificate is the use of ‘https://’ at the beginning of the URL, rather than just ‘http://’.
In terms of a visual indicator, you’ll typically see a padlock icon in the address bar before the URL of the site.
But, Google did announce in 2021 that Chrome M93 would include an experiment that replaces the lock icon in the address bar with a more neutral 'dropdown'-style arrow to improve access to other security information.
An SSL certificate in Microsoft Edge
When visiting your site in Microsoft Edge, it'll look quite similar to what we're used to in Chrome (pre-M93 experiment). If the connection is secure (i.e. has a valid SSL certificate) you'll see a lock icon in the URL bar.
If a site doesn't have an SSL certificate the address bar will indicate an insecure connection with a triangle warning icon.
An SSL certificate in Safari
When visiting a secure site on Safari, it’ll have a padlock next to the URL just like previous examples have shown.
When you click on the padlock, a separate pop-up window will appear which gives you detailed information on the encryption used.
Benefits of SSL certificates
There are multiple benefits to using SSL certificates, so let us run through a few of the main ones:
1. Protect data
We’ve already mentioned it but the main benefit of SSL is protecting data. By encrypting the data being transferred to and from the site, it protects it from being read by anyone malicious who tries to access it. Even if there’s a data breach and some of the data is intercepted, it will make it almost impossible to be understood due to the level of encryption it involves. Your visitors can feel safe in the knowledge that their data is in good hands.
2. Reduce the risk of phishing
Those visual indicators we mentioned above are also key to preventing phishing. If you’re unfamiliar, phishing websites are fraudulent sites made by those who aim to steal user data. They’re often very convincing replicas of legitimate websites, and try to trick visitors into entering their personal information. A valid SSL certificate on your website is an obvious way of showing that you’re the real deal, which can help your visitors avoid phishing attacks.
3. Increase your search engine ranking
How highly a website ranks in search engine results is key to its success. In 2014, Google announced that it would start including SSL and HTTPS as a factor in its search rankings. With so many websites using SSL, the reality is that without a valid certificate, a website is very unlikely to rank highly (or at all). Google visibly supports and endorses the use of SSL certificates to secure your website.
4. Secure your customer payments
The encryption we talked about in point one also obviously applies to payment data. When your customers are sending their card details to your site, having HTTPS in the address bar shows that you’re encrypting and protecting those details. In fact, PCI (Payment Card Industry) regulations require at least 128-bit encryption on any payment data being transmitted, so if you’re taking payments from customers, having an SSL certificate is the bare minimum.
5. Showing your users you can be trusted
We've mentioned it already but we'll say it again, above all of those technical points, a huge benefit of having an SSL certificate is that your customers know they can trust you.
Without one, visitors trying to navigate to your HTTP-only site using Chrome will be shown an intimidating screen with a warning symbol telling them their connection isn't secure. It’s like having a big warning barrier outside a shop, warning those trying to enter that they might have their wallet stolen if they go in. Visitors to the site then have to click on a very small 'Advanced' button to actually reach the unsecured website.
How to get an SSL certificate
Getting SSL certificate verification for your domain is pretty simple. General practice is to apply through an independent certificate authority (CA). Because CAs are third parties, their digital signature is considered trustworthy.
Once you’ve received a certificate from the CA, you should apply it to your website through your server. Usually, your website host will handle the activation, after which users will be able to visit your site securely.
Otherwise, many hosting and server providers include SSLs in their packages so all of your sites would be covered.
How much does an SSL certificate cost?
When debating whether to get an SSL certificate, the benefits definitely outweigh the drawbacks. But the most common obstacle that domain owners come across is finding the right SSL certificate for their website.
It's possible to get an SSL certificate for free, but only for up to 90 days, so it's important that you keep renewing the certificate before each period expires. Free certificates offer less complex security features than paid versions and are usually suitable for smaller sites and blogs, rather than businesses.
Alternatively, purchasing a premium SSL certificate will generally cost between £25-50 per year, with prices varying depending on the level of service you require. There are packages that far exceed this cost, while at the other end of the spectrum some basic packages can be bought for as low as £6 per year.
How to update an SSL certificate
Once your SSL certificate expires, your website can become vulnerable to hackers. Fortunately, you can begin renewing your SSL certificate up to 90 days before the expiration date:
- First, generate a new certificate signing request (CSR). A CSR is a portion of encoded text that identifies your company name and domain. You’re required to present this to your SSL provider upon renewal.
- Once you've successfully completed your CSR, you can log in to the account you created when you initially applied for an SSL certificate and choose whether you want a one-year or two-year certification, then confirm your order.
- Once approved, your website will continue to be protected by your SSL certificate.
Looking for cheap web hosting with an SSL certificate? At Fasthosts, we include them for free for the first year with all of our Web Hosting packages. To find out more about what SSL can do for you, contact our expert sales team today.