Security is one of the most important advances in technology these days. Whether it’s WhatsApp encryption or governments wanting access to encrypted devices, there’s a lot of talk about security and the importance of encryption. But one of the biggest pieces of technology being talked about in the security debate has been around for many years – Public Key Encryption. Specifically, SSL, or Securit Sockets Layer.
What is SSL?
SSL is the backbone of our secure Internet. It protects your sensitive information as it travels across the world’s computer networks. SSL is essential for protecting your website, even if it doesn’t handle sensitive information such as credit card data. It provides privacy, critical security and data integrity for both your websites and your users’ personal information.[1]
I use SSL certificates on my websites. You can tell when a site uses SSL because the address bar looks something like this.
My address uses https:// at the start, instead of http://. The “s” means that the connection is protected using an SSL certificate or encryption. The padlock shows us that your browser recognises the certificate as a valid, authenticated, trusted certificate. You usually get these when the certificate has been validated by an external organisation or a Certificate Authority (CA). These are bodies that are specifically established to validate certificates and co-sign that your site is authorised to access secure protocols.
The certificate effectively says
“Hey, this website is using a secure connection. I am the server for mysite.tld and I want to communicate securely with you. This certificate has been signed by another company that has checked us out, so you know you can trust us. Here are the details.”
Your browser will look at the information and say
“Oh, hey! I know this other company, they’re cool! I trust them, so sure, we can talk securely!”
Once that happens, everything between you and my server is encrypted, so most people snooping on our connection would not be able to see what’s going on. It would be like listening to people speaking in Klingon – unless you have the right skills and capabilities, you won’t have a clue what is going on.
Information about the security certificates for each site you visit are available. In Microsoft Edge, you need to click “Connection is secure” and then click the certificate icon next to the close button.
If you use Google Chrome, you need to click on “Certificate is valid” to view the certificate information.
A window will pop up giving you information about the certificate and the authority that has verified the certificate.
In Mozilla Firefox, the process is a little different. You can see who has verified the certificate by clicking on “Connection secure”. If you click on “More information” and then “View certificate” in the window that pops up, you can view all of the technical information about the certificate.
With the disclosures over recent years of governmental organisations and spy agencies being able to view your traffic, as well as leaks of personal information, people are understandably nervous about their security. Services such as Google will use SSL certificates on their sites throughout and have higher rates of encryption for services such as Gmail, but smaller sites are getting into the SSL game too. I use SSL on all of my sites as well as client sites, especially when these sites can be used to collect personal information via contact forms. This is then sent over a secure connection and processed accordingly. Information on our servers is also encrypted to avoid any issues with hacks and data theft.
Why do we need them?
SSL certificates allow you to access secure protocols that allow authentication. They’re essential for online stores since those sites collect payment information such as credit cards. Valid SSL certificates are part of the compliance standards for the Payment Card Industry, and sites that don’t have one would be in violation of the standards and should not be trusted. But what if you’re not collecting information about payments? What if you aren’t collecting any kind of personal information whatsoever? Do you still need them then?
You probably do: Google keeps its SEO algorithms private, but in 2014 they announced that websites with valid SSL certificates are given a minor advantage over sites without. That means your site will be given a few extra brownie points for having a valid SSL certificate installed. Google even called for HTTPS to be implemented everywhere. Chrome, Firefox and other browsers are warning users about sites that are not secure, and splash screens and notifications to that effect could have an impact on people visiting your site.
SSL certificates are widely available. A simple search for “SSL certificate authorities” brings up a number of reputable SSL CAs, with some providers selling certificates between £10 and £1000s per year. For a new website, these costs can add up. It might be tempting to cut corners and find free alternatives, but occasionally these are malicious, trying to access information, and generally not to be trusted.
That said, some can be, and they’re supporting Google’s aim for SSL certificates everywhere.
Free SSL certificates that aren’t a scam
SSL certificates are issued based on trust and authentication, so you will want to use a provider that you can trust. Thankfully, there are at least three providers that are incredibly trustworthy and have easy to install certificates. I use two of these in my work and have used the third for some sites with some web hosts.
Cloudflare
CloudFlare is a US-based company that provides a number of online services, including content delivery networks, internet security services and domain name services. They allow you to route your web traffic through their servers to ensure the connection is secure and your website is protected, as well as reduce the direct traffic from your server. The company is based in California and has offices across the world, including London, Singapore, Austin, Boston and Washington. They use a very clever system to encrypt your data and hide your company’s web servers behind theirs, acting as a firewall. Cloudflare has helped mitigate a number of attacks over the years, and this has been even more true during the COVID pandemic.
Long story short, they know their stuff.
Not only that, but their offices in San Francisco, California use a unique and very cool method to generate their security keys – lava lamps.
Their basic services are free of charge and include a DV SSL certificate – an SSL certificate verified against your domain. Setting up your domain with them is fairly easy, and there are guides on their website that will show you how to do this. You need access to the domain to make changes, which Cloudflare takes as sufficient evidence that you own the domain.
Let’s Encrypt
Let’s Encrypt is another free service and is brought to you by the Internet Security Research Group. They are a non-profit certificate authority, issuing and validating DV SSL certificates for website owners. Members of the group include people from the American Civil Liberties Union, Mozilla, Cisco, Google and the Electronic Frontier Foundation. A number of other large companies also support the organisation. They require something to be installed on the server to issue and renew certificates, although some sites will provide services that don’t require this.
ZeroSSL
If you don’t have Let’s Encrypt installed, you can use ZeroSSL to create certificates for your domains. Their free accounts offer three 90-day certificates, which can be renewed free of charge. They offer a few more features than Let’s Encrypt, and can be installed on any server. Installation is relatively easy and there are guides on how to install your certificates on multiple hosting providers. Like Cloudflare and Let’s Encrypt, the SSL certificates provided are domain-validated (DV SSL).
If you want to learn more about the different SSL certificate types, head over to my Instagram page. Different providers will offer different certificate types, and some like the ones listed here will only offer domain-validated certificates.
Want more information?
There’s a lot of information on SSL certificates and the importance of them online, but we recommend checking out this YouTube video by TechQuickie, or you can check out the more technical explanations on Computerphile – Public Key Cryptography, Man in the Middle Attacks & Superfish, and End to End Encryption (E2EE) are videos I recommend.
Want to learn more about SSL certificates? Need support in installing one on your server? Head on down to the comments and let’s discuss.