Going off our last post on responsive design, another area where you should try to upgrade your website in 2016 is security.
Just as you likely enjoy logging into certain websites and knowing that your information and passwords are kept secure, so should you try to foster the same experience for each of your online visitors. Especially if your website has a shopping cart, you need to make sure that the sensitive information your customers enter doesn’t fall into the wrong hands.
Not only could you lose visitors by not having a secure site (even if they only log in to post comments), but many SEO-related ramifications are latent for websites that have yet to upgrade their security.
In this comprehensive blog post, we take a closer look at:
- What exactly is an SSL certificate
- The different kinds of security certificates
- The rationale behind upgrading your site’s security
- How you can approach the upgrade process
SSL Certificate Definition and its Usefulness
SSL stands for “secure socket(s) layer.” It’s a type of technology that establishes a secure connection between a user’s browser and the hosting server of the website he or she is visiting, so long as the website has a valid SSL certificate. The certificate is made up of a digital computer file or small piece of code. Generally, SSL certificates are only valid for one domain (web address) and corresponding server at a time.
When someone is visiting an SSL-certified website, they are essentially handed their own personal key to unscramble the content of the site and view it normally for the entirety of their desired session. All communication between the user and the website (or the hosting server, more specifically) during this time is encrypted, meaning hackers can’t spy on the user’s session, insert malware and steal personal information.
Besides individual websites, SSL is also valuable for sending and receiving secure email, files, instant messages and other forms of sensitive information.
How to Look for an SSL Certificate
To see if a certain website has an SSL certificate, open up the site and look to the left-hand side of the address bar. Look for a padlock icon and possibly some other information that precedes the actual URL of the site.
Take our site, for example. Your browser should show you the padlock icon and our full company name before the URL. Below is what it looks like in the Firefox browser. The way Chrome displays it is not much different.
If you actually click in that area, you will be given even more information about the company that operates the website as well as the third-party Certificate Authority (CA) that verified and approved the site’s security.
Here’s how that information is shown in Chrome:
On some websites, you may only see the padlock icon to denote an SSL certificate. This icon is still clickable and can show you the issuing certificate authority. Take one of our favorite websites for SEO-related news and advice, Moz, for example.
There’s a reason the business’s name doesn’t show up in the address bar ahead of the URL. I’ll get to that phenomenon later.
Another attribute to look for in a secure website is an “s” in the protocol of the URL. In other words, look for “https” instead of the previous standard of “http.” You’re probably seeing dozens, if not hundreds, of sites slightly updating their addresses in this manner. All the HTTPS stands for is “secure hypertext transfer protocol.”
You also might see HTTPS called one of the following:
- HTTP over TLS
- HTTP over SSL
- HTTP Secure
What is Transport Layer Security (TLS)?
SSL has actually long been phased out by a similar technology called transport layer security (TLS). However, it’s still common for techies and certificate authorities to say SSL when referring to either technology. For some reason, the term “TLS certificate” never really caught on.
Both SSL and TLS are also known as cryptographic protocols. If you’re wondering, the internet is now actually up to TLS 1.2, while version 1.3 is supposedly in the works.
Different Types, Strengths of SSL Certificates
Not all SSL certificates are created equal. Some companies can even sign their own SSL certificate, although this isn’t the recommended route. Below is an overview of some of the most common SSL certificates on the market:
- Self-signed certificate: A basic certificate generated for internal purposes and not issued by a certificate authority. This type of certificate obviously isn’t fully authenticated nor as strong as an SSL certificate issued by a CA.
- Domain validated certificate: A quick verification check is performed to ensure the applicant owns the domain for which he or she wants an SSL certificate. The applicant can get away with not even being a valid business entity, however, which is why this kind is considered an entry level SSL certificate.
- Fully authenticated SSL certificate: The business needs to pass a number of validation procedures and checks to receive this type of certificate for a domain. These certificates take longer to obtain, but they denote a stronger level of online security.
- Wildcard certificate: For websites with several subdomains, a wildcard certificate is a sensible option to secure the entire collection. For example, Yahoo’s subdomains show up as sports.yahoo.com, news.yahoo.com, etc. Yahoo is secure domain, and may very well be utilizing a wildcard certificate.
- SAN (subject alternate name) certificate: This kind of certificate is similar to a wildcard one, but it allows more than one domain to be included in a single SSL certificate. This type works for websites with one or more microsites, but it takes time for each domain to be verified and authenticated before a CA issues the certificate.
- Extended validation (EV) SSL certificates: Websites with this type of certificate have met the highest standards for authentication. The address bar turns green in most browsers when a user visits an EV SSL-certified website. The true owner of the domain and its country of origin will be displayed in green in the address bar. For reference, check out our site, which recently received its EV SSL certification.
The SEO Value of SSL Certificates
Google is continually making moves to make the web a more secure place. And, by golly, what Google wants, Google usually gets.
HTTPS Pages First
In 2014, websites and individual web pages an HTTPS prefix began to get a leg up in the search engine rankings. Near the end of 2015, Google announced through its Webmaster Central Blog that it will start to index the HTTPS version of web pages first, as we wrote about in our January newsletter. Several websites have HTTPS and HTTP versions of the very same page. Even if a site’s navigation directs a user to only HTTP pages, Google will still soon take the HTTPS version of those pages, if available, and feature those in the search results.
Flagging Unsecured Websites
As reported on Motherboard last month, Google appears set to flag unencrypted sites as insecure in the near future. Presenters at the Enigma security themed conference in San Francisco postulated how this might look on Chrome browsers. As you may have seen on HTTPS sites that are actually not secure, Chrome will display a padlock icon with a red “x” over it to the left of the URLs of unsecured websites.
Here’s what the icon looks like if you enable higher security settings in Chrome.
As speculated, Google may soon deploy that icon on all HTTP sites across the web for Chrome users.
Motherboard noted that Mozilla and Apple have also jumped on the web encryption train, and that the U.S. government has called for all .gov sites to be upgraded to HTTPS by the end of 2016. Ironically, Motherboard itself is not an HTTPS website, but who’s counting?
Upgrading Your Website to HTTPS
So, all of the big players on the internet already have their sites upgraded to HTTPS, right? Surprisingly, the answer is no.
News organizations seem to be lagging behind when it comes to obtaining their SSL certificate. Big names like CNN, The New York Times, USA Today and more all still have non-secure protocols – as of this writing, at least.
Other major websites are part-HTTP, part-HTTPS. If you type “Amazon.com” in the address bar in Firefox (or if you just search Google for “Amazon”), you will be taken to an HTTP homepage. All navigational and product pages are also non-secure from there.
However, as soon as you try to log in or view your shopping cart, you will be taken to an HTTPS page.
Amazon actually does work it you type “https” at the start of its URL in Firefox, or if you type just “Amazon.com” in the Chrome address bar, so the company must be in the process, however long, of fully securing its massive site – or at least making sure the user only gets directed to HTTPS pages.
If your website has a shopping cart or any page that asks to user to log in and give some amount of personal information, then you need to look into get those pages secured right away. Users will flee if they can’t trust your website to protect their personal info. A 2014 survey in the U.K. found that 85 percent of online shoppers avoid unsecured websites when making a purchase.
Certificate Authority Options
Now that you’re surely convinced your website needs its SSL certificate, let’s look at some reputable CAs that can vet your company and issue the most reliable seals of approval.
Symantec, producer of the popular Norton AntiVirus software, claims to have secured two-thirds of all websites that have an extended validation SSL certificate. The annual price for Symantec to be your CA is quite high, though. Below are some other CA options, ranked by highest to lowest annual fee for a starter certificate:
- DigiCert (our EV certificate provider)
- Instant SSL by Comodo
- Network Solutions
Website Security for 2016 and Beyond
While Google has yet to announce that it will no longer feature any HTTP content in its search results, I wouldn’t put it past the web leaders to make such a move in the far-off future. Start upgrading your site’s security today so it won’t get left behind in search if Google ever decides to make such a drastic move.
A legitimate SSL certificate for your website not only helps with organic search engine rankings, but it also lets your visitors know that they have found the authentic domain for your business, rather than a specious alternative that scammers often like to create.
If you’re short on time to undergo the often arduous, long-winded task of receiving an extended validation SSL certificate, Eminent SEO can find and work with a trusted CA on your behalf, as part of our Website Development Services.
In our next post on developments to look for in 2016, we’ll explore the difference between mobile websites and mobile apps and let you know which one is more worthy of your investment going forward.