SSL certificates are becoming more and more prevalent within the online landscape. Once the domain of large online stores and big brands, the humble SSL certificate is slowly but surely finding its rightful place protecting each and every website. As the online consumer becomes more savvy, they are expecting to see the security padlock symbol or the glow of the green bar. This demand for site security can often put the webmaster into a tailspin; however, the good folk at WooThemes have put together this handy little guide to SSL certificates for eCommerce to take away all the confusion.
Part of the process of starting an online store is finding a way to secure the experience for your shoppers. You want your potential customers to feel safe, of course, and to know that their data isn’t going to fall into the wrong hands.
If you’re new to eCommerce, you might have heard some chatter about SSL certificates or HTTPS as part of this security process. And you might be utterly confused by it. Relax — that’s normal, and we can help.
SSL sounds like a complicated topic, but once you understand the premise and why your store might need it, it’s not something you’ll have to spend any time worrying about. In fact, for most store owners, you can get a certificate to add SSL to your store in just a few minutes.
Let’s go over what SSL is, why you might need it, and how you can go about getting a certificate for your store. At the end of this post, your confusion should be gone, and you should be even more prepared to start selling online.
The SSL certificate explained
To understand what an SSL certificate is and why you might need one, let’s first take a quick look at the technology behind it.
A quick lesson on SSL
SSL stands for “Secure Sockets Layer,” though you will also see it called “Transport Layer Security” (or TLS), the name used for the newer versions of the protocol. SSL on its own is a protocol used to secure and protect transactions — though not necessarily financial ones — between destinations on a network.
SSL relies on encryption to make these transactions private. Each message transmitted also carries an integrity check that the receiving side verifies before accepting it. If the check fails (due to data corruption, or any unexpected attempt to alter or capture the data), the message is rejected and the encrypted data is not exposed.
We use SSL every day when we browse common websites like Facebook, YouTube, and online stores. The encryption used prevents those with malicious intent from intercepting transactions as innocent as your search queries… or as dangerous as your credit card information.
How SSL applies to website certificates
When a website wants to secure its transactions, it will obtain an SSL certificate for that domain. With the certificate installed, the encryption described above protects all traffic with the website, including page requests, form submissions, financial transactions, and so on. This prevents data theft and similar attacks on data in transit.
SSL certificates also contain important security information, including:
- Company name
- Company location
- Length of time the certificate is good for
- Details of the authority who issued the certificate
This allows individuals who are uncertain about a website’s authenticity or trustworthiness to click the green “lock” icon in their browser to review more information. If they still do not feel secure, they are able to exit the site.
How to know if a website uses SSL/TLS
There are two quick ways to tell if any given website has an SSL certificate. Look for:
- A green “lock” icon in the address bar, and
- A URL that starts with https instead of http
Depending on how the site uses SSL, this might not apply to every page — as you’ll learn below.
How the usage of SSL is changing
For quite some time, the Internet standard was that SSL certificates were only recommended for domains or specific pages of websites where sensitive information (such as financial data) would be transmitted or received. However, that recommendation is slowly changing.
In August of 2014, Google announced that website security would be added as a “lightweight ranking signal” for results in its search engine. This meant that a website secured with SSL/TLS stood a better chance at ranking higher for a query than an unsecured one, assuming all other factors were the same.
From the announcement:
We’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now it’s only a very lightweight signal […] while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe.
Over the past year, the potential implications of this change have caused many website owners — not just store owners — to encrypt their sites with full SSL certificates, changing their URLs to “https” instead of “http.”
However, this doesn’t require anyone to secure their entire site with SSL. Should they choose, website and store owners can still place all their sensitive pages on a subdomain, and purchase a certificate for that domain alone, leaving the rest of the pages unencrypted.
How to know if your online store needs SSL
Reading all this, you might be convinced that you need an SSL certificate. After all, security is important to you, right?
However, if you don’t capture or store any sensitive data, you might not actually need a certificate. This might sound strange, so let’s dig in.
The most common scenario that causes store owners to be exempt from needing SSL is the usage of an offsite payment processor — for example, PayPal. This is because PayPal is responsible for capturing and storing all of your customer’s sensitive payment information, so it is never stored in your database.
Offsite payment processors have their own security standards, certificates, and methods of securely passing data from and to your store. Therefore you don’t necessarily need SSL, because they’ll have it covered.
Another scenario is if you don’t allow customers to create accounts or logins involving passwords of any kind. Even if you use a third-party, entirely offsite payment gateway, you might still have customers creating accounts with you to save their shipping and billing addresses.
While this is far less sensitive information, many customers tend to use the same password for every account. So a bit of reverse engineering could lead a hacker to gaining access to, say, a shopper’s email account, bank account… you name it. This means that unless account creation is disabled on your store, you’ll need SSL to protect those passwords and logins.
To recap, the two factors that can eliminate SSL as a requirement are:
- Usage of a fully off-site payment gateway, and
- Absolutely no account or password functionality allowed by customers
If you don’t have both of these factors in place, you’ll need a certificate for your store. And even if you do, you should still consider it, given the possibility of HTTPS becoming more important for rankings — and customer peace of mind — in the future.
Need SSL? How to get a certificate (two ways)
The standard way to secure your store with SSL until very recently was to pay a third party for a certificate. There’s now another option, however, as mentioned during The State of the Word at WordCamp US.
Here are two ways you can secure your store and keep your customers happy.
Paying for a certificate
SSL certificates can be purchased from a wide variety of third parties. Many domain resellers offer them to their customers (sometimes even bundled with your domain name), and there are also independent companies who sell only SSL certificates.
Your best bet might be to start with the company from which you purchased (or are planning to purchase) your store’s domain name to determine if they offer certificates or any kind of bundle. If not, a simple search should turn up multiple reliable options.
Before you buy, spend a few minutes carefully considering the type of certificate you need. Basic SSL certificates only cover one domain — e.g. example.com or subdomain.example.com. But you can also purchase multi-domain certificates, or “wildcard” certificates to cover multiple subdomains (example1.domain.com, example2.domain.com…).
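To see which hostnames each certificate type actually covers, here is an added example (not code from the WooThemes guide) that applies the hostname-matching rules browsers use: a wildcard stands in for exactly one label, so `*.domain.com` covers `shop.domain.com` but not the bare `domain.com` or `a.b.domain.com`. The certificate name lists are constructed for illustration.

```python
# Added example: does a certificate's listed DNS name cover a hostname?
# Follows the matching rules from RFC 6125 that browsers apply.
# The certificate name lists at the bottom are constructed, not real.

def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label: a lone '*' matches any single non-empty label,
    anything else must match exactly (names were lower-cased already)."""
    if pattern_label == "*":
        return bool(host_label)
    return pattern_label == host_label


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if one DNS name from a certificate covers `hostname`.

    Rules applied (the ones that trip up store owners):
      * comparison is case-insensitive and ignores a trailing dot
      * '*' is only allowed as the entire leftmost label
      * '*' matches exactly one label, so '*.example.com' covers
        'shop.example.com' but neither 'example.com' nor 'a.b.example.com'
      * a wildcard needs at least two labels after it ('*.com' is rejected)
    """
    pattern = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if "" in pattern or "" in host:          # empty label: malformed name
        return False
    if "*" in cert_name:
        # wildcard must be the whole leftmost label, and appear nowhere else
        if pattern[0] != "*" or any("*" in p for p in pattern[1:]):
            return False
        if len(pattern) < 3:                 # refuse '*.com' style patterns
            return False
    if len(pattern) != len(host):            # '*' never spans several labels
        return False
    return all(_label_matches(p, h) for p, h in zip(pattern, host))


def certificate_covers(cert_names: list, hostname: str) -> bool:
    """A certificate covers a hostname if any of its listed DNS names match."""
    return any(name_matches(n, hostname) for n in cert_names)


# Constructed name lists for the three certificate types the guide describes
SINGLE_DOMAIN_CERT = ["example.com", "www.example.com"]
WILDCARD_CERT = ["*.domain.com", "domain.com"]   # bare domain listed explicitly
MULTI_DOMAIN_CERT = ["shop.example.com", "example.net", "www.example.net"]

if __name__ == "__main__":
    for host in ["shop.domain.com", "domain.com", "a.b.domain.com"]:
        print(host, "->", certificate_covers(WILDCARD_CERT, host))
```

Note that the wildcard list above includes `domain.com` explicitly; a certificate listing only `*.domain.com` would leave the bare domain uncovered.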
Pricing for paid certificates typically ranges from $30US to $50US per year for single domains, and up to $300US per year for multi-domain or wildcard options.
Free certificates from Let’s Encrypt
The Internet Security Research Group (ISRG) currently has a program called Let’s Encrypt in public beta. Let’s Encrypt allows anyone to secure their site with SSL/TLS for free — effectively giving website and store owners a free, permanent SSL certificate.
The catch: Let’s Encrypt isn’t quite as straightforward as working with a domain registrar to purchase and install your certificate. It’s also still in beta, so bugs are possible. However, it is still completely free, and open source at that.
If you’re interested in going this route, we recommend sending the Let’s Encrypt documentation to your developer, who can determine the plugin and client you need for your server, and handle the certificate installation process for you.
The consequences of not having a certificate
You might be wondering “what happens if I ignore all this and just don’t get an SSL certificate?”
Truthfully, nothing might happen. But there could also be dire consequences, including:
- Shoppers losing trust in you because your store appears unsecured
- Unsavory individuals “spoofing” your store because there’s no way to prove you are the real owner or manufacturer of your goods
- A hacker using reverse engineering to hijack a customer’s email, social media, or other online account with information gained from your store
- Theft of sensitive personal or financial data stored on your server
- The public and potential financial backlash caused by any one of the above events
As you can see, it’s better to simply pay for an SSL certificate and have the peace of mind than it is to risk it. Even having potential customers pester you about that missing lock icon — and potentially exit without buying because it’s missing — is worth the $30US or so a year, don’t you think?
SSL doesn’t have to be a complicated matter
We hope this introduction to SSL certificates for eCommerce has helped you understand a bit better why you might — or might not — need a certificate for your own online store.
With any luck, SSL and store security should seem much easier for you to grasp now. But if you have any remaining questions, we’ll be more than happy to answer them for you in the comments below! Ask away, we’re always here to help.