In the past, using an SSL Certificate as part of your website’s hosting configuration was something only for ecommerce sites or those managing extremely sensitive information. However, it is now considered the best practice for all websites. There is still a lot of confusion on what this means and why you need to pay attention to this easily overlooked detail. Blue Tangerine recommends that all websites now use SSL, and we are working with our clients to upgrade any sites that still do not incorporate SSL into their hosting.
What is SSL?
The data that typically comes to mind is information that is submitted via a form on a website. This data includes information found on a checkout form, a contact form, a newsletter subscription form or a login form. However, SSL also protects the data coming from the server back to your web browser, which ultimately includes any information that the site might display.
The certificate is the file that is purchased from an SSL vendor and installed on the web server as part of the hosting configuration. SSL Certificates are typically purchased on a subscription basis for a period of 1 to 3 years and require a renewal when that subscription ends.
How can I tell if a site is using SSL?
To better inform users, web browsers provide more information when you click near the URL in the browser’s address bar. The browser will display warnings if any of the sub-elements of the page are not using SSL. Most modern browsers now display a lock symbol near the address if the page and all of its components are properly secured.
Why is there such an emphasis on doing this now?
In 2014, Google started pushing for all sites to use SSL as a way to elevate overall data security online. Google also gives preference to secured sites in its ranking algorithm, which means that adding SSL to your site will help improve search engine rankings (see https://security.googleblog.com/2014/08/https-as-ranking-signal_6.html).
Two relatively recent events have made these migrations and upgrades easier and more attractive. First, the server technology that allows SSL Certificates for different sites to operate in shared IP Address hosting environments has matured and has now become mainstream. This significantly reduces the hosting requirements for sites to use SSL since a dedicated IP Address for each website is no longer required.
Second, beginning in October 2017, Google started showing a more prominent “Not Secure” warning in the Chrome browser when users start entering data on site pages that contain forms. Because the typical user doesn’t really understand what this warning is referencing, this has the risk of reducing the user’s trust in the site and potentially reducing conversion rates. And, in July 2018, Google plans to show the “Not Secure” warning in the Chrome browser for ALL non-secure pages.
Image source: Google Security Blog
Does SSL prevent my website from being hacked?
While SSL does perform an important role in protecting the data used on your website, by itself SSL does not provide complete security for your site’s code. There are many different avenues and attacks that hackers use to try and compromise a website and access its data. A secure hosting environment is a combination of web server and firewall configurations, as well as secure coding practices that go far beyond just having an SSL certificate installed.
My site needs SSL, so what is involved in updating my site?
To migrate a site properly to SSL requires a few more steps than just installing the SSL certificate and starting to use https with your site links. A comprehensive migration project will include the following tasks:
- Purchase the SSL certificate software
- Configure the web server with the SSL certificate software
- Review and convert all scripts, included files, images and links to use secure references within the website’s code
- Review all database and CMS accessible content to ensure that there are no hardcoded links or images using non-secure link protocols and update the content as needed
- Create search engine friendly (301) URL redirects to force all old site page URLs to https from any existing external links (Google considers the http and https versions of your site to be two different sites, and because their content is identical, if you miss this step then you open your site up for duplicate content penalties and a negative impact on your search engine rankings)
- Reconfigure Google Search Console and Bing Webmaster Tools to use the new https site version
- Generate a new XML sitemap and upload to the site
- Submit the updated XML sitemap to Google and Bing
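
For the two review steps above (scripts, included files, images and links in the site's code, and hardcoded links in CMS content), the following is an added example, not part of the original article: a small Python scanner that lists every `http://` reference in a page's HTML. The function and class names and the `example.com` sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a sub-resource (mixed content when http://).
RESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "link": "href",
}
# Attributes that only navigate or submit; these need updating too, and an
# http:// form action sends the submitted data unencrypted.
NAVIGATION_ATTRS = {"a": "href", "form": "action"}


class InsecureReferenceFinder(HTMLParser):
    """Collect (kind, tag, url, line) for every http:// reference in a page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for kind, table in (("resource", RESOURCE_ATTRS), ("navigation", NAVIGATION_ATTRS)):
            url = (attrs.get(table.get(tag, "")) or "").strip()
            if url.lower().startswith("http://"):
                self.findings.append((kind, tag, url, self.getpos()[0]))


def find_insecure_references(html):
    finder = InsecureReferenceFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page (example.com is a placeholder domain).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<script src="https://www.example.com/js/app.js"></script>
</head><body>
<img src="HTTP://www.example.com/img/logo.png">
<img src="/img/banner.png">
<a href="http://www.example.com/contact">Contact</a>
<form action="http://www.example.com/subscribe" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url, line in find_insecure_references(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> {kind} -> {url}")
```

Entries marked `resource` are the ones that trigger the browser's mixed-content warnings; entries marked `navigation` still load but should be updated so visitors are not sent through the old http URLs.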
Updating your website to a 100% SSL hosting configuration is an important task to accomplish as soon as you can. Your site’s users and your search engine rankings will thank you. For assistance in making your migration, contact us at Blue Tangerine today.