Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to collectively as “SSL”, are cryptographic protocols for encrypting data sent between the user’s browser and the destination or origin (like a web server).
All the data transmitted between them is encrypted so an attacker can’t read it in transit.
Without getting too much into the cryptography, SSL certificates have a key pair: a public and a private key. Only when these keys work together can an encrypted connection be established. The certificate also contains what is called the “subject,” which is the identity of the certificate/website owner, and it names the Certificate Authority (CA) that issued it.
It turns out, anyone can create a certificate, but browsers only trust certificates that come from an organization on their list of trusted CAs. Browsers come with a pre-installed list of trusted CAs, known as the Trusted Root CA store.
In order to be added to the Trusted Root CA store and thus become a Certificate Authority, a company must comply with and be audited against security and authentication standards established by the browsers.
An SSL Certificate issued by a CA to an organization and its domain/website verifies that a trusted third party has authenticated that organization’s identity. Since the browser trusts the CA, the browser now trusts that organization’s identity too. It’s sort of “cool by association.”
The browser lets the user know that the website is secure by displaying a closed padlock or, in the case of an EV SSL, that green address bar that makes people feel warm, fuzzy, and secure.
Do I need an SSL?
In some cases, you might not need an SSL. But if your site has any kind of eCommerce or even just a login functionality, you almost certainly do.
Modern browsers will even warn users they are about to use a login form that isn’t under HTTPS (valid SSL). That’s because if the connection isn’t encrypted, your username and password are sent in the clear and are vulnerable to a man-in-the-middle attack. That’s bad.
There’s also an SEO aspect to this, believe it or not. Search engines, like Google, also want their users to feel secure. Not a heck of a long time ago, Google announced websites served over HTTPS would get a little bump in search rankings. It’s a little silly to be used as a ranking signal, but it seems to be here to stay.
How do I get one?
Just pick a trusted Certificate Authority and buy one. Then, follow their verification and installation guides to get it all set up for you.
The process is simplified if you purchase the SSL from the same web hosting company as you’re already using to host your website. They’ll often install the certificate for you, which saves a lot of time messing around with certificate requests and other nonsense.
Once you know who you want to buy the SSL Certificate from, you’ll just need to decide if you need a standard SSL or an “EV SSL.”
What’s the difference? Nothing really.
An EV SSL is more expensive, and requires a lot of extra verification steps, but it gives the browser that nice green bar in the address bar. A standard SSL just puts a black, closed padlock, but it’s much less expensive.
Here’s more info about the difference, if you care.
“Mixed Content” Errors
Once the SSL is installed and working, you can access your site over HTTPS. If your browser is giving you “mixed content” errors, that’s usually due to loading some resource (JavaScript, stylesheet, images, etc.) over plain HTTP (no “S”). Do a “view source” and find any reference that’s just “http” and not “https.” Once everything is being loaded over HTTPS, the mixed content errors should go away.
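If you’d rather not eyeball the whole source by hand, here is an added example (not code from the original post) that does the “view source” hunt for you: it parses the page markup and lists every sub-resource fetched over plain http://, separating the ones browsers block outright (scripts, stylesheets, frames) from the ones they only warn about (images, media). The sample page at the bottom is constructed for the demo and the example.com URLs are placeholders.

```python
from html.parser import HTMLParser
import re

# Tag/attribute pairs that load sub-resources. Following the browser rule of
# thumb: "active" content is blocked outright, "passive" content is warned about.
# <link href> is assumed to be a stylesheet; rel= is not inspected here.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.IGNORECASE)

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (severity, tag, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:  # boolean attributes arrive as None
                continue
            if name == "style":  # inline style: url(http://...) backgrounds
                for url in CSS_URL.findall(value):
                    self.findings.append(("passive", tag, url))
            elif value.lower().startswith("http://"):
                if (tag, name) in ACTIVE:
                    self.findings.append(("active", tag, value))
                elif (tag, name) in PASSIVE:
                    self.findings.append(("passive", tag, value))
            # "https://", scheme-relative "//..." and relative paths inherit
            # the page's scheme, so they are not mixed content and are skipped.

def scan_mixed_content(html):
    """Return a list of (severity, tag, url) for every plain-http sub-resource."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page source, not taken from any real site.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://example.com/site.css">
<script src="https://example.com/app.js"></script>
<script src="http://example.com/old.js"></script>
</head><body style="background: url('http://example.com/bg.png')">
<img src="//example.com/logo.png"><img src="http://example.com/hero.jpg">
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan_mixed_content(SAMPLE):
        print(f"{severity:7} <{tag}> {url}")
```

Run it against the saved source of your own page; an empty result means every reference is already HTTPS (or relative), which is the state the mixed content errors disappear in.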
If you’re using WordPress, these errors can be a little tricky. If you need a hand, we’re always here. Just raise your hand and ask for help.