Beginner's guide to understanding SSL certificates

The value of SSL certificates

Although they do offer a good layer of security, for many e-commerce sites the primary value of SSL certificates is in the trust earned from customers.

The majority of website users are now savvy enough to identify when a website is secure, looking for the padlock symbol, HTTPS URL and green address bar. They will likely refuse to enter any kind of login or their card details if there are any signs the site is not secure.

By showing that you have a valid SSL certificate, you instantly instil a level of trustworthiness and legitimacy with your customers.

It's becoming important for search results too. An announcement by Google's Search division last August stated that it would now consider secure pages as a factor in its ranking algorithm, placing sites with SSL certificates higher in SERPs (search engine results pages).

So a more secure site is rewarded with (slightly) higher Google visibility and more customer trust, both of which equate to more sales.

New changes and updates

SSL stands for "Secure Sockets Layer" and in actual fact is an old, outdated security standard. It's largely been replaced by TLS (Transport Layer Security) since 1999, though the term is still applied generically to site security certificates.

Yet some older SSL protocols do still exist, and it's these which have been the target of attacks in recent years, like POODLE and FREAK. The best solution employed by most web browsers to stop these attacks has been to disable the outdated technology and insist on newer protocols.

For example, Google announced it would be speeding up the process of 'sunsetting' older algorithms like SHA-1, in favour of SHA-2. Their new policies on security certificates moving forward include displaying negative signs such as "secure with errors" and "affirmatively insecure" on those sites which have old SHA-1 certificates.

These are aimed at encouraging websites to improve their security as soon as possible.

Checking your security

One of the best ways to check that your site is secure and that your certificate is installed and configured as it should be is to use testing sites like Qualys SSL Labs.
Just put in your domain name, and the site will perform an in-depth check of all your security settings to make sure everything is in order.

You should be aiming for at least a B on this test. An A is fairly achievable too, as long as you're willing to block very old versions of web browsers from accessing your site by breaking compatibility with them.

It's also worth checking that your e-commerce site is up to speed before installing your SSL certificate. Your developer should be aware of these issues, but just in case:

  • HTTPS is slower than HTTP. Make sure your site can handle it.
  • Third-party scripts and web applications will also need to be checked for their security and compatibility with SSL.
  • Don't forget that as HTTPS is classed as a new site, you'll need to claim the URL in Google Webmaster Tools, put 301 redirects in place, and update any rel=canonical links.
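The script and rel=canonical checks in the list above can be automated before the switch. The following is an added example, not code from the article or from iWeb Solutions: it scans one page's HTML for subresources still loaded over plain HTTP and for canonical links that do not point at HTTPS. The names audit_page and HttpsMigrationAudit are hypothetical, and shop.example and cdn.example are placeholder hosts in a constructed sample page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attribute that pulls in a subresource, per tag.
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class HttpsMigrationAudit(HTMLParser):
    """Collects insecure subresources and canonical links from one HTML page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.mixed_content = []   # (tag, absolute URL) loaded over plain HTTP
        self.bad_canonicals = []  # canonical URLs that are not HTTPS

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "canonical" in rel:
            url = urljoin(self.page_url, attrs.get("href") or "")
            if urlparse(url).scheme != "https":
                self.bad_canonicals.append(url)
            return
        # <link> only loads a subresource for stylesheets; skip other rel values.
        if tag == "link" and "stylesheet" not in rel:
            return
        attr = SUBRESOURCE_ATTRS.get(tag)
        value = attrs.get(attr) if attr else None
        if value:
            url = urljoin(self.page_url, value)  # resolves relative and //host URLs
            if urlparse(url).scheme == "http":
                self.mixed_content.append((tag, url))


def audit_page(page_url, html):
    parser = HttpsMigrationAudit(page_url)
    parser.feed(html)
    return {"mixed_content": parser.mixed_content, "bad_canonicals": parser.bad_canonicals}


# Constructed sample page (shop.example and cdn.example are placeholders).
SAMPLE_HTML = """
<html><head>
<link rel="canonical" href="http://shop.example/basket">
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example/tracker.js"></script>
<script src="//cdn.example/widgets.js"></script>
</head><body><img src="http://shop.example/logo.png"></body></html>
"""

if __name__ == "__main__":
    print(audit_page("https://shop.example/basket", SAMPLE_HTML))
```

Relative and protocol-relative (//host) URLs inherit the page's scheme, so they pass once the page itself is served over HTTPS; only hard-coded http:// references are reported.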

If you are seriously concerned about your site security, get in touch with your web developer as there are other things which can be done too.

Whilst SSL certificates aren't the be-all and end-all of site security, they are a vital step in the right direction to securing your e-commerce business for your customers.

Words: Nick Pinson

Nick Pinson is the Director at iWeb Solutions, an e-commerce website design agency based in Staffordshire.
