Secure Sockets Layer (SSL) and Transport Layer Security (TLS) refer to security technologies that encrypt data sent between a web server and a web browser.
Even though TLS is more likely the protocol in use, the industry still refers to the process as SSL, especially when dealing with the certificates necessary to secure a website.
In the last few years, SSL certification has become more of a necessity than an option, as browsers alert users that the website they plan on visiting is insecure. From a user perspective, those who shopped online were generally savvy enough to look for ‘https’ (where the last “s” means “secure”) and to check that a padlock symbol was present (which also implies a secure encrypted connection). It is the SSL certificate that enables these visual indicators, and every certificate must be installed at the server end of the connection (HTTPS runs over port 443).
Okay, we all realize that encryption is generally a good thing and especially important for sites that receive credit card payments. In fact, SSL is a requirement for PCI-DSS compliance. But what if you don’t sell anything on your website?
As most website owners do not want third parties intercepting any information, it’s certainly best to encrypt all connections, since even data submitted on contact forms could conceivably be intercepted using man-in-the-middle attacks. Emails handled by the site could also be intercepted in the same manner. Mailing lists and other subscriber updates… the list goes on.
Therefore, we can drink the Kool-Aid and state that SSL certificates are a positive addition to any website. However, like anything else, there are pros and cons, and you must decide how much Kool-Aid you will absorb: a sip or the whole glass.
As I’ve stated before, I don’t like to be pushed into anything, especially when the change is not driven by lack of hardware or software performance. Years earlier, when faced with continuous browser alerts about my ‘insecure’ sites, with search engine rankings also impacted, I saw the light. My hosting provider installed purchased SSL certs rather than my existing self-signed and open source alternatives. At the time, no free option was available…
As I see it, the SSL advantages include:
As the owner of a couple of low-traffic sites (I use them as a digital portfolio), hosting is my biggest expense but SSL certs were an added cost, equating to a large percentage of yearly costs. This is of course the biggest disadvantage, at least until Let’s Encrypt came on the scene with a free solution. With major sponsors and donors including Mozilla, Cisco and the Electronic Frontier Foundation (EFF), it’s not a shady solution but a free Certificate Authority (CA).
For high-traffic sites, performance may be an issue as encryption will obviously require more resources.
Choosing an SSL certificate should be an easy task, right? Do you have a ‘you get what you pay for’ attitude that would prevent you from using a free domain-validated certificate (no user information is displayed)? I have no such problem and my hosting provider offers Let’s Encrypt certificates as a free option. However, if you administer your own web server, some technical knowledge is necessary to install certs.
In the last ten years or so, SSL certification has become a nice revenue generator for a variety of companies. Let’s call them certificate authorities (CAs). Their role is to verify issued certificates, and most browsers incorporate root certificates of the major providers. Each CA has a wide network of resellers that offer SSL certs as premium options. Costs can vary widely, typically depending on three levels:
The number of domains and sub-domains also comes into play, with wildcard certs necessary for sub-domains.
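What the domain-validated and wildcard distinctions above look like inside a certificate, as an added Python example (not from the original article). It works on the dict format returned by Python's `ssl.SSLSocket.getpeercert()`; both sample certificates and all names in them are constructed placeholders, and treating an organization name in the subject as "more than domain validation" is a heuristic assumed here.

```python
# Added illustration: inspect certificates in the dict form returned by
# ssl.SSLSocket.getpeercert(). Sample certificates below are constructed.

def subject_fields(cert):
    """Flatten the nested subject RDN tuples into a plain dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def has_organization_identity(cert):
    """True when the subject names an organization (heuristic: not a DV cert)."""
    return "organizationName" in subject_fields(cert)

def name_matches(pattern, hostname):
    """Match one SAN entry; '*' is honoured only as the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # Require two fixed labels after '*' so '*.com' is never accepted.
        return (len(p_labels) >= 3 and bool(h_labels[0])
                and p_labels[1:] == h_labels[1:])
    return p_labels == h_labels

def covers(cert, hostname):
    """True when any DNS subjectAltName entry covers the hostname."""
    return any(kind == "DNS" and name_matches(value, hostname)
               for kind, value in cert.get("subjectAltName", ()))

# Constructed sample: domain-validated wildcard certificate.
DV_WILDCARD_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
# Constructed sample: certificate whose subject carries organization details.
ORG_VALIDATED_CERT = {
    "subject": ((("countryName", "IE"),),
                (("organizationName", "Example Widgets Ltd"),),
                (("commonName", "www.example.org"),)),
    "subjectAltName": (("DNS", "www.example.org"),),
}

def report(cert, hostnames):
    """Map each hostname to whether the certificate covers it."""
    return {host: covers(cert, host) for host in hostnames}

if __name__ == "__main__":
    hosts = ["example.com", "shop.example.com", "api.shop.example.com"]
    print("wildcard coverage:", report(DV_WILDCARD_CERT, hosts))
    print("DV has org identity:", has_organization_identity(DV_WILDCARD_CERT))
    print("OV has org identity:", has_organization_identity(ORG_VALIDATED_CERT))
```

A wildcard entry covers exactly one label, so `*.example.com` does not cover `api.shop.example.com`, and it covers the bare `example.com` only because that name is listed separately.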
As indicated in W3Techs’ survey “Usage of SSL certificate authorities for websites”, IdenTrust (which cross-signs Let’s Encrypt’s domain-level certs) is the market leader.
The question remains, do you need more than domain validation? Does it increase trust? Are users too dumb to check the domain owner if they have trust issues? Similarly, organizations can be checked online. In my opinion, if companies are relying on enhanced browser indicators to establish trust, there is a greater issue that needs resolving by marketing.
In conclusion, SSL certificates are necessary, but free options are available that are universally accepted. If you really need more, ask yourself the reason why. Enhanced encryption is one acceptable answer, as is a need for multiple sub-domains, but the addition of a pretty green bar (EV certs) hardly justifies the hundreds of dollars needed to obtain it. Could this money be better spent elsewhere? You decide and compare costs between certificate authorities and their resellers.
An Irishman based in Hong Kong, Michael O’Dwyer is a business & technology journalist, independent consultant and writer who specializes in writing for enterprise, small business and IT audiences. With 20+ years of experience in everything from IT and electronic component-level failure analysis to process improvement and supply chains (and an in-depth knowledge of Klingon), Michael is a sought-after writer whose quality sources, deep research and quirky sense of humor ensure he’s welcome in high-profile publications such as The Street and Fortune 100 IT portals.