SSL: Moving towards a Secure by Default Web


For the past two years, we've made sure that our websites and client websites are very secure. As I read Troy Hunt's "Life Is About to Get a Whole Lot Harder for Websites Without HTTPS", I realized that we have been on the right track and many others are following along.

One of the main things we did was to add an SSL Certificate to each site. Thankfully our Hosting Partner Wpengine makes it easy for us to install and configure an SSL Certificate the right way.

Why does a Web site need an SSL Certificate?

One of the main questions we get from our clients is why do they have to secure their website especially if it's a marketing site.

The reality is that an SSL certificate can help you build trust with your site visitors and optimize your website.

One of the most important components of online business is creating a trusted environment where potential customers feel confident in making purchases. SSL certificates create a foundation of trust trust by establishing a secure connection and browsers give visual cues, such as a lock icon or a green bar, to help visitors know when their connection is secure. ~ Digicert

What is SSL?

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers. ~

So, in summary, it creates a secure connection between the web server where the website is located and the browser that is showing you the information on your computer.

Most of you see symbols on your browser letting you know a website is secure. The default in most web browsers is to show an icon and let us know a site is not secure. So it only warns us when it's safe and not when the browser is not secure.

But things are changing slowly especially for those who are using the incognito setting in their browser so they can browse the internet more privately.

How Does the SSL Certificate Create a Secure Connection?

When a visitor pulls up a website that is secured by SSL, the browser and the web server create an SSL connection known as the "SSL Handshake." It's important to note that this process happens behind the scenes and the user does not see it happen although it occurs in an instant.

To setup an SSL Connection, three keys are used.

  • Public Key
  • Private Key
  • Session Key

Anything encrypted with the public key can only be decrypted by the private key and vice versa.

This does take up a lot of resources and does impact the processing power of browser and web server for that same reason the SSL Handshake creates a symmetric session key. After the secure connection is initiated, the session key encrypts all transmitted data.

Here are the explanation and diagram from DigiCert which should help us visualize what the process:

SSL Certificate Diagram by Digicert

Image from DigiCert

  • The browser connects to a web server (website) secured with SSL (https). Browser requests that the server identifies itself.
  • The server sends a copy of its SSL Certificate, including the server’s public key.
  • Browser checks the certificate root against a list of trusted CAs and that the certificate is unexpired, unrevoked, and that its common name is valid on the website that it is connecting to. If the browser trusts the certificate, it creates, encrypts, and sends back a symmetric session key using the server’s public key.
  • The server decrypts the symmetric session key using its private key and sends back an acknowledgment encrypted with the session key to start the encrypted session.
  • Server and Browser now encrypt all transmitted data with the session key.

Moving towards a "secure by default" web

As I explained earlier, most browsers alert you only when a website is secure.

Also as seen in Scott Helme's article on Alexa Top 1 Million Analysis Scan shows that back in February of this year, 20% of the Alexa Top 1 Million sites were forcing the security scheme.

This presents a great opportunity for those who want to make sure they move towards securing their place. Not only are their technical benefits always of ensuring your website but this will put your site in a lower percentile of sites that are secure.

It's also clear by looking at the stats that there is a sharp jump from August 2016 which made up only 13.76%. In February a 19.96% of websites scanned were using https. That represents a 45% increase in just a few months.

What can you do to setup an SSL Certificate?

Most hosting providers have partners that allow you to set up an SSL Certificate in a few steps.

Since we are Wpengine customers, we prefer using them, and in just a few steps your SSL Certificate is setup.

We set this up as a default for our clients and depending on our clients' needs; we apply different types of SSL certificate to secure the website correctly.

Since we started doing this, we have seen increases in organic search and even conversions on the e-commerce sites we manage.

Do your sites have an SSL certificate? If not what is stopping you from making this accessible and valuable change?