SSL stands for Secure Sockets Layer. In layman’s terms, it’s what keeps your website secure as your users use it. SSL is also known as HTTPS, or Hypertext Transfer Protocol Secure. In this post, we’ll go over what SSL does, how to start setting it up, and whether you need it.
Side Note: SSL vs TLS
Before we dive into things, we wanted to mention that when people talk about SSL they are typically talking about TLS nowadays. TLS stands for Transport Layer Security. Both SSL and TLS are cryptographic protocols and they are technically different. SSL has historically been insecure and has recently been replaced by TLS as a web standard. However, the term “SSL” has developed into a brand that encapsulates all types of online encryption. So, we’ll continue to say SSL, but what we really mean is TLS, which is very secure.
What Is SSL in Non-Geek-Speak?
Simply put, SSL encrypts the data that is sent from a client, such as a web browser, to a server. As an example, suppose you own an online store that sells shoes. When a customer enters their shipping, billing, and credit card information, that information goes from the browser to your site’s server, which handles what is done with it. If that handoff from the browser to the server is insecure, then anyone who may be snooping around can take that information. If it’s not encrypted, then they have that customer’s complete information.
SSL does not only pertain to web browsers, though. It can be used on any ‘client’, which is a broad term for anything that a user interacts with. Another common client could be a mail client such as Gmail or Outlook.
What Does SSL Actually Do?
In very simple terms, SSL/TLS works by encrypting the information with a key that is generated by the server before the SSL certificate is installed. This key is called a CSR Key and looks something like this:
-----BEGIN CERTIFICATE REQUEST----- MIIByjCCATMCAQAwgYkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh MRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMR8w HQYDVQQLExZJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRcwFQYDVQQDEw53d3cuZ29v Z2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApZtYJCHJ4VpVXHfV IlstQTlO4qC03hjX+ZkPyvdYd1Q4+qbAeTwXmCUKYHThVRd5aXSqlPzyIBwieMZr WFlRQddZ1IzXAlVRDWwAo60KecqeAXnnUK+5fXoTI/UgWshre8tJ+x/TMHaQKR/J cIWPhqaQhsJuzZbvAdGA80BLxdMCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GBAIhl 4PvFq+e7ipARgI5ZM+GZx6mpCz44DTo0JkwfRDf+BtrsaC0q68eTf2XhYOsq4fkH Q0uA0aVog3f5iJxCa3Hp5gxbJQ6zV6kJ0TEsuaaOhEko9sdpCoPOnRBm2i/XRD2D 6iNh8f8z0ShGsFqjDgFHyF3o+lUyj+UC6H1QW7bn -----END CERTIFICATE REQUEST-----
This long, jumbled key is what is used to create your certificate. After the SSL certificate is created, the certificate must be “signed” by a verified third party. This basically means that they use some method to check to make sure that you are who you say you are. Then they give you your certificate which you install on your server.
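The steps described above, run end to end with the openssl command-line tool, as an added example that is not part of the original post. A throwaway local CA stands in for the third-party signer; the hostname shop.example.test, the CA names and the file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: key pair -> CSR -> signed certificate, with a throwaway local CA.
# shop.example.test, "Demo CA", "Unrelated CA" and all file names are constructed.

make_csr() {            # $1 = working dir, $2 = hostname
    # Creates the private key and the CSR together; only the CSR is sent to the signer.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
}

csr_matches_key() {     # $1 = working dir
    # The CSR holds the public half of the key pair; the private half stays in server.key.
    csr_pub=$(openssl req -in "$1/server.csr" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/server.key" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ] && ! grep -q "PRIVATE KEY" "$1/server.csr"
}

make_ca() {             # $1 = working dir, $2 = file prefix, $3 = CA name
    # Self-signed CA certificate: the local stand-in for a third-party signer.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

sign_csr() {            # $1 = working dir; signs server.csr with ca.key
    openssl x509 -req -in "$1/server.csr" -days 30 -out "$1/server.crt" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial 2>/dev/null
}

cert_is_trusted() {     # $1 = working dir, $2 = CA certificate the client trusts
    openssl verify -CAfile "$2" "$1/server.crt" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_csr "$dir" shop.example.test && csr_matches_key "$dir" &&
        make_ca "$dir" ca "Demo CA" && make_ca "$dir" other "Unrelated CA" &&
        sign_csr "$dir" || { rm -rf "$dir"; return 1; }
    cert_is_trusted "$dir" "$dir/ca.crt" && echo "accepted: client trusts Demo CA"
    # The same certificate is rejected by a client that only trusts another signer.
    cert_is_trusted "$dir" "$dir/other.crt" || echo "rejected: signer not trusted"
    rm -rf "$dir"
}
demo
```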
Once installed, your information is secure as long as you transmit over HTTPS. If someone tries to snoop some text you wrote in a form… say your street address:
Awesome Street 1234
It will look something like this:
And without the key, they won’t be able to decrypt it with brute force… any time soon, at least. With our current computing power it would take around 7.45319744 * 10^51 which is a loooooooong time.
Do I Need SSL On My Site?
The answer to this question is simple. If you require your users to submit sensitive information such as credit cards, billing information, shipping information, or personally identifiable information, then you need to use HTTPS. On the other hand, if you don’t send that information then you don’t need one. You can have one if you’d like (there is a small SEO boost to using HTTPS). But you don’t need one. At the time of this writing 1903Studios.com doesn’t use HTTPS because we simply don’t need to at the moment.
If I Use HTTPS Is My Website 100% Secure?
No, but it goes a very long way. There are hundreds of ways your site can be breached. These span from gaining root access to your server all the way to simply guessing your password. But using HTTPS makes it that much harder. In fact, among sites that use SSL, one of the most successful methods of being hacked is by phishing. Attackers try to manipulate people by guessing their passwords using information about their target.
What Happens If I Don’t Use HTTPS?
If you do not use HTTPS, your site will be hacked. It’s only a matter of time. It doesn’t have to be a person. It can be a virus designed to snoop, or sniff, traffic on the network that one of your customers is using. Their identity will be stolen and they will likely sue you. Regardless of whether you’re responsible, you’ll have to fight it, and it could potentially cost an enormous amount of money, often hundreds of thousands of dollars. Comparatively, $50 a year for an SSL certificate is chump change.
How Do I Set Up SSL?
Setting up SSL/HTTPS can be tricky and pretty involved. Many hosting sites will do it for you and charge you a yearly fee. Depending on the reputation of the third party signer you are going with, you may spend anywhere from $5 to $1000. However, generally speaking, you shouldn’t pay more than $30 to $50 for an SSL certificate for a year.
In fact, if you are technically savvy, you can get them for free from Let’s Encrypt. You’ll need shell access, though, and if that word is foreign or scares you, then you should hire someone to do it for you. If you host with AWS, and are in a participating region, you can get an SSL certificate for free through the AWS Certificate Manager.
We typically suggest that you contact your host for options if you can’t install one yourself. They have a vested interest in keeping your servers secure so they will do it to the best of their ability. Hiring a third party for the lowest price is not recommended when it comes to security.
SSL is a must for securing your website and ensuring that your customers are taken care of. SSL is very secure and can be used for a variety of purposes, from email to websites and more. If you’re confused or scared of installing one yourself, you can have one installed relatively cheaply. Let us know in the comments below if you have any questions that we can help you with!