Do I need an SSL Certificate for my website?

What is an SSL certificate?

Secure Sockets Layer (SSL) encrypts and secures the connection between the server where your website is being hosted, and the site visitor’s web browser.

SSL - Secure Sockets Layer Certificate

What are the benefits of SSL certificates?

Encryption

Data is exchanged using encryption rather than plain text which scrambles and secures it from any potential ‘eavesdroppers’.

Protection

Prevents man-in-the-middle attacks.

Trust

Establishes trust with customers and boosts conversion rates.

Google’s policy on SSL Certificates and the impact on your business

As of August 2018 in the United Kingdom, 59.69% of web traffic is viewed through the Chrome Browser (source) and Google Search Engine holds a staggering 82.85% market share (source).

For a couple of years now, Google have been on a mission to make the web a more secure place. They started off by tweaking their Search Engine algorithms to reward websites that have an SSL certificate installed, by giving them a slight boost in ranking. This didn’t mean that HTTP websites would automatically be surpassed in search rankings by HTTPS websites, but it definitely helped the SSL-secured sites earn ‘bonus points’ in the eyes of Google.

August 2014

Google Announces that SSL Certificates will improve Search Rankings

September 2016

Long-term plan to mark all HTTP (non-SSL) websites as non-secure in the Chrome Browser unveiled

April 2017

Chrome now marks HTTP pages as “not secure” if they have password or credit card fields

February 2018

Future releases of the Google Chrome browser will mark all non-SSL websites as ‘not secure’ starting from July 2018, Google Says

July 2018

Changes come into effect with the latest release of Google Chrome, websites that do not have an SSL certificate are now being marked as non-secure

August 2014

Google Announces that SSL Certificates will improve Search Rankings

September 2016

Long-term plan to mark all HTTP (non-SSL) websites as non-secure in the Chrome Browser unveiled

April 2017

Chrome now marks HTTP pages as “not secure” if they have password or credit card fields

February 2018

Future releases of the Google Chrome browser will mark all non-SSL websites as ‘not secure’ starting from July 2018, Google Says

July 2018

Changes come into effect with the latest release of Google Chrome, websites that do not have an SSL certificate are now being marked as non-secure

How will the changes in Google policy impact my website?

As of the latest Google Chrome update (version 68), HTTP websites (those that haven’t got an SSL certificate), will always display as non-secure.

New visitors could be put off by the lack of security on your website. The chances are that if they see a “Not Secure” warning in their browser, they won’t stick around. Having an SSL will give visitors instant reassurance that you care as you’ve made sure, that any data they might have shared with you is safe and sound.

Does your website have an SSL certificate but the green padlock doesn’t appear?

You have bought a certificate but your padlock is missing and the “Secure” box in the website address bar is still sad and grey. There’s a couple of reasons as to why that might be.

1. Your website is not forcing the use of SSL
It is possible that your site’s default URL is set to HTTP, therefore it is not redirecting traffic through to the secure, HTTPS version of the website. The best solution is to simply set the default url as HTTPS and introduce a redirect from HTTP to HTTPS for all traffic. Content management systems like WordPress will automatically set the redirect once you change your default site URL.

2. Mixed content
Your website might be forcing HTTPS but the content (eg. images, scripts) is not being loaded through HTTPS. An example of that would be a hard linked (absolute path) image (Example of an absolute link: yourwebsite.co.uk/images/1.jpg as opposed to a relative path: /images/1.jpg). If your website is using hard links, it’s as easy as changing all of the paths to begin with https:// as opposed to http://. Relative paths will change automatically once you force HTTPS (mentioned in point 2 above). If your website is using WordPress, the easiest fix is to install a plugin that forces all of your content to be loaded from HTTPS – we recommend “Really Simple SSL” and “SSL Insecure Content Fixer”. 

Why no Padlock? is a handy little tool we use for identifying problems with SSL Certificates. Check it out.

The Moose Verdict

Yes, yes and once again yes. We highly recommend that you get an SSL certificate for your website no matter its purpose, after all you can get a solid certificate for free using authorities like Comodo (cPanel) and Let’s Encrypt (all of our websites come free with the latter unless specified otherwise).

We strongly believe that in 2018 every serious website should invest the time and effort into getting an SSL, not only in order to add a layer of protection against potential attackers, but also help establish that initial trust with the person on the other side of the screen.

As outlined above, the intentions of Google are clear and we believe that the onslaught against non-SSL websites will continue. I personally speculate that sooner or later, Chrome will end up displaying a warning dialog every time you try to access a website without a certificate. Time will tell, but for the time being it is definitely in best interest of website owners to start looking into implementing an SSL certificate.