An SSL certificate is an important layer of security and provides trust. Your site needs one. It’s what puts that little lock in the browser instead of the exclamation point or the “i” icon.
But why do you need it?
Well, the obvious use case is that if you collect any information at all, you need to provide a layer of trust between you and your users. It’s a way to promise that no one else can listen in on private data. In the days before nearly ubiquitous SSL usage, it wasn’t uncommon to run very low-level sniffing attacks on open Wi-Fi hotspots and harvest all sorts of information. Those attacks still work if you’re not using a certificate to encrypt traffic. When the traffic is encrypted, what the attacker gathers is a garbled mess instead of anything human readable.
Just know that what you do by encrypting traffic is keep user data safe on your website.
“Okay, but I don’t collect any information,” you say. Your site is purely informational, purely for people to browse and read and then take that information elsewhere and do with it what they will. Do you still need a certificate?
Yes, you always need an SSL certificate.
Let’s say your website contains medical information, or information about different faiths. You may have resources for people who are LGBTQ+ or resources for people questioning their faith. If someone accesses your site from a faith-based college that would frown upon those things, and you’re not encrypting the traffic between that person and you, this could be a red flag for the college. And that would be bad for this person.
If, instead, you encrypt traffic between you and the user, anyone listening in only knows they visited your site. You have all sorts of resources; they don’t know which ones this person is looking at. All they can tell is that the person came in the door of the library, so to speak, not which books they’re reading.
Oh, and all safety and privacy concerns aside, Google likes it. It’s a factor in page ranking, now. So, there’s that incentive. Never mind that preventing eavesdropping is just a nice thing to do.
“Okay, so I went to my host to get one, and these are really expensive. And there’s a bunch of very confusing information on the page about how they’re not all the same, and they want me to buy the most expensive one,” you say, very poignantly.
We call that Sales 101. They’re not incorrect; it’s just not special either.
Sure, not every SSL certificate is the same. Some are more thorough about checking your identity; some tout bigger, stronger encryption.
But here’s the secret: any certificate from a trusted certificate authority with a 2048-bit key (hint: all of them) is perfect.
One certificate authority has a special room with a wall of lava lamps. They take pictures of the wall every few seconds and feed the data that makes up each random picture into the generation of a private key for an SSL certificate. The picture is always truly random, and so is the key.
Another just generates one with a quick and easy key generator.
Is one better than the other? Strictly speaking, yes. In practice, however, both keys will take until the heat death of the universe to crack. There is no practical difference between these two generation methods, and the resulting certificates are as secure as one another.
One certificate authority has you send them your driver’s license and proof of address, and all sorts of things to verify you are who you say you are.
Another just lets you fill out a form with a packet of legalese that informs you that you can be sued into oblivion for lying on it.
Is one more trustworthy than the other?
Well, considering I can sign up and register an entire website in someone else’s name without so much as anyone blinking, and then create a Google My Business listing that exists inside the White House (it turns out you can verify your business with just a cell number), you tell me how useful the triple-signed SSL certificate that no one ever actually checks is.
Also, Google doesn’t care, as long as the certificate is from a trusted certificate authority and uses a 2048-bit key.
“So, I just get the cheapest one, then?” you ask.
Yes. You get the free one.
“That’s not an option,” you say.
Oh, but it is! Your host wants to sell you stuff. They’re a business. But you have full authority to put an SSL certificate from Let’s Encrypt on your site yourself. In fact, here’s a handy blog post about how to do it on hosts that don’t provide the option. That guide is for GoDaddy specifically, but there are guides for every host out there.
Let’s Encrypt is an open source effort to provide SSL certificates at no cost to anyone who wants or needs one, because encryption should be free and easy, in their opinion (and mine).
There is but one thing to remember. Let’s Encrypt certificates are short-lived, so you will need to either renew the certificate manually as it runs out or set up an automated renewal process. Hosts that support Let’s Encrypt have fortunately taken care of the automation.
If you feel you can afford to pay your host a small fee to automate the certificate process for you, certainly do so. Or just have your website managers do it. It’s a thing I do a lot.
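If you end up automating the renewal yourself, the one thing worth checking from cron is how close the certificate is to expiring. The script below is an added example, not code from the original post or from Let’s Encrypt; it assumes the `openssl` command-line tool is installed, and it builds its own throwaway self-signed certificates as constructed samples so it can be tried without touching a live site.

```shell
#!/bin/sh
# Added example (not from the original post). Flags a certificate that
# expires within a renewal window; assumes the openssl CLI is installed.

# 30 days, the window in which Let's Encrypt recommends renewing.
WARN_SECONDS=$((30 * 24 * 60 * 60))

# cert_expires_within FILE SECONDS
# Returns 0 if the certificate in FILE expires within SECONDS from now
# (time to renew), 1 if it is still fine. `openssl x509 -checkend N`
# exits 0 only when the certificate is still valid N seconds from now.
cert_expires_within() {
  if openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1; then
    return 1   # still valid past the window
  else
    return 0   # expiring (or already expired)
  fi
}

# report FILE: human-readable status, same exit code as cert_expires_within.
# On a real host the "renew" branch is where you would run `certbot renew`;
# a typical crontab entry for that is: 0 3 * * * /usr/bin/certbot renew --quiet
report() {
  if cert_expires_within "$1" "$WARN_SECONDS"; then
    echo "RENEW: $1 expires within 30 days"
    return 0
  fi
  echo "ok: $1 is valid for more than 30 days"
  return 1
}

# make_test_cert FILE DAYS: constructed sample, a self-signed certificate
# valid for DAYS days, with the key written next to it. Test data only.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1" -days "$2" -subj "/CN=example.test" >/dev/null 2>&1
}
```

Point `report` at the live certificate file (for certbot that is usually under /etc/letsencrypt/live/) from a daily cron job and alert on exit status 0.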
SSL is very literally free, and actually very easy to set up. You have an incentive from Google, and an incentive to keep information private and safe for your users. So make sure that when someone browses your site, or a site you manage, the little lock in the corner is active and working.