Our Lisa Godare (one of only three women in the United States with the esteemed title of Drupal Grand Master!) has a 19-year-old son enrolled in a multimedia degree program in college. One of the required courses is in web design; this course used to have a development prerequisite, but hasn’t been rewritten since the prerequisite was removed. As he’s not a development major, he had a lot of questions and, lucky for him, his mom is a Grand Master! Through a series of text messages (college student, remember!), Lisa educated her son about website security and SSL and then turned the text thread into the blog below!
SSL stands for “Secure Sockets Layer”, but what does that mean, and why do we care?
In a nutshell, this is a layer of security for your website. Technically speaking, SSL is an old term, and we actually use a newer technology called Transport Layer Security (TLS), but the abbreviation SSL has stuck around and we tend to use it when we mean TLS.
By default, websites are not secure, and anybody can read the data being sent between your browser and the website’s server. Many web hosts do provide an SSL/TLS certificate out of the box, but many still do not, or they charge extra for it.
Without it, when you log in to your content management system (CMS) backend to create or publish content, or one of your site visitors completes a purchase transaction, that data is being sent in the clear. It’s like sending a postcard in the mail with this sensitive information written on it for all to see.
SSL/TLS allows your browser and the website to encrypt the data. Remember creating and using ciphers in grade school so your teacher couldn’t read the notes you and your friend were passing? Just like that, except the encryption on the Internet is significantly more sophisticated. This would be more like sending your login information or credit card details in a sealed envelope.
Obviously, login details and payment details should be secured, but any web form that collects personally identifiable information (such as name, email address, phone number, mailing address, etc.) should also be protected. In the United States, federal and state laws have been enacted requiring protection of that information, so you must use SSL/TLS if you collect that sort of data.
Since July 2018, the Google Chrome browser has been identifying sites that do not have an SSL/TLS certificate with a big “Not Secure” warning in the URL bar. Site visitors will be able to easily see if the site is secure. With a certificate and correctly configured site, visitors will see a green bar and a lock icon. This can boost your visitor’s trust and confidence in your site.
Finally, a secure website can be as much as 70% faster than an insecure website. There are a lot of variables that go into this including the specific server technology used, so most sites will probably not experience that much of a difference, but a site can potentially see an improvement that large.
OK, we get it. SSL/TLS is kind of a big deal. How do we know if we need it, and how do we get it?
It’s pretty simple to check. Visit your website, using the HTTPS protocol – e.g., https://www.example.com. The “s” here stands for “secure” and requires the SSL/TLS certificate.
If your site loads, you have an SSL/TLS certificate. If it doesn’t, you may need to acquire one or correctly configure one that you already have. If you aren’t sure, you can always ask your web host or your project manager at Fíonta! They will know.
You’re not done yet though. If your site does load, and even if it shows a green bar and a lock icon on Google Chrome, you still need to check the HTTP version of your site – e.g., http://www.example.com.
If this loads and does not redirect to the HTTPS version, your site is still vulnerable. It can still be accessed without SSL/TLS, which bypasses the protection entirely. You’ll need to make sure your server is configured to enforce HTTPS for your site. This is something that will need to be done by your web host or your web developer. Many hosts will do this automatically when installing your certificate, but again, many do not – so even if you already know you have a certificate, you should still check that HTTPS is enforced.
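The two checks above (does https:// load, and does http:// redirect to it) can be scripted. This is an added example, not code from the original post or from Fíonta; the host name is a placeholder and the only network access is the two HEAD requests the post describes.

```python
import http.client
import ssl
from urllib.parse import urlsplit

# Redirect status codes a browser follows to the Location header.
REDIRECT_CODES = {301, 302, 303, 307, 308}

def classify_http_response(status, location):
    """Interpret the response to a plain http:// request.

    'enforced'           - redirected to an https:// URL (what we want)
    'redirect-not-https' - redirected, but the target is not https://
                           (relative or http:// Location, still unprotected)
    'not-enforced'       - page served over plain HTTP, the vulnerable case
    """
    if status not in REDIRECT_CODES or not location:
        return "not-enforced"
    if urlsplit(location).scheme == "https":
        return "enforced"
    return "redirect-not-https"

def fetch_head(host, use_tls):
    """One HEAD request for '/'; returns (status, Location header or None)."""
    if use_tls:
        # Default context verifies the certificate chain and host name, so a
        # missing, expired or mis-issued certificate raises an SSLError here.
        conn = http.client.HTTPSConnection(
            host, timeout=10, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, timeout=10)
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def check_site(host):
    """Run both checks from the post for `host` (placeholder name in __main__)."""
    result = {"https_loads": False, "http_enforcement": None}
    try:
        fetch_head(host, use_tls=True)
        result["https_loads"] = True      # handshake and certificate check passed
    except OSError:                       # SSLError is a subclass of OSError
        pass                              # no certificate, bad name, or no port 443
    try:
        status, location = fetch_head(host, use_tls=False)
        result["http_enforcement"] = classify_http_response(status, location)
    except OSError:
        result["http_enforcement"] = "no-http-listener"  # nothing on port 80 at all
    return result

if __name__ == "__main__":
    import sys
    print(check_site(sys.argv[1] if len(sys.argv) > 1 else "www.example.com"))
```

A result of `{"https_loads": True, "http_enforcement": "enforced"}` is the only combination that passes both checks; `not-enforced` with a certificate present is the case the post warns about.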
A big thanks to Lisa’s son for asking such an important question and for Lisa providing her text transcripts in blog format!
Fíonta’s hosting partner, Pantheon, is the only hosting platform to include fully managed and free HTTPS certificates, automated backups, and one-click updates for all hosting plans. Learn more about Pantheon’s web hosting capabilities and how Fíonta can assist in hosting migration.