Websites store sensitive information for many different reasons, the most common being when a visitor registers for a new account, updates account information or makes a payment. This information is captured on the front-end of a website, usually through a form or other graphical interface, and then handed off to the back-end for processing and storage. This space where the hand-off of sensitive information from the browser to the web server takes place is what a Secure Sockets Layer (SSL) is designed to protect. Without it, hackers can very easily intercept all of the data passing through.
SSLs come in all different shapes and sizes, but when properly installed they will always show up in a web browser with a lock icon and the HTTPS prefix in front of the domain name.
As a healthy dose of internet personal safety, be sure to always check that an SSL is properly installed (by looking for that lock) before signing up for or logging into any service.
What is an SSL Certificate?
An SSL comes in 2 main parts: a Public Key and a Private Key. When logging in or signing up, the Public Key used on the frontend browser will encrypt your data and send it over to the web server backend. In order to decipher the encrypted data you send over the browser, the web server holds a Private Key that can decrypt it. Even though hackers can download the data by intercepting the network traffic, the data collected will be useless to them since they do not hold the Private Key, which is necessary to decrypt your sensitive data.
…and with a little more detail
Issuing a Certificate Signing Request (CSR) is the first step in the process of creating a new SSL. It is carried out on the web server and generates a data file. The CSR data file holds the public key and is sent to a Certificate Authority, which issues the full SSL certificate. With the issued SSL certificate, the next step is to install it. Once installed, your web server will hold the private key and be able to validate the SSL certificate and form a secured and integrated link between the frontend browser public key and backend web server private key.
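The CSR flow described above, as an added example (not BigScoots' or any Certificate Authority's own tooling): it generates the key pair, builds the CSR, and runs the check a server administrator would make before installing the issued certificate. The domain `example.com`, the file names and the self-signed stand-in for the Certificate Authority are assumptions made so the script runs offline with the `openssl` command-line tool.

```shell
#!/usr/bin/env bash
# Added example. DOMAIN and all file names are placeholders constructed for the demo.
set -eu
DOMAIN="example.com"
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/$DOMAIN.key"; CSR="$WORK/$DOMAIN.csr"; CRT="$WORK/$DOMAIN.crt"

# 1. The key pair is generated on the web server; the private key stays there.
make_key() {
  openssl genrsa -out "$KEY" 2048 2>/dev/null
  chmod 600 "$KEY"
}

# 2. The CSR holds the subject name and the public key, signed with the private key.
make_csr() {
  openssl req -new -key "$KEY" -subj "/CN=$DOMAIN" -out "$CSR"
}

# The CSR must verify against its own public key and carry no private key material.
csr_is_sane() {
  openssl req -in "$CSR" -noout -verify 2>&1 | grep -q "verify OK" &&
    ! grep -q "PRIVATE KEY" "$CSR"
}

# 3. Stand-in for the Certificate Authority (assumption): self-sign for 90 days.
issue_cert_stand_in() {
  openssl x509 -req -in "$CSR" -signkey "$KEY" -days 90 -out "$CRT" 2>/dev/null
}

# SHA-256 over the PEM public key extracted from the key, the CSR or the certificate.
pub_fp() {
  case "$1" in
    key) openssl pkey -in "$KEY" -pubout ;;
    csr) openssl req  -in "$CSR" -noout -pubkey ;;
    crt) openssl x509 -in "$CRT" -noout -pubkey ;;
  esac | openssl sha256
}

# 4. Pre-install check: certificate, CSR and private key must share one public key.
cert_matches_key() {
  [ "$(pub_fp key)" = "$(pub_fp csr)" ] && [ "$(pub_fp key)" = "$(pub_fp crt)" ]
}

make_key; make_csr; issue_cert_stand_in
csr_is_sane      && echo "CSR ok: signature verifies, no private key inside"
cert_matches_key && echo "certificate matches private key: safe to install"
```

With a real Certificate Authority, step 3 is replaced by submitting the `.csr` file and receiving the certificate back; only the CSR is sent, never the `.key` file.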
What is an SSL Certificate Authority?
Certificate Authorities issue trusted certificates. According to a November 2017 survey by W3Techs, the biggest Certificate Authorities that issue SSLs are Comodo, IdenTrust and Symantec. As the market leader in issuing SSLs, Comodo controls close to 40% of the market share.
Why should I bother if I run a small blog?
Although small blogs don’t usually store a large amount of sensitive information, they always store at least some, even if it’s just the owner’s. Some, in our view and in Google’s view, is enough to warrant a push towards proper security for any and all sensitive data on the web.
Google has taken action and announced that by October 2018, any website without an SSL will be viewed as unsafe. Having an SSL will therefore become a hugely important search engine ranking factor.
Leading the charge, and backed by large tech companies such as Google, Facebook, Mozilla and Cisco, is Let’s Encrypt, a Certificate Authority that issues free SSLs. Although their certificates have a shorter life span of only 90 days, the automated renewal process has been fine-tuned to the point of being able to deliver incredibly secure and reliable SSLs through Let’s Encrypt.
Exceptions exist for EV SSLs or Wildcard SSLs, which still carry a cost due to third-party verification needing to be carried out before issuing. But for just about all websites out there, Let’s Encrypt is exceptionally well suited to be the SSL of choice.
At BigScoots we’ve become a Let’s Encrypt partner and believe in everything they are working towards. We support a more secure internet for everyone, and best of all, it’s free!
Contact us any time for help getting your domain set up on an SSL (HTTPS) today! It is always free, and we’re always ready and waiting!
Written by Scott
CEO & Co-founder