How ignoring SSL bit me in the butt
It was the summer of 2016, and I wanted to buy my mom knitting supplies for her birthday. I found a site that looked nice; it had everything I was looking for, plus fast shipping. I purchased the items and sat back, happy to have found something just perfect.
Fast-forward a few days. I get a message from my bank stating that they have closed down my account for suspicious activity. I freaked out, thinking there must be some kind of a mistake, that my card is still safely in my wallet and I had just used it earlier. I check my account to realize that indeed, I have a few hopeless dollars left on my account. The extra money that I had been saving up had been used in a Home Depot in Texas…
At that point I was just curious as to what you would so desperately need from Home Depot for hundreds of dollars – toilets, rugs, boxes? I NEED ANSWERS!
Not that it would have helped, since my account had been completely emptied out. So I started my own bit of research to try to figure out who had robbed me in broad daylight for knickknacks. I traced my steps all the way back to the knitting supply shop since the timeline of events made complete sense…
And that’s when I learned about the (in)famous SSL. You guessed it – the knit shop didn’t have a certificate.
How I embraced security
Years later, I am working at an IT company, trying to make the Internet a better place by helping businesses (shout out to the small businesses!) make their sites safe and secure, so no one has to go through the annoying hassle again.
I researched what makes a website secure and what lowers the chances of anything bad happening to your clients’ data, and this is what I found.
SSL is definitely the number one piece of security you can install on your site to make it seem, and (wait for it…) actually BE secure. All the acronyms used in IT, I think, are meant to confuse people and make it sound harder than it actually is. So just hear me out for a minute and let me try to explain how SSL works.
Let’s get the dry and boring stuff out of the way first – SSL stands for Secure Sockets Layer. I just always imagine a secure sock that’s happy about being so well protected…
It is a protocol (read: a set of rules) used to establish a protected and encrypted connection between your computer and the server you’re sending information to.
Without SSL, anyone in between who has the right tools can see what your clients are sending. At a very high level, encryption just scrambles up the data so that no one without the right key (which only you and the server you are communicating with have) can read it. You can think of someone putting your credit card data in a safe with a key that gets sent to the server very carefully and separately, where the server can open the safe and look at the contents. Without SSL, however, your data gets sent on an imaginary piece of paper that anyone on the way can peek at, if they please.
Everything has PROs and cons - some things are just better than others.
Now, you might be asking, if I’m not asking clients to insert any sensitive data on my site (such as credit card numbers, social security number, credentials, etc.), do I REALLY need it or is it just another thing people want to sell me?
My answer is: it’s up to you, but there are many advantages that come with SSL. One big one is that web browsers mark a site that doesn’t have SSL by adding an ominous-looking exclamation point and a warning to the address bar. Even if you don’t put in any sensitive information, it just kind of shows that the owner of the site doesn’t care too much about safety. It can be a warning sign and I, for one, usually subconsciously avoid pages like that.
The second big bonus is getting a boost in Search Engine Rankings. It might not bump you up from, let’s say, position 381 to the top 5, but if you have a competitor and you pretty much offer the same type of services, having an SSL gives you an advantage, possibly pushing you above them.
Well… should I state the obvious? It costs, and if you’re not sure how to install it on your pre-existing site, it might be a hassle. It is probably not as expensive as you would think, though. For example, buying an SSL certificate for your website should cost you less than or around $10 per month. Is that too much to pay for security? That’s up to you.
You can choose an SSL service with no monthly fee at all.
Let's Encrypt is a completely free SSL service that is trusted by many of the big names, including Google Chrome, Mozilla, Facebook, Squarespace, and many more.
The setup depends on the hosting service you have. We can always do some research to see if you qualify for the free SSL installation, in which case you would only need to pay for the installation, and enjoy free SSL with no monthly (or yearly) commitments. The list of companies that support Let's Encrypt SSL certificates keeps growing, so the chances that your site qualifies are pretty good!
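To see what certificate a site actually presents, and to catch the "no certificate" case from the story above, here is a small Python check. It is an added example, not part of the original post; the host `shop.example`, the sample certificate, and the 14-day warning threshold are constructed assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "notAfter": "Aug 30 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "www.shop.example")),
}

def fetch_cert(host, port=443, timeout=5.0):
    """Connect the way a browser does: verify the chain and the hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_field(rdns, key):
    """Names arrive as nested tuples of (key, value) pairs; return the first match."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None

def summarize(cert, now=None, warn_days=14):
    """Reduce a certificate dict to issuer, covered names and days until expiry."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (expires - now).days
    status = "expired" if expires <= now else "renew soon" if days_left < warn_days else "ok"
    return {"issuer": name_field(cert.get("issuer", ()), "organizationName"),
            "names": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
            "days_left": days_left, "status": status}

def check_site(host):
    """Return a one-line verdict for host, covering the failure cases too."""
    try:
        return f"{host}: {summarize(fetch_cert(host))}"
    except ssl.SSLCertVerificationError as err:  # expired, wrong name, untrusted issuer
        return f"{host}: certificate rejected: {err.verify_message}"
    except OSError as err:  # no HTTPS listener, or the TLS handshake failed
        return f"{host}: no usable HTTPS: {err}"

if __name__ == "__main__":
    print(summarize(SAMPLE_CERT, now=datetime(2024, 8, 20, tzinfo=timezone.utc)))
    for host in sys.argv[1:]:
        print(check_site(host))
```

Run it with one or more hostnames as arguments to check live sites; with no arguments it only summarizes the constructed sample.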