
How to Secure a Website With HTTPS and SSL

by Margaret Joy

SSL stands for Secure Sockets Layer and is the protocol that keeps your browser session secure. Having an SSL certificate is what adds the “S” to “HTTP.”

SSL certificates are what make your browser session secure. We know that “privacy” and “security” are the hottest buzzwords around the IoT these days, but this is no mere trend—SSL is something you should absolutely have. In fact, Google has increasingly demanded SSL certificates since about 2016. And much like the gods of ancient civilizations, our modern Internet overlord unleashes punishment upon those who do not obey its demands. So unless Bing is planning a Game of Thrones-level search engine coup in the near future, we highly suggest you get on this SSL bandwagon if you haven’t already done so. Besides, not all bandwagons are bad, right?

There’s no shame in joining the bandwagon.

What Is an SSL Certificate?

Take a look at this web page’s address bar. See the padlock icon and how it’s followed by “https://” and not “http://”? That’s because our website has an SSL certificate. Great, but how much can one little letter do? Quite a bit, actually, and we’re not just talking your best Wheel of Fortune guesses. Bear with us while we go technobabble for a moment:

  • SSL stands for Secure Sockets Layer.
  • TLS stands for Transport Layer Security. It’s essentially the same as SSL, with a slight name change in its later, more advanced iterations.
  • HTTPS stands for Hypertext Transfer Protocol Secure. It’s that bit of the web address you definitely don’t type out. It’s just the usual “HTTP” with an “S” tacked on to indicate that the site is secure.
  • CA stands for Certificate Authority. The CA issues the digital certificate after verifying your information. What would be the point of SSL if anyone could slap the certificate on their domain?

To cut out some jargon, SSL is essentially a digital certificate that secures the connection between your browser and the host server. The updated and more secure versions are technically called TLS, but since SSL was already in the vernacular, it’s still the preferred term. Having an SSL certificate is what adds the “S” to your “HTTP”—one of several indicators that a site is secure (more on this below).

Why Do You Need an SSL Certificate?

If you’ve ever typed in an email address, credit card number, location, social security number, or any other form of personal data or logins on a website (which we’re sure you’ve done already today), you want that information to be safe, right? And if we’ve learned anything from heist movies, the best time to steal anything is while it’s in transit. Hackers also follow this Hollywood logic, as data is most vulnerable when it’s transmitting from one place to another.


Stealing information from unsecured websites is easier than finding a Ben Affleck movie set in Boston. 

SSL certificates work toward preventing this. They establish a secure connection between two systems so that you’re just as secure if you’re sending payroll info to another server as you are when you’re logging into your Twitter account. The certificates use encryption algorithms to both secure and scramble data that otherwise could be floating around the interwebs for any amateur hacker to download and read.

While data security is the main point behind SSL, it’s not the only reason you want it on your website. We weren’t kidding about Google punishing unsecured websites—they know how important Google rankings are for SEO and marketing, so they push results with HTTPS higher than those still on HTTP. Even more importantly, SSL’s visible markers promote customer confidence. The “s” in the URL, the closed padlock icon, and the green address bar immediately indicate to website visitors that their information is secure on your site, and customer trust is invaluable to any company.

Cloudflare tracked the evolution of Google’s approach to HTTPS.

You may have seen a spike in SSL news in summer 2018 with the release of Chrome 68. As of July 2018, Google flagged all HTTP websites as “not secure.” As you can imagine, incoming web visitors faced with increasingly prominent “not secure” warnings will naturally start to question their trust in the website, and by extension, the organization as a whole. These tactics to get people on HTTPS have clearly worked, since Google has shown 93% encrypted traffic as of April 2019.

If you’re at all involved in WebRTC, particularly the ability to chat in real-time with your website visitors, SSL is especially important for you. With the release of Chrome 47 (November 2015), Google released an announcement explaining why it would no longer let WebRTC work with HTTP: security is singularly important when transmitting sound and video. Essentially, Google Chrome forces secured sound and video transmissions by blocking WebRTC functionality on unsecured websites. After we released sayso, an inbound calling solution that relies on WebRTC for browser calls, we heard from clients experiencing some issues installing the sayso button—it turns out their websites are not secure. Not only does WebRTC not function on unsecured sites, but the sayso button won’t even appear!

Whether or not you implement WebRTC elements on your website, you should absolutely have an SSL certificate. Don’t be scared away by some sites charging exorbitant rates for a certificate. Securing your website can be quite simple and inexpensive—even free!

How to Check if You Have an SSL Certificate

The easiest way to check if you have an SSL certificate is to look at your address bar. Is there a closed padlock icon and https in the address? You’re all set. Some browsers will turn the address bar green as well. Chrome makes it easy to do a quick check: Click on the padlock icon and you’ll see information about that particular site’s SSL status.

Clicking on the padlock icon in the address bar tells you that OnSIP’s website is secure.

There are also a number of sites where you can check the status of your SSL certificate, including if you have one and when it expires. All you have to do is type in your site URL. Sometimes you may have an SSL certificate but your website will still show up as not secure. This can be for a number of reasons—incorrect configuration, only partial SSL support, and insecure third-party content, among other things—but luckily, these SSL checkers will help you find any vulnerabilities before customers do.
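An added example (not from the original article): a small Python check for two of the issues named above, certificate expiry and insecure third-party content on an HTTPS page. The function names, the sample page and its `.example` hosts are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

def fetch_not_after(host, port=443, timeout=5.0):
    """Return the served certificate's notAfter string (needs network access)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname, raises on failure
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def days_until_expiry(not_after, now=None):
    """Whole days left for a notAfter value such as 'Jun  1 12:00:00 2030 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days

class MixedContentScanner(HTMLParser):
    """Collect subresources that an HTTPS page would load over plain HTTP."""
    SUBRESOURCE_ATTR = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
                        "video": "src", "source": "src", "embed": "src",
                        "object": "data", "link": "href"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(self.SUBRESOURCE_ATTR.get(tag, ""))
        if not value:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # canonical/alternate links are not fetched as subresources
        if urlparse(urljoin(self.page_url, value)).scheme == "http":
            self.findings.append((tag, value))

def find_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page; the .example hosts are not real sites.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """<link rel="canonical" href="http://shop.example/checkout">
<script src="http://widgets.example/chat.js"></script>
<script src="//cdn.example/lib.js"></script>
<img src="http://tracker.example/pixel.gif">
<a href="http://partner.example/">partner</a>"""
```

`find_mixed_content(SAMPLE_URL, SAMPLE_HTML)` reports only the `http://` script and image: the protocol-relative script inherits HTTPS from the page, and ordinary links are not subresources. Against your own site, pass the result of `fetch_not_after` to `days_until_expiry`; the fetch raises `ssl.SSLCertVerificationError` if the chain or hostname does not validate.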

How to Purchase an SSL Certificate

Even a cursory Google search for how to buy an SSL certificate provides an overwhelming number of options. If there are free SSL certificates, why do you have to buy one? Do you own your domain or is it a shell? Which level of SSL certificate do you need? Who is the most trustworthy? The Internet is a large and often unwieldy beast, so we funneled the necessary information into a basic SSL how-to for you here.

There are several CAs out there, so how do you choose among companies like NameCheap, GoDaddy, or DigiCert? It’s up to you and your needs, but you can read trusted reviews of several top CAs here.

1. Decide which certificate best fits your needs.

  • Domain Validation (DV): Best used for sites that don’t collect credit card info or logins, like personal websites, blogs, public portfolios, and the like. No documentation is required to obtain a DV certificate; you only have to be the person who registered the domain name.

  • Organization Validation (OV): Best used for sites that do take customer and login info. The CA requires documentation to verify the site owner’s information.

  • Extended Validation (EV): Preferred level of security for sites that collect sensitive information, like credit card data, and so need the extra encryption. The CA requires documentation to thoroughly vet the site owner’s information.

2. Compile the necessary paperwork for your selected SSL certificate.

The necessary documentation varies by type of certificate, but DigiCert has an exhaustive list of what you may need. Make sure you have your WhoIs information updated to help speed up the process.

3. Once purchased, activate and then install your SSL certificate.

You can activate your SSL right after purchasing it, and the CA will provide installation instructions after the validation process is done and it issues the certificate.

After your certificate is installed, you’re good to go, but keep an eye on your expiration date so that you know when to renew. 

One letter makes all the difference. 

Free SSL Certificates

SSL certificates can get pricey. Fortunately, a handful of CAs will issue SSL certificates for free. Let’s Encrypt is easily the most well known of these. This non-profit, run by the Internet Security Research Group (ISRG), just wants to make the Internet a more secure place, which is a lovely concept in the age of trolling and malicious comments. However, they only offer the lowest level of SSL certificates and do not intend to add OV or EV to their offerings. So if you want to secure your blog, great. If you want to secure your e-commerce site, we strongly suggest looking elsewhere.

Geekflare compiled a great list of free SSL options for your perusing pleasure.

SSL: The Key to a Secure Website

Hopefully, this blog provides all the information you need to secure your website. While Chrome has been cracking down on site security for years, the other browsers aren’t far behind. Firefox started to flag non-HTTPS websites in 2017, and Apple and Microsoft’s browsers are next to tackle SSL.

Google shames those without secured websites, and you already know how we feel about bandwagons, so if you still don’t have an SSL certificate after reading this, well, we’ll just leave this here:

SSL_shame gif
Ding Ding.