This article is vital reading for anyone who has a business website and useful for anyone using the world wide web generally.
With almost 90% of all internet searches in the UK going through Google’s servers it’s not surprising that over the years, Google has, to some extent, led the way in softly dictating the way in which websites work and the way they are constructed. They have mostly done this through their search algorithms, ranking and de-ranking sites which meet or fail to meet certain criteria and, as good search rankings are important to any business website, web developers have had to comply. This is no bad thing. Google’s motivation is sound – to clean up the world wide web and help to prevent fraudulent or misleading websites from appearing in search results and also to make search results more relevant to the user.
Earlier this year (2017) Google raised the stakes somewhat and started to de-rank what they consider to be insecure websites. By early 2018 it is expected that they will raise the bar even further by actively notifying users that a site is not secure. If your site is one of them, that will impact not only your search engine rankings but also the image you portray to your customers and the likelihood of them doing any business with you. It is the latter which I think we should be more concerned about in the long term.
The techie stuff
When a user visits your website, they do so from a browser, and it is the browser that requests the contents of a website from the web server and displays it on your computer, smartphone or whatever. This interchange between your browser and the web server on which your site is hosted is essentially plain text and can be read by anyone who may be snooping or trying to obtain your private data by nefarious means. That’s not really a big problem if all you’re doing is reading the news or browsing information. The problem comes when you are asked to enter sensitive information on a website such as a name, address, date of birth and, of course, credit card details. Another problem is fake websites – websites which look and feel like a trusted site but exist only to commit fraud by obtaining your personal information. To illustrate how much of a problem that is: as web designers, we could turn to the dark side and build a website that looks just like that of your bank in a couple of hours and, while it wouldn’t fool the experts, it would be good enough to fool a great many casual users, and we could capture the bank account details of the unwary pretty easily too.
To reduce the risks and make things more secure, the SSL Certificate was introduced way back in 1994 by Netscape. An SSL (Secure Sockets Layer) Certificate changes the nature of the transaction between browsers and web servers so that the electronic data flowing in both directions is encrypted – that is, it is no longer in human-readable form but a meaningless series of characters, where the decryption key is known only to your web browser and the web server it’s communicating with, for the duration of that single transaction. It’s very clever technology but it’s not 100% secure: like any cipher, it can be cracked eventually. It is, however, a deterrent which largely works well.
In theory, an SSL Certificate also requires you to confirm your ownership of your website in the real world – that is, you receive a form by post that you sign and return to the issuing authority to confirm you are who you say you are. I say “in theory” because in some circumstances that’s true, but we know of ways to make your own SSL certificate in just a few minutes, install it on our server and spoof the user into believing their connection is secure, and surely if we can do it, hackers can do it faster and better. We also know that a basic level of SSL Certificate can be obtained legally which does not require real-world validation. This is called a “domain validation” (DV) certificate, which is quite good enough for most websites to give their visitors and the search engines confidence, but it lacks the security of ‘real world’ validation. For that, you need what’s called an Organization Validated (OV) or Extended Validation (EV) SSL Certificate.
SSL Certificates cost money
Cynics might say the sale of SSL Certificates is just a way for someone to make more money, and if you own a business website you’ve probably already had emails from your hosting company warning you of what will happen if you don’t buy an SSL Certificate, using fear, uncertainty and doubt to part you from your cash. Generally, SSL Certificates for the three levels (DV, OV and EV) cost from about £20, £100 and £200+ respectively, and these are annual fees, so it is expensive for a small business.
I should add that all websites we produce from October 2017 include a base-level DV SSL certificate free of charge as a service to our clients.
What it means to a user
All of the popular web browsers now indicate to a greater or lesser extent whether a website you’re visiting is or is not secure. Generally though, if a website is deemed secure it features a small padlock icon either in the address bar itself or at the foot of the browser window, or both.
This padlock icon indicates that the website is secure and that it has a valid ‘domain verified’ SSL Certificate in place. If the padlock and the word ‘secure’ are in green, it means the SSL Certificate is of the Organization or Extended variety – in other words, it has been checked and verified in the real world. But just because a site doesn’t have a padlock symbol doesn’t mean you can’t trust it. Let me explain…
If a website doesn’t ask you to enter any sensitive information about yourself and, for example, it’s just a business displaying its wares, then arguably it doesn’t need an SSL Certificate and shouldn’t have to worry about one. Even if the website just asks for your name and address, that doesn’t mean you shouldn’t trust it. When you should be concerned is when you’re being asked for personal details and credit card information; then you should check you can see a ‘green padlock’ in or around the browser’s address bar. But then again, if the business you’re buying from isn’t apparently secure, does that mean you shouldn’t trust them? Well, maybe, maybe not…
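As an added example (not from the original article), the Python below mirrors the checks a browser makes before it shows the padlock described above: the certificate must be within its validity dates, must name the host you are visiting, and, for the green padlock, must carry an organisation that a certificate authority has verified; a certificate that has signed itself is the home-made kind mentioned under “The techie stuff”, which no browser trusts. The three sample certificates are constructed in the dict shape that Python’s `ssl` module returns from `getpeercert()`, and treating a named `organizationName` as OV/EV is a heuristic, since that dict does not expose the policy identifiers that distinguish EV from OV.

```python
import ssl
# Constructed samples in the dict shape ssl.SSLSocket.getpeercert() returns; not real
# certificates. Names and dates are invented to suit the article's 2017 setting.
DV_CERT = {  # domain-validated: the subject names only the host, no organisation
    "subject": ((("commonName", "shop.example.co.uk"),),),
    "issuer": ((("organizationName", "Example DV CA"),), (("commonName", "Example DV CA R1"),)),
    "subjectAltName": (("DNS", "shop.example.co.uk"), ("DNS", "www.shop.example.co.uk")),
    "notBefore": "Oct  1 00:00:00 2017 GMT", "notAfter": "Oct  1 23:59:59 2018 GMT",
}
OV_CERT = {  # organisation-validated: the CA checked the legal entity and put it in the subject
    "subject": ((("countryName", "GB"),), (("localityName", "Reading"),),
                (("organizationName", "Example Payments Ltd"),), (("commonName", "pay.example.co.uk"),)),
    "issuer": ((("organizationName", "Example OV CA"),), (("commonName", "Example OV CA G2"),)),
    "subjectAltName": (("DNS", "*.example.co.uk"),),
    "notBefore": "Jun  1 00:00:00 2017 GMT", "notAfter": "Dec 31 23:59:59 2017 GMT",  # expired
}
SELF_SIGNED = {  # the "make your own in minutes" case: the issuer is the subject itself
    "subject": ((("commonName", "login.example-bank.test"),),),
    "issuer": ((("commonName", "login.example-bank.test"),),),
    "subjectAltName": (("DNS", "login.example-bank.test"),),
    "notBefore": "Jan  1 00:00:00 2017 GMT", "notAfter": "Jan  1 00:00:00 2027 GMT",
}

def _field(rdn_seq, key):
    """First value for `key` in a getpeercert()-style name sequence, or None."""
    return next((v for rdn in rdn_seq for k, v in rdn if k == key), None)

def validation_level(cert):
    """Self-signed if issuer == subject; OV/EV if an organisation is named; otherwise DV.
    EV cannot be told apart from OV here because getpeercert() omits certificatePolicies."""
    if cert["subject"] == cert["issuer"]:
        return "self-signed"
    return "OV/EV" if _field(cert["subject"], "organizationName") else "DV"

def hostname_matches(cert, hostname):
    """Match against DNS SANs (falling back to the CN); '*' may only replace the leftmost label."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names and _field(cert["subject"], "commonName"):
        names = [_field(cert["subject"], "commonName")]
    host = hostname.lower().split(".")
    for labels in (n.lower().split(".") for n in names):
        if labels == host or (labels[0] == "*" and len(labels) > 2 and labels[1:] == host[1:]):
            return True
    return False

def assess(cert, hostname, now):
    """What a browser would conclude about this certificate; `now` is epoch seconds (UTC)."""
    current = ssl.cert_time_to_seconds(cert["notBefore"]) <= now <= ssl.cert_time_to_seconds(cert["notAfter"])
    return {"level": validation_level(cert), "hostname_ok": hostname_matches(cert, hostname), "current": current}
```

For a live site, the dict returned by `SSLSocket.getpeercert()` after connecting with `ssl.create_default_context()` can be passed straight to `assess()`; that context also verifies the chain against the system trust store, so a self-signed certificate is rejected before you ever get that far.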
Payment providers and card processors
Most businesses, especially small businesses, don’t actually capture and store any credit card or customer details when you buy from them online. Instead, they use a trusted payment processor like PayPal or WorldPay and, while it may look like the payment buttons are part of the original website, the payment mechanism is not. When you click on the “Go to payments” button you are transported to the payment processor’s website, which is, and must be, of the highest level of security – green padlock and other ‘trust’ symbols in the address bar. So the key message is: before you enter any critical data, always check you’re on a properly validated and secure website; but if you’re just browsing and putting items in a shopping basket, you don’t need to worry too much. Larger companies, like Amazon, both process and store customers’ card information and feature the highest levels of security when you enter your credit card information.
Barclays Bank Changes the Game
As I write, Barclays Bank in the UK are airing a TV ad as part of their sales campaign to attract new customers concerned about internet security and online fraud. It features the padlock symbol and encourages website visitors not to trust websites that don’t display it. I think this is misleading to the public and will be detrimental, mainly to small business websites, but that train has well and truly left the station, so if your business website doesn’t display a padlock symbol, you really need to be talking to your website hosts and asking for an SSL certificate – just be aware that many will try to inflate the costs and employ scare tactics to help you part with more than you need to. I would say that for most small to medium-sized businesses, where the only personal data you might be collecting is name, email address and maybe a telephone number, a base-level domain verified SSL certificate is all you need, and you shouldn’t expect to pay any more than around £75 – although that is most likely an annual charge.
Don’t be scared into parting with your money. Undoubtedly an SSL certificate attached to your website is important and will become more so in the coming year or two, but in the short term don’t panic: do some research and look for the best options for your particular business. If you’re reading this as a user, don’t be alarmed if the website you are visiting doesn’t have a padlock symbol unless you are being asked to submit a lot of personal information and credit card or bank details. In any event, proceed with caution, because it is still possible to ‘fake’ the highest level of SSL certificate if the scammer is truly determined.