To enable website security, you must have an SSL Certificate
Quick background . . .
Google has implemented a carrot-and-stick policy to encourage all websites to use encryption.
Since 2017, Google has been marking websites without SSL certificates (those without a padlock symbol in the address bar) as “not secure”. This warning appears on pages collecting sensitive information such as credit cards, passwords, and other user data.
When users click on the “not secure” symbol, they see a more explicit alert:
“Your connection to this site is not secure. We recommend not entering any sensitive information on this site (for example, passwords or credit cards).” — Google Chrome
This warning can significantly impact your website’s user trust, potentially causing visitors to leave your site due to security concerns.
Don’t worry, though. There’s a straightforward solution to this problem that will make the unwelcome alert disappear: implementing SSL/TLS encryption on your website.
Beyond addressing the “not secure” warning, securing your website offers several benefits, including:
- Increased user trust
- Improved search engine ranking
- Faster website loading speeds
- Protection of sensitive data
The bottom line is . . .
To secure your website, you’ll need an SSL certificate, some modifications to your website and server files, and testing to confirm compliance.
In the long run, the move to a secure Web is truly best for everyone. We fully support this change.
What is an SSL certificate?
An SSL (Secure Sockets Layer) certificate, now more accurately called a TLS (Transport Layer Security) certificate, is an encrypted text file that binds a cryptographic key to details about your organization: domain name, organization name, and location.
The certificate serves two purposes: authentication and encryption.
First, because the certificate authority verifies that your domain belongs to your organization before issuing the certificate, users can be reasonably assured that the website indeed belongs to your organization. Second, the certificate creates a session key that encrypts the connection between users and your website. This ensures privacy, as even if sensitive data is intercepted by a third party, it cannot be read in its encrypted form.
The certificate industry landscape
The certificate industry can be confusing, with various brands and cross-marketing partnerships. Prices range from free to thousands of dollars per year. However, all certificates provide similar basic features and meet baseline security requirements.
As a buyer, the key is to get the features you need without overpaying.
A small number of trusted Certificate Authorities issue certificates. As of 2024, the top players include Let’s Encrypt, Sectigo (formerly Comodo), DigiCert (which acquired Symantec’s certificate business), and GlobalSign.
Certificates are often sold under various brands and price points, and they are also marketed by hosting companies as well as independent resellers and affiliates.
If you shop around, you can often find significant savings on SSL certificates.
The three types of SSL certificates
The primary difference between certificates is the level of validation — how thoroughly the receiving organization is vetted by the certificate issuer.
These are the three verification levels:
- Domain Validation (DV): Simple, fast, and often free or low-cost. This is what most small businesses need — a green padlock symbol and an encrypted connection. The Certificate Authority simply checks that the organization owns the domain.
- Organization Validation (OV): A deeper verification process at a mid-tier price. This is for businesses that conduct significant e-commerce. The Certificate Authority checks documents to confirm the business identity and location.
- Extended Validation (EV): The highest level of verification at a premium price. The Certificate Authority does in-depth research on your business identity and location, including cross-checking government and independent sources.
Warranties
Certificate authorities often offer warranties, essentially a form of insurance, should the certificate or the authority be breached. Free certificates typically don’t include warranties. Paid certificates’ warranties usually start at $10,000 and can go up to $1,000,000 or more.
Cost and recommendations
For most service businesses not heavily involved in e-commerce, a Domain Validation SSL Certificate is sufficient.
If your organization has multiple domains to secure, consider a Multi-Domain (SAN) certificate. For multiple subdomains, a Wildcard certificate might be appropriate.
We recommend Let’s Encrypt for most websites. Let’s Encrypt offers free Domain Validation certificates that auto-renew every 90 days. Many web hosts now offer easy integration with Let’s Encrypt.
If your hosting company doesn’t offer free certificates, you might need to pay $20 – $100 per year, depending on the provider and type of certificate.
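As an added example (not part of the original article), the Python sketch below checks the three things this guide asks you to decide on: validation level, which hostnames a SAN or Wildcard certificate covers, and days left before renewal. The sample certificate is constructed, the function names are hypothetical, and the DV/OV/EV guess is a heuristic based on which subject fields are present, since the dict from Python's `ssl` module does not expose the certificate policy that states the level authoritatively.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample, shaped like the dict ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notAfter": "Mar 31 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

def subject_fields(cert):
    """Flatten the nested subject tuples into a plain dict."""
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}

def validation_level(cert):
    """Heuristic (assumption): infer DV/OV/EV from the vetted subject fields."""
    s = subject_fields(cert)
    if "organizationName" in s and "businessCategory" in s and "serialNumber" in s:
        return "EV"
    if "organizationName" in s:
        return "OV"
    return "DV"

def covers(cert, hostname):
    """True if a SAN DNS entry matches; '*' stands for exactly one leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pat = value.lower().split(".")
        if len(pat) != len(host):
            continue  # a wildcard never spans more than one label
        if pat[1:] == host[1:] and (pat[0] == "*" or pat[0] == host[0]):
            return True
    return False

def days_left(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expiry - now.timestamp()) // 86400)

if __name__ == "__main__":
    for name in ("example.com", "shop.example.com", "a.b.example.com"):
        print(name, covers(SAMPLE_CERT, name))
    print(validation_level(SAMPLE_CERT), days_left(SAMPLE_CERT))
```

Against a live site, the same dict comes from `getpeercert()` on a connection opened with `ssl.create_default_context()`, which also verifies the certificate chain and hostname for you.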