Do I need an SSL certificate and how to get it
Since 2014, Google has been convincing website owners to set up a secure connection by installing an SSL/TLS certificate. But not everyone agrees with this. We weigh the pros and cons and explain how to get a certificate.
Google insists on HTTPS
HTTPS was introduced to the Internet standards in 2000. But the peak of interest in the topic came in late 2013 - early 2014. Then there was news about Google's intention to take HTTPS into account in search results. In August 2014, the company confirmed the rumors by publishing an article on the webmasters blog. It had a clear message: HTTPS is a ranking factor because it ensures the security of data transmission.
For webmasters and website owners, the news from Google was supposed to be a signal: if you want to be at the top of the search results, set up a secure connection. But there were caveats: for now, the factor was taken into account in less than 1% of all queries, and even there it carried less weight than, for example, the uniqueness of the content. Although it was said that the factor might gain more importance over time, there was no mass transition to HTTPS.
Later, the company began to act through Google Chrome.
- Since January 2017, the browser has started flagging HTTP pages that collect passwords and credit card information as insecure.
- In October 2017, Chrome 62 was released. It treats HTTP pages that collect any data (email addresses, logins, etc.) as unsafe, and in Incognito mode it treats all sites without SSL that way.
- In July 2018, Chrome 68 will be released, which will mark all HTTP sites as untrusted. Studies have shown that people do not notice the absence of a security indicator, or are completely "blind" to such warnings. From July, the marking will look like this:
Such markings are hard to miss.
In general, the movement to move to HTTPS comes from the CA / Browser Forum, which includes CAs, manufacturers of browsers and other applications that use SSL / TLS.
Formality or necessity
Google Chrome is used by 55% of Internet users, so webmasters have to reckon with Google's opinion. However, many of them disagree with the IT giant.
Main arguments against:
- Not all pages on the Internet contain or collect sensitive data, the interception of which can be painful for visitors;
- The impact of HTTPS on page rankings in search appears to be insignificant;
- An HTTPS connection requires purchasing an SSL/TLS certificate, which strikes some people as one more way to extract money from them.
Therefore, many webmasters simply ignore the recommendations of the company.
Arguments from Google
It is a misconception to consider HTTPS as necessary only for sites that process sensitive data. That's what Google thinks. Here are the main arguments.
Interception of any data is dangerous. Each unsecured HTTP request can reveal information about the interests and behavior of users. By aggregating actions on different sites, attackers draw conclusions about their behavior and intentions, and also reveal their identities.
One more point. Having penetrated the connection between the site and the user, an attacker can not only steal information but also replace it. It is as if a postman opened letters and rewrote them. Hackers add viruses, advertisements for porn sites or illegal goods to HTTP pages, and the user thinks this content comes from your site. HTTPS protects against such tampering.
The protocol is needed for "progressive web applications" - sites that work like standard web pages on a desktop and like applications on a mobile or tablet. They are reliable, load fast, and work offline.
Therefore, Google believes that HTTPS is the future of the Internet. Since 2015, it can be provided for free with Let’s Encrypt, a certification authority sponsored by Google and others.
SSL is needed if you:
- collect confidential user data (passwords, bank card details);
- want to remove some of the buyers' objections before buying;
- do not want fraudsters to take advantage of the vulnerability of your site;
- are working on SEO and every factor matters to you, even those that raise your SERP position only slightly.
Difficulties may arise when connecting an SSL certificate:
- Temporary demotion in search results. An indexing robot perceives a resource that transmits data over two different protocols as two different sites. Therefore, when switching to HTTPS, a decrease in website traffic from search is possible. If you follow the recommendations of Yandex and Google, the positions in the search results are restored.
- Increase in the volume of transmitted traffic. Encryption increases the amount of information transmitted. However, most providers provide hosting without restrictions on the volume of transmitted traffic, so you probably won't need to switch to a more expensive tariff.
How to choose an SSL certificate
There are several types of SSL certificates. We have already written about them in more detail, so here is a brief summary. The choice depends on whether the site is owned by an individual or a legal entity, as well as on the number of sites and subdomains.
The type of owner determines the level of validation that a site needs to pass to obtain an SSL certificate.
Regardless of the type, the SSL certificate performs the main function: it encrypts the transmitted data and removes the browser's notification about an unsafe connection.
If the resource is owned by an individual, then only a Domain Validation (DV) certificate can be installed on it. This certificate confirms ownership of the domain and nothing else. To pass the check, you need a mailbox on the site's domain. Free DV certificates are issued by the Let’s Encrypt trusted authority.
If the site is owned by a company, there are several options:
- Business card site of a company or organization. The site does not collect any payment information; it is for information only. In this case, a certificate with the Domain Validation level is suitable. It encrypts data, removes the "not secure" label in the browser, and that's it.
- Sites of banks, payment systems, chain hypermarkets or mass media. The site collects money or data that gives access to money. To gain access to the money, scammers can copy the site. Therefore, you need an Extended Validation (EV) certificate. It can only be obtained by the real organization that owns the site; its name and type of activity will be indicated in the certificate. A green bar with the name of the company will appear in the browser's address bar.
- Small online store, website of a charitable foundation, forum. The site is not interesting to scammers, but customers may want to verify the existence of the organization. Here you need a certificate with Organization Validation (OV). The name of the organization will be reflected in the certificate, and a green lock will appear in the browser's address bar.
The presence of SSL certificates is shown not only by Google Chrome. It is also displayed by Yandex Browser, Microsoft Edge, Firefox, Safari, Opera.
Number of sites and subdomains
- One site and several subdomains (Wildcard, WC) - bestsite.ru, forum.bestsite.ru, blog.bestsite.ru, etc.
- Several sites (Multi Domain, MD) - bestsite.ru, bestsite.com, perfectsite.ru. If there are two or three sites, it may be more profitable to buy several SSLs with support for one domain: it is more difficult to install and renew, but several times cheaper.
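As an added example (not part of the original article), the sketch below checks which hostnames a certificate's name list covers, using the rule browsers apply to wildcards: `*` stands for exactly one left-most label. The function names are illustrative, and the name lists are constructed from the sample domains above.

```python
def name_matches(pattern, host):
    """Match one certificate name against a hostname.

    A wildcard is honoured only as the whole left-most label and stands for
    exactly one label, so "*.bestsite.ru" covers "forum.bestsite.ru" but
    neither "bestsite.ru" nor "a.forum.bestsite.ru".
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Simplification: require at least two labels after the wildcard
        # (real clients consult a public-suffix list instead).
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered(cert_names, hosts):
    """Return the hosts that no name in the certificate covers."""
    return [h for h in hosts if not any(name_matches(n, h) for n in cert_names)]


# Constructed name lists for the three cases discussed above.
WILDCARD_ONLY = ["*.bestsite.ru"]
WILDCARD_WITH_BASE = ["bestsite.ru", "*.bestsite.ru"]
MULTI_DOMAIN = ["bestsite.ru", "bestsite.com", "perfectsite.ru"]

HOSTS = ["bestsite.ru", "forum.bestsite.ru", "a.forum.bestsite.ru", "bestsite.com"]

if __name__ == "__main__":
    for label, names in [("wildcard only", WILDCARD_ONLY),
                         ("wildcard + base", WILDCARD_WITH_BASE),
                         ("multi-domain", MULTI_DOMAIN)]:
        print(f"{label:16} not covered: {uncovered(names, HOSTS)}")
```

Run it against the exact list of hostnames you serve before ordering: any host it reports as not covered will trigger a certificate warning in the browser.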
How to choose a certification authority
Say you went through the steps above and it turned out that you need a multi-domain SSL certificate with the OV validation level. It remains to choose where to buy it. SSL certificates are issued by certification authorities (CAs). They confirm the authenticity of encryption keys using electronic signature certificates.
A list of all trusted CAs is published on the CA / Browser Forum website. Top 10 SSL Issuing Centers can be viewed at w3tech.com. From the user's point of view, there is only one significant difference between CAs - the price of SSL certificates. Based on our experience, we can make several comments, but they are not confirmed by any research. Be warned, these are just our thoughts.
Price is not an indicator
SSL certificates are not like bread or cars: more expensive does not mean better. All trusted certification authorities issue SSL certificates according to established standards, so there is no point in paying extra for the brand. The big difference in price is more likely explained by the marketing policy of the certification authorities: some are aimed at corporate clients, some are only interested in Western markets, and some want to sell as much as possible and therefore reduce the price to a minimum. Therefore, it is reasonable to choose by price. It is also reasonable to use the websites of intermediaries (like LeaderTelecom, FirstSSL or ISPsystem) to compare prices: SSL certificates are often cheaper there than from direct sellers.
The brand does not guarantee reliability
A certification authority can lose trust or simply fall apart. This has already happened. A well-known name does not guarantee anything. Symantec's SSL certificate division has recently lost credibility. At the same time, Symantec, one of the leaders in the field of software production, continued to exist. Buyers of certificates from Symantec have not lost money: since December 2017, SSL certificates of the Symantec group have been issued by DigiCert. They can still be purchased and installed.
A note about Comodo
Another note from our experience. Comodo is the most popular certification authority in the world today. This CA has some of the cheapest certificates and the fastest issuance. At the same time, certificates with organization validation or extended validation are issued only after purchasing a DUNS number. Because of this, the certificate is several times more expensive. Other CAs do not have a similar requirement.
How to get an SSL certificate
The process of obtaining a certificate depends on the place of purchase. The general procedure goes something like this:
- Choose SSL on the reseller's website or at the CA.
- Enter the required data. Required: domain and email address, contact person's phone number. This is enough to obtain DV certificates. For OV or EV, you will need information and documents confirming the legal existence of the organization and the compliance of the activity with the declared one (TIN, extract from the Unified State Register of Legal Entities, mention in publicly available reference books like nalog.ru or yellowpages.com and others).
- Receive an activation letter by email, follow the link.
- Get verified (from 20 minutes to several days or even weeks, depending on the type of SSL). At this time, the CA may request additional documents.
- Receive certificate files by mail. Install.
How to install SSL
The SSL certificate is installed in the web server configuration files (Apache or Nginx). Installation instructions are sent by the certification authority. The process is simpler if you use a web server control panel such as ISPmanager, cPanel, Plesk and others. For installation instructions, see the panel vendor's documentation.
After configuring the SSL certificate, you need to deal with the search engines. First, add a site accessible via the new protocol to the list of your sites in Yandex.Webmaster and set up a site mirror following Yandex's recommendations. Then add a new address to Google Search Console, according to Google's recommendations. Configure a redirect from HTTP to HTTPS for the domain in the web server control panel.
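As an added example (not part of the original article), the sketch below audits the HTTP-to-HTTPS redirect described above: it checks that a plain-HTTP request is answered with a permanent redirect to the same address over https://. The function names and the sample responses are constructed for illustration; `fetch_redirect` needs network access and is not called on the samples.

```python
import http.client
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)
PERMANENT = (301, 308)  # tells crawlers the HTTPS address replaces the HTTP one


def audit_redirect(requested_url, status, location):
    """Return a list of problems with the answer to a plain-HTTP request."""
    src = urlsplit(requested_url)
    if status not in REDIRECTS or not location:
        return [f"no redirect (status {status}): page is still served over HTTP"]
    problems = []
    if status not in PERMANENT:
        problems.append(f"status {status} is temporary; use 301 or 308")
    dst = urlsplit(location)
    if dst.scheme != "https":
        problems.append("target is not an https:// URL")
    if dst.hostname and dst.hostname != src.hostname:
        problems.append(f"host changes to {dst.hostname}; confirm this is intended")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("path or query string is not preserved")
    return problems


def fetch_redirect(url, timeout=10):
    """Request url over HTTP without following redirects (needs network access)."""
    u = urlsplit(url)
    target = (u.path or "/") + (f"?{u.query}" if u.query else "")
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


# Constructed sample responses (not captured from a real server).
SAMPLES = [
    ("http://bestsite.ru/shop?id=1", 301, "https://bestsite.ru/shop?id=1"),
    ("http://bestsite.ru/shop?id=1", 302, "https://bestsite.ru/"),
    ("http://bestsite.ru/", 200, None),
]

if __name__ == "__main__":
    for url, status, location in SAMPLES:
        print(url, status, "->", audit_redirect(url, status, location) or "OK")
```

On a live site, pass the result of `fetch_redirect(url)` to `audit_redirect` for a few deep links, not only the home page.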