The web is inherently insecure. With just a little research, even a first-time hacker can teach themselves to “listen in” on the information sent to and from a website, such as passwords or credit card information. They can also “spoof” a website, causing a user to connect to their fake duplicate site and enter their sensitive information into the waiting trap.
No matter how secure your server and databases, good code can’t help you if a customer’s information is intercepted before it reaches your server.
That’s what SSL certificates are for. They won’t make up for a poorly secured database, but they do safely shepherd information from your customer’s computer to your server. They prevent attackers from “listening in” on the information as it is sent to you. If your site accepts credit card information, health information, or any information that a reasonable person could consider private, you should purchase an SSL certificate and have it installed by a qualified web developer.
Prices range from $10 a month to about $250 a year. Some certifying authorities will not grant you an SSL certificate without first doing an audit of your code to make sure that once they safely steward the information to your site, you then handle it in a secure manner upon its arrival.
How does an SSL certificate work?
The process has many steps and is quite technical, but here’s a simplified version:
A Certificate Authority is a third-party company generally regarded as “trusted”. Large technology players such as Microsoft and Google conduct periodic audits of Certificate Authorities to make sure that their security procedures are kept tight and that they are playing by the rules. You apply for an SSL certificate with a Certificate Authority. They then work their magic, and the result is a pair of encryption keys unique to your website. One of these keys is public, and the other is private.
When a visitor connects to a site secured with an SSL certificate, they are given the public key. The public key only encrypts information; it cannot decrypt it.
Before sending any information to your server such as a password, the customer’s browser uses the public key to encrypt the message. Now anyone listening in to the transmission will see only a garbled mess being sent to you.
Using your private key, your server can decrypt the information that was encrypted with the public key once it has safely arrived.
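The three steps above (the browser encrypts with the public key, an eavesdropper sees only garbled numbers, the server decrypts with the private key) can be watched in miniature with a few lines of Python. This is an added illustration, not code from the original article, and it uses textbook RSA with tiny constructed primes so that it runs with no third-party library; real certificates use keys thousands of bits long and a padding scheme, so this toy is for understanding only.

```python
"""Added example: the public-key/private-key round trip described above.

Textbook RSA with constructed primes p = 61 and q = 53. The numbers are
small enough to follow by hand and far too small to be secure; the point
is only that the public key encrypts and the private key decrypts.
"""
from math import gcd


def make_keypair(p=61, q=53, e=17):
    """Return (public_key, private_key) for the constructed primes p and q."""
    n = p * q                      # modulus, shared by both keys (3233 here)
    phi = (p - 1) * (q - 1)        # Euler's totient, used to derive d
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with phi")
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, message):
    """What the visitor's browser does: encrypt each character with (n, e)."""
    n, e = public_key
    if any(ord(ch) >= n for ch in message):
        raise ValueError("toy modulus too small for this character")
    return [pow(ord(ch), e, n) for ch in message]


def decrypt(private_key, ciphertext):
    """What your server does: recover each character with (n, d)."""
    n, d = private_key
    return "".join(chr(pow(c, d, n)) for c in ciphertext)


def round_trip(message="password"):
    """Encrypt with the public key, decrypt with the private key, and
    return (ciphertext, recovered_message) so both can be inspected."""
    public_key, private_key = make_keypair()
    ciphertext = encrypt(public_key, message)       # the "garbled mess" on the wire
    recovered = decrypt(private_key, ciphertext)    # readable again only at the server
    return ciphertext, recovered


if __name__ == "__main__":
    ct, plain = round_trip("password")
    print("on the wire:", ct)
    print("at the server:", plain)
```

Note that an eavesdropper who captures the list of numbers printed as "on the wire" also knows the public key (everyone does), but without the private exponent `d` there is no quick way back to the text; that asymmetry is what the article's "one public, one private" sentence is describing.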
How do I know if my information is being correctly secured by an SSL certificate?
Every major browser provides a method of telling whether a third-party Certificate Authority can vouch for the identity of your site (that it is not a fake or a spoof) and whether the encryption keys have been properly installed and are still current. This is represented by a lock icon in the address bar like this:
Clicking or hovering over this lock icon will provide the user with more information about who the certifying authority was and what variety of encryption is in use. If there are any problems with the certificate or with the way it is installed, the lock will change from green to yellow or red, and appear broken. No picture of a lock means that there is no certificate at all, valid or invalid. The majority of informational websites are this way.
Many customers double check to make sure that their connection to your site has been secured before they are willing to enter sensitive information or make online purchases, with a simple glance at the address bar to see if you have a valid lock icon.
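The two questions the lock icon answers (does a trusted authority vouch for this exact site name, and are the keys still current) can be reproduced against the certificate data that Python's standard `ssl` module hands back from `getpeercert()`. The example below is added here and is not part of the original article; the sample certificate dictionary, its site name `shop.example` and its issuer name are constructed, and the `live_check` helper is a hypothetical wrapper that only runs when the script is executed directly.

```python
"""Added example: the checks behind the browser lock icon.

certificate_problems() applies the browser's rules (name match, validity
dates) to a certificate in the dictionary form returned by
ssl.SSLSocket.getpeercert(). SAMPLE_CERT is a constructed stand-in, not a
real certificate.
"""
import socket
import ssl
import time

# Constructed certificate data in getpeercert() layout (not a real site).
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Example Certificate Authority"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
}


def _name_matches(pattern, hostname):
    """Browser wildcard rule: '*' stands for exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                       # "*.shop.example" -> ".shop.example"
    return hostname.endswith(suffix) and hostname.count(".") == pattern.count(".")


def certificate_problems(cert, hostname, now=None):
    """Return the reasons a browser would refuse to show a valid lock.

    An empty list means the name matches and the dates are current.
    'now' is seconds since the epoch; it defaults to the current time.
    """
    now = time.time() if now is None else now
    problems = []
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_name_matches(name, hostname) for name in names):
        problems.append("hostname %r is not among certificate names %r" % (hostname, names))
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid (from %s)" % cert["notBefore"])
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired on %s" % cert["notAfter"])
    return problems


def issuer_name(cert):
    """The 'who vouched for this site' detail shown when the lock is clicked."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return "unknown issuer"


def live_check(hostname, port=443):
    """Hypothetical helper: fetch a real certificate over the network.

    ssl.create_default_context() already verifies the chain of trust and
    the hostname, so a failed handshake is itself a 'broken lock'.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return issuer_name(cert), certificate_problems(cert, hostname)


if __name__ == "__main__":
    # Offline walk-through with the constructed certificate.
    mid_2024 = ssl.cert_time_to_seconds("Jul  1 00:00:00 2024 GMT")
    early_2025 = ssl.cert_time_to_seconds("Feb  1 00:00:00 2025 GMT")
    print("issuer:", issuer_name(SAMPLE_CERT))
    print("shop.example, mid 2024:", certificate_problems(SAMPLE_CERT, "shop.example", mid_2024))
    print("evil.example, mid 2024:", certificate_problems(SAMPLE_CERT, "evil.example", mid_2024))
    print("shop.example, early 2025:", certificate_problems(SAMPLE_CERT, "shop.example", early_2025))
```

The name check is the part that defeats a spoofed duplicate site: a copy hosted under a different name cannot present a certificate whose names cover it unless a Certificate Authority was persuaded to issue one, which is exactly what the audits mentioned earlier are meant to prevent. The date check is why a forgotten renewal turns the lock red overnight.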
Getting a valid SSL certificate is not just a way to put consumers’ minds at ease — it is also the right thing to do. Plus, if the unthinkable happens and you find yourself in litigation over your security procedures, you will be able to show that you took reasonable precautions to protect your customers’ sensitive information.