SSL is the Secure Socket Layer, a protocol of Internet communication that encrypts data leaving point A and decrypts it when it arrives at point B. The entire purpose of SSL certificates and HTTPS usage is to make data difficult or impossible to use if it’s intercepted. If, for example, there was a malicious server between point A and point B, that logged and saved all data passing through it, data encrypted by SSL would be impossible to use.
For this reason, SSL is by default required for virtually all financial transactions online. Consider a more physical scenario, one that isn’t really feasible but which illustrates the point. Say that you want to buy something from a store. You select your item and stand next to it in the aisles. You then write down the item name and product number on a piece of paper, put your credit card on top of that paper, and hand it to someone walking down the aisle. They bring it to the end of the aisle, where it is handed off to someone else, who brings it to the front of the store. At the front of the store, someone else takes it and brings it to the cashier. The cashier then rings up your transaction.
Would you shop at a store that used that process? Ignoring, of course, the inefficiency of the transaction compared to traditional shopping. I wouldn’t. Anyone, at any point, could simply look at your credit card and take your number, name, confirmation code, expiration date; everything necessary to use it for their own ends.
The Internet works like this analogy. You don’t send your data directly to the shop in question. Instead, your communication passes through several servers and hubs along the way. There’s one in your house, if you have a router; it passes data from several computers to one Internet connection. There’s another, similar router at the street level, servicing the data from your neighborhood. There will be another serving your area of town, and so on until you reach an Internet backbone. Then your data has to go through the chain on down, until it reaches the server hosting the website. You just don’t see any of this data passing because it happens incredibly quickly.
Now imagine the same scenario, except your credit card is sealed inside an opaque box that cannot be opened except by the cashier, who has a special key only they have, and that fits only that box and no other box. You can be assured, then, that passing your order and credit box along the chain is perfectly safe; no one except the cashier can read your credit card information.
That’s how SSL works, and if you can’t see the immediate benefits to security, I’m not sure what to tell you.
That being said, lets learn about the intricacies of having SSL certificate on an eCommerce site:
SSL Doesn’t Secure Sites or Computers
If you’ve been paying attention and analyzing the ridiculous scenario above, you’ll note two problems with the SSL black box scenario.
The first is the moment when you take your credit card out of your wallet or purse and put it into the black box. This is analogous to when you type in your credit card information on your computer. There’s nothing preventing someone from watching over your shoulder, or knocking you down and taking it, as keyloggers and viruses do on your computer. Typing data onto your computer is only as safe as your computer itself. If you don’t have a virus scanner, a firewall, or any kind of protection against malware, your information can be logged and stolen before it ever leaves your computer.
The second is the moment the cashier opens the box and adds your credit card information to the pile. Most websites – cashiers in this analogy – store credit card information to make it easier for returning customers. The idea would be that the next time you want to make a purchase at the same store, you don’t need to go through the black box scenario, you just send in your order and the cashier fishes your card out of the pile.
If there’s someone else with access to that pile, or if that pile isn’t secured in a different black box of its own, your information – along with the information of hundreds, thousands or millions of others – can just be stolen. SSL doesn’t protect you from having your information stolen from the company that has it, and no company is secure. Just look at that link, see what large companies you can spot with huge data breaches. AOL, TJ Maxx, Sony, Ebay, JP Morgan; they’re far from alone. A study run last year indicates that as many as 43% of all companies in the U.S. experienced a data breach in the previous year alone.
The Business Perspective
With all of that in mind, why use SSL? If it’s apparently so easy for hackers to break into your system and steal user information, it’s probably better to not store it at all. If it’s easy for users to be infected and lose their information that way, why bother protecting it in transit?
This is a very nihilistic view, with one good point. On one hand, it’s probably a good idea to just not store user information if you’re at all worried about it being compromised. The problem with this is when it comes to user support; if you have no record of transactions, you can’t help your users when an issue comes up. If you don’t store credit information, you can’t issue refunds.
If you experience a data breach, that’s a bad thing. However, if you have your servers and databases encrypted sufficiently, that data is valueless to the hackers. The current standard of strong encryption is virtually impossible to break; it’s easier to kidnap and interrogate someone for the password to decrypt it than it is to use computers to guess that key and have it decrypted independently. Of course, that’s not SSL; that’s server security, a whole different business.
So, why protect the data in transit? One reason is that it’s just good practice. You don’t want to be That Business that lets users just throw their credit card information to the wind. You might as well just walk to a random person on the street and hand over the credit card. You have about as much chance of it being used inappropriately.
Another reason is that if a hacker ever notices that your company doesn’t use SSL, it’s a big red flag. They figure if you’re not using that security, maybe you’re not using other security. It makes you a target for further, worse data breaches. Using SSL then protects you from casual attacks of opportunity.
Do You Need SSL for Purchase Pages?
This is the first question you need to ask yourself. Do you need SSL for the pages where a user clicks to send sensitive information? This includes login pages and purchase pages, by the way.
The answer is an unequivocal yes. Yes, you need SSL for these pages. There is no reason, at all, ever, for you to not use SSL when a user submits any information more private than their name. Even that should be encrypted, realistically.
There’s one and only one exception to this, and that’s if you do not use any sort of login or purchase system yourself. If the only way people can log in to your site is through Facebook, and the only way they can purchase from your site is through PayPal, you don’t need SSL. The reason for that is that the Facebook login system and the PayPal payment system are themselves already encrypted. There’s no point in that transaction where you process or handle the information, and thus there’s no point where it’s not encrypted.
There are a wide range of SSL providers, ranging from GoDaddy to VeriSign to GeoTrust. Prices can range from $150 per year to $700 per year or more. It’s not a minor cost, but it’s not a cost you can ignore. “It’s too expensive!” is not, and never will be, an excuse to compromise user security. Don’t believe me? Just check out how much it costs to recover from a data breach. In retail, the best case scenario breaks down to $105 per individual customer record lost. Lost 100,000 customer profiles, and you’re suddenly out ten and a half million bucks. That’s the cheapest calculation for retail; for the healthcare industry, it can be as much as $359 per record.
Do You Need SSL for the Rest of Your Site?
The next question, and the more serious question, is do you need SSL on the rest of your site? Does your blog need SSL? Do your product pages need SSL? Does your homepage need SSL?
The answer to this is a resounding “it depends.” It’s really up to you, though there are some good arguments for doing so. There are also some good arguments against. Let’s take a look at the factors that go into the decision.
- SSL only protects data in transit. Again, if you don’t have proper security on your website, and the user doesn’t have proper security on their computer, SSL is only slightly effective. Think of it as one piece of a puzzle. Without the other pieces, it’s not really doing much for you.
A similar concern is the type of data you’re sending. No one, anywhere, wants to steal and maliciously use the list of websites a user is visiting. No hacker wants to steal your Google Analytics data. It’s not profitable or useful to them in any way, so they don’t bother with it. If your site isn’t handling sensitive data, there’s no reason to secure that data handling.
- Uneducated users are often told a site is only secure when the SSL padlock is present. I‘ve often seen security primers directed at novice users and older users telling them what to look for and where. Many users, then, will be skeptical about the security of a site that doesn’t have that fancy little padlock or, in the case of Firefox, the big green indicator in the address bar. Thus, you’ll be losing out on the trust of a non-insignificant percentage of your users by not having SSL implemented, which is what gives you that bit of security verification.
- SSL can slightly slow down a site’s responsiveness. The way it works is that each time a user wants to send data to your server, their browser and your server need to reach out and compare SSL certificate information. If the data conflicts, the connection is blocked. If the data matches, the request is made. All of this takes place within a fraction of a second, but it’s necessarily slower than a non-SSL connection, which eliminates that initial handshake.
In the vast majority of cases, the slowdown is measured in milliseconds. Virtually no user in any situation will ever notice.
- SSL certificates often come with warranties to reimburse customers for compromised data. This is by no means meant to be abused, of course. It’s just a fallback in case there is a data breach. It’s a sort of “we know you were doing everything you could be reasonably expected to do, so we’ll help you recover.” If you’re not using SSL, it’s like a bank not having FDIC backing.
- SSL security seals are an added layer of verification proof to make users more confident. When we talk about trust and verification, we talk about social proof, and the logos of client businesses, and numbers of subscribers, all for landing pages. When it comes to a purchase page, something more is required, and that’s where a VeriSign logo or another trusted security company logo comes into play. The presence of one of those logos helps users maintain confidence in your payment process.
- If a certificate expires or doesn’t match, it can cause errors that make your site inaccessible. Web browsers will put up a page that warns you that the security certificate is expired or invalid. Users, if they trust you and know what they’re doing, can add a security exception to continue browsing your site. The problem with that is two-fold, however. First, not all users will be willing or able to do so. Second, it browses your site without security, and if a user then tries to convert, they’ll be sending their information without security.
- Google has determined that having a secure site is a beneficial ranking factor. As of August of 2014, Google made it beneficial to your search ranking to have SSL on every page on your site. This was part of a general campaign to try to secure the Internet, in response to some large, high-profile data breaches.
- On the other hand, the beneficial ranking adjustment from SSL is very minor. It varies from site to site, but some studies have been done indicating that the benefit of SSL is very minor compared to many other SEO moves you can make. There’s also the potential to lose traffic, but I’ll cover that in the next section. The bottom line is that you shouldn’t implement SSL just for the SEO benefit, you should implement it for all of the other benefits you get out of it.
- You can lose traffic in the URL change from HTTP to HTTPS. The way Google works, the URL is the unique identifier for the page. If the URL changes, it’s functionally a different page, and Google treats it as such. That means any benefit to the old URL is not passed to the new URL. Going from HTTP to HTTPS is a change in URL, and as such, it is a change that causes a loss of organic traffic.
The solution to this is to use a 301 redirect from the old URL to the new URL, which will pass most of the search ranking over. You will lose a little bit, but that’s unavoidable.
- The NSA potentially has a back door into HTTPS, and the FBI is lobbying against encryption. This is a big political debate, and the facts are few and far between. The NSA may or may not have a way to crack encryption. The more important debate is over the FBI wanting a law enforcement backdoor for all encryption, which would effectively destroy its ability to secure anything. Unless you naïvely believe that no law enforcement key would ever be leaked or used for any purpose other than within full compliance with the letter and spirit of the law. If you believe that, well, try not to ever read a history book.
- If you aren’t using SSL, you lose referrer data from traffic from a site that does use it. Any referrer data is stripped when passing from HTTPS to HTTP, so any traffic coming to your site from a site with HTTPS is listed as direct. This can skew your analytics, and makes it much more difficult to track where traffic is coming from, to know how your link building efforts are working.
- Some web applications you might use for your business aren’t configured to use HTTPS. Most modern apps work with HTTPS, or even require HTTPS to function properly. Some older apps, however, won’t work when the additional layer of security is required.
In the end, the choice is yours. I recommend SSL on every page of your eCommerce site, for the sake of security, and because a more secure web is desirable for everyone involved.