Do you need an SSL Certificate for your Website?
In 2021, the short answer is yes, and it is a must to get an SSL certificate for your website. Of course, there are a few cases where it would be okay not to go through the hassle to get an SSL certificate. For example, if you are just running a blog for users to read (and nothing else), then you do not require an SSL certificate. You are not asking for any kind of information from anyone; or if you don’t have anything sensitive on your website. But such cases are rare these days. If you are running a blog, you would want to monetise it, make it popular, put up ads, and so on.
Getting an SSL certificate is not as tedious as you think. Generally, your WebHost will manage to get a certificate for you. It will help you in establishing secure communication channels with anyone that visits your website. Why is this so important? Because you care about your visitors’ and customers’ privacy and safety on the internet. An SSL encrypted communication channel will safeguard the connection from any hijacking attempts and data thefts.
It is important to note that this would not prevent any direct attacks on your website, such as a denial of service attack. SSL is only meant to safeguard server-client connections. So yes, you will need other safety and security plugins for your website.
Let’s get to know what SSL is all about.
What is SSL?
SSL stands for Secure Sockets Layer. Although it is widely popular as SSL, we actually are in the age of TLS (Transport Layer Security). It is nothing but an upgraded version of SSL which serves the same purpose. Though it is still widely popular as SSL.
SSL functions around encryption keys that encrypt the data that passes through a communication channel. It is to protect the data from getting hijacked by hackers and criminals. This is generally known as on-path attacking. In this method, the hijacker/attacker places themselves between two devices i.e. the browser (client) and the server. Such an attacker can steal the encrypted keys used for communication, impersonate themselves, and steal data.
Let’s see more about how the SSL/TLS system works.
How does SSL/TLS work?
When we talk about encryption in SSL, it is the process of converting the data in some kind of gibberish, send it over to the other party and they can decrypt it. How is it done? You need an encryption key to decipher all these messages. In other words, the two parties have to share the same key to encrypt and decipher the messages.
SSL/TLS encryption is really a complicated process but in essence, this is generally how it works out:
- The process begins with a TLS handshake (source: Cloudflare), where the two parties open a communication channel and share a public key with each other.
- This process happens through an asymmetric public key exchange, where some mathematics is involved to generate a ‘shared secret’.
- This shared secret is your temporary key – widely popular as ‘session keys’ – that encrypts and decrypts the communication shared between the client and the server. This is the symmetric encryption method.
Now, you’re ready to send and receive HTTPS traffic freely through this secured channel.
TLS also ensures that the website you are communicating with is authentic; that they are who they claim to be. It also ensures that the data is true, and has not been altered as it transmits data with the message authentication code or MAC (Source: Wikipedia).
There are mainly two processes involved in making this process happen: Symmetric Encryption and Asymmetric Encryption. To understand how asymmetric and symmetric encryptions work respectively, take a look at the diagrams given below:
Image(s) credit: The SSL Store
A little more about Asymmetric Encryption: Diffie-Hellman and RSA Key Exchange methods
This is a little section we would like to add to this article as these videos are really very simple to understand and interesting. If you are interested in cryptography in general, we recommend you watch these videos.
Asymmetric encryption is necessary to exchange the ‘shared secret’ or the session keys within the client and the server. This is generally done with the ‘Diffie-Hellman’ Key Exchange or RSA Key Exchange. If you want to know more, Dr Michael Pound gives a really good explanation on the matter. Take a look at this video from Computerphile below.
RSA is more favoured on the internet due to its higher security level compared to Diffie-Hellman. Dr Mike Pound explains why so:
This video also explains how ‘Man in the Middle’ attacks work.
How to get an SSL certificate for your website?
You get an SSL certificate from third-party agencies called a Certificate Authority (CA). Usually, they will charge you for issuing an SSL certificate through them, but there are some free SSL certificate authority agencies as well. Our personal recommendation is Let’s Encrypt, but there are many free SSL certificate authority agencies on the internet that can issue SSL certificates. Usually, your web host will help you with installing the SSL certificate on your website, so you can sit back and relax. Just make sure they have your desired SSL CA option available.
You can also self-sign an SSL certificate for your website. However, they are considered less trustworthy than the certificate you receive from a CA. We highly recommend you consider the CA option. Getting an SSL certificate means you can transmit HTTPS traffic to anyone who connects to your website. It also helps with preventing Man of the Middle attacks.
To know more about the process and types of certificates involved in the process, Sucuri has a well-written article on it.
It is a must for your website to get an SSL certificate from a trustworthy Certificate Authority. It will help you keep the attacks at bay, and you will make your customers browse your website with relief. Not only that but getting an SSL certificate will also improve your overall SEO score. Google search engine takes data security very seriously, and they would recommend SSL-protected websites over non-SSL websites in their search result. So yes, you do need an SSL certificate.
Digital Lime Green can also help you with setting up a domain, securing it, and getting an SSL certificate for your website. This is actually a part of our WordPress Hosting services, where we provide SSL certificate related assistance along with other security solutions. Please feel free to contact us if you need to know more about our services.
Stay secured and protect the traffic on your website. We wish you all the best!