HTTPS, SSL, tokenized transactions—if you sell anything online, I’m sure you’ve heard the words before and have some sense of why they’re important for ecommerce. Without HTTPS and SSL Certificates, all of your online transactions would be basically open for anyone to steal. But I still see stores out there without SSL Certificates, sending data over plain old, unprotected HTTP instead of HTTPS. HTTPS and SSL are important now—and they’re going to be getting a lot more important to Google.
What are HTTPS and SSL Certificates?
HTTPS and SSL Certificates work together to do two things. HTTPS uses encryption to secure all data sent between your web browser (on your computer, phone, tablet, etc.) and the web server you’re connecting to in order to load a website. The SSL Certificate is how the secure connection is established between the web browser and the web server, as well as how the web server proves its identity to your web browser.
Without the SSL Certificate, a shady web server could trick your web browser into thinking that it’s, say, your bank’s website. And without HTTPS encryption, you’d know the identity of the web server but all the data going back and forth wouldn’t be any more secure than slapping a stamp on your credit card and putting it in the mail as payment.
These standards working together are what have made commerce on the internet possible. And it used to be the case that obtaining an SSL Certificate, configuring your web server to use it, and enabling HTTPS was an expensive and difficult process. But not any more. It usually takes only a few clicks—and it can be free!
What’s in an SSL Certificate?
SSL Certificates provide proof of identity for the web server, and are also used to establish a secure HTTPS connection when the web browser and web server first connect to each other.
To vastly oversimplify things: a Certificate contains a Public Key and a Private Key. The web server shares the Public Key with the web browser, and the web browser uses it to encrypt a one-time-use Session Key that the web browser generates. The web server then uses its Private Key to decrypt that one-time Session Key (the Private Key is the only way to decrypt it), and the web browser and web server then use that shared Session Key to encrypt and decrypt the data sent back and forth during that visit.
SSL Certificates are created by generating the unique Public and Private Keys using encryption algorithms—basically really complex equations that produce semi-random results. The Certificate also includes unique identifiers to prove the web server’s identity. As you can imagine, the ability to produce trusted keys is strictly limited to a few well-vetted Certificate Authorities.
This, along with the fact that early on only big financial institutions and businesses like eBay or Amazon were using them, made SSL Certificates very expensive. But now that everyone and everything is getting hacked, so much more commerce is happening online, and people are getting concerned about the privacy of the data they send across the internet, there are better options.
Why You Need an SSL Certificate
Apart from the whole keeping your customers’ personal and financial data secure thing, there’s another great reason to have an SSL Certificate on your site: Google really wants you to use one.
Google sees unencrypted web traffic as a threat to the security, privacy, and economic activity on the internet, and if they had their way everything would only use encrypted connections. Since they own and develop the web browser Chrome, they are using Chrome to “encourage” website owners to get on the HTTPS train.
When you use Chrome to visit a website using HTTPS, you’ll see a green padlock in the address bar. You can click on it to see information about how secure the site is.
Sites not using HTTPS used to show nothing where the padlock is, but starting in January of 2017 Google updated Chrome to show an exclamation point. Clicking on it reveals a warning that the site is not secure.
This will definitely be unsettling to your customers—if they happen to click on the exclamation point. Almost nobody does, so some time soon (Google won’t say exactly when) that gray exclamation point will be replaced by a red warning sign.
That will definitely get people’s attention. To avoid this fate, everyone running an online store should get an SSL Certificate right now.
How to get an SSL Certificate
If you use an online marketplace like Etsy, or a hosted ecommerce platform like Shopify, you are already protected because they have certificates that cover all of their web servers. If you’re running an online store of your own, many web hosts are now offering a free SSL Certificate when you sign up. If they don’t, or you already have hosting, companies like NameCheap are selling basic SSL Certificates for as little as $9 per year at the time of writing this article.
There is also a service called Let’s Encrypt that offers SSL Certificates for no charge at all. Let’s Encrypt is run by the nonprofit Internet Security Research Group (ISRG), which is dedicated to making it as easy as possible for everyone to make all of their internet traffic secure. If your hosting company supports installing Let’s Encrypt Certificates, it’s a 5-minute process. If your hosting company doesn’t provide an official, easy way to install a Let’s Encrypt Certificate, you still might be able to install one with the help of your hosting company’s tech support.
Configuring Your Website to Use HTTPS
Once you have your SSL Certificate you need to tell your web server to start using it to send and receive all data encrypted with HTTPS. For sites running WordPress + WooCommerce, all you need to do is install a plugin like Really Simple SSL. The plugin takes care of all the server configuration necessary to switch your website over to HTTPS. If you get “Mixed Content” warnings you can fix them with the SSL Insecure Content Fixer Plugin. And that’s it!
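To see where “Mixed Content” warnings come from, the sketch below scans a page’s HTML for resources still referenced over plain http://. It is an added example, not code from either plugin; the shop.example and cdn.example URLs and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a subresource.
# "Active" content can change the page, so browsers block it when insecure.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentFinder(HTMLParser):
    """Collects http:// subresources referenced by a page served over HTTPS."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        # <link> only loads a subresource when it is a stylesheet;
        # rel="canonical" and similar are just metadata.
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower():
            return
        for name, value in attrs.items():
            if not value.lower().startswith("http://"):
                continue  # https:// and protocol-relative // URLs are fine
            if (tag, name) in ACTIVE:
                self.findings.append(("active", tag, value))
            elif (tag, name) in PASSIVE:
                self.findings.append(("passive", tag, value))
            elif (tag, name) == ("form", "action"):
                # Not a subresource, but the form data would leave unencrypted.
                self.findings.append(("form", tag, value))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page for a hypothetical store at shop.example.
SAMPLE = """
<link rel="canonical" href="http://shop.example/cart">
<link rel="stylesheet" href="http://cdn.example/theme.css">
<script src="https://cdn.example/app.js"></script>
<script src="//cdn.example/ok.js"></script>
<img src="http://shop.example/img/mug.jpg">
<a href="http://partner.example/">Partner site</a>
<form action="http://shop.example/checkout" method="post"></form>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

Ordinary links (`<a href>`) are deliberately ignored: navigating to an http:// page is not mixed content, only resources loaded into the HTTPS page are.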
If you don’t have an SSL Certificate for your online store yet, there’s every good reason to go out and get one now and no good reason not to. So go out and get one today, and give your customers a boost of confidence in your store.