With the recent announcement by Google that sites using an SSL certificate will be viewed more favorably when ranking search results, hosting companies and domain registrars are experiencing a surge in certificate registrations. SSL makes the web safer, but installing a certificate can be tricky and, if done incorrectly, will cause more harm than good.
What is the difference between “http” and “https”?
The internet is comprised of millions of desktops, phones, laptops and servers sending information across the world to each other over the Hypertext Transfer Protocol (HTTP). HTTP is a set of standards used as a “request-response” protocol between a client and a server, which means that when your computer queries a server for a URL, the server will respond with a file or webpage.
The response is sent as plaintext, meaning anyone who is in between you and the server you’re connecting with can intercept anything you request or anything you receive. If you send sensitive financial information or a password over HTTP, anyone who is connected to the same internet connection you are (for example, anyone using the same Wi-Fi router) can intercept it, as can your ISP, operators of various internet nodes that carry traffic across the web, or a government that is tapping a node that your connection passes over.
Hypertext Transfer Protocol Secure (HTTPS) is the same protocol as HTTP; however, it is overlaid on top of SSL/TLS. SSL is a secure socket layer that allows for private encrypted communications between your computer and the server you’re connected to. To encrypt your information before sending it over a secure socket, you must use an SSL certificate.
What is an SSL certificate?
An SSL certificate is a file that binds a cryptographic key to a hostname (e.g. google.com).
Data sent using an SSL certificate is scrambled and can only be deciphered with a matching decryption key. SSL certs also bind information about the organization that purchased the cert, for example:
- The name of the entity that purchases the certificate
- An address and phone number (optional)
- A serial number and expiration date unique to the certificate
- A digital signature of the certificate issuing authority who signed the certificate
The certificate used by https://www.facebook.com
An SSL certificate file contains two different keys: a private key and a public key (called keys because they act like a key for a door). Public keys are used to encrypt files, like locking a digital door, and private keys let you decipher the encryption, like unlocking the same door.
An “SSL handshake” authenticates the website and the web browser. This is an exchange of data that lets the client (your browser) and a server establish trust to share information.
An SSL handshake. Source: trebortech.com
Certificate authorities are groups that issue certificates and help the client (your browser) trust that the certificate being used was vetted and created by a 3rd party entity. These groups are important because anyone can generate an SSL certificate, including malicious users and hackers. Purchasing a certificate from a trusted authority ensures that it was not crafted maliciously and is not being forged in a “man-in-the-middle attack”.
Aside from being established organizations with reputable brands, certificate authorities also verify that the person who requested an SSL certificate owns the domain by sending an email to the email address that was used to register the domain name. This makes it impossible to issue an SSL certificate for a specific domain name to anybody except the owner of that domain, adding another layer of trust.
In an effort to save money, some hosting companies and domain registration companies offer self-signed certificates, which are certificates that are not issued by a certificate authority. These certificates can be created for free, generated instantly, and customized with any number of variables which a certificate authority may not offer.
There are several downsides to using a self-signed certificate that should be considered when purchasing an SSL certificate. For one, modern browsers are by default set to only accept certificates issued by a certificate authority. If you use a self-signed certificate on your site, visitors will see a message in their browsers which looks like this:
Another downside is that because they are not issued from a certificate authority, they can be forged and do not offer the same level of protection. These certificates cannot be revoked, whereas a certificate authority can revoke a certificate if it becomes compromised by a malicious entity.
Why does Google care about SSL?
In an effort to enhance security on the web, Google announced that sites using HTTPS will receive a slight boost in their weighted algorithm which determines website ranking. Some likely reasons for giving preference to sites with SSL certificates include:
- SSL certificates cost money, which may deter spammers from using them on their sites, which means sites that use certificates are less likely to be spammy results.
- SSL certificates are likely registered with a certificate authority, meaning that valid information on the business can be accessed (corporation name, address, phone number, etc.) which makes the site more reputable and less likely to be spam.
- SSL certificates protect users who may transmit sensitive information like credit card numbers or social security numbers from having their information intercepted.
How can I make sure my certificate is installed properly?
Google provides these basic tips to make sure you install your certificate correctly:
- Decide the kind of certificate you need: single, multi-domain, or wildcard certificate
- Use 2048-bit key certificates
- Use relative URLs for resources that reside on the same secure domain
- Use protocol relative URLs for all other domains
- Don’t block your HTTPS site from crawling using robots.txt
- Avoid the noindex robots meta tag.
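The URL, robots.txt and noindex tips above can be checked mechanically. The following Python sketch is an added example, not code from Google or from this article's author; the function names, finding labels, host names and sample markup are assumptions constructed for illustration, and it does not cover certificate type or key size.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
from urllib.robotparser import RobotFileParser

class HttpsPageAudit(HTMLParser):
    """Collects (finding, value) pairs for a page served from https://site_host/."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Tip: avoid the noindex robots meta tag.
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            if "noindex" in (a.get("content") or "").lower():
                self.findings.append(("noindex", a.get("content")))
        # Subresources: any src attribute, plus stylesheet links.
        url = a.get("src")
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            url = a.get("href")
        if not url:
            return
        parts = urlsplit(url)
        if parts.hostname == self.site_host:
            # Tip: same-domain resources should use relative URLs.
            self.findings.append(("same-host-absolute", url))
        elif parts.scheme == "http":
            # Tip: other domains should not be pinned to plaintext http://.
            self.findings.append(("insecure-url", url))

def audit_page(html, site_host):
    parser = HttpsPageAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

def robots_blocks_site(robots_txt, site_host, agent="Googlebot"):
    """True if robots.txt forbids the crawler from fetching the HTTPS home page."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return not rp.can_fetch(agent, f"https://{site_host}/")

# Constructed sample input (not taken from any real site).
SAMPLE_HTML = """<head><meta name="robots" content="noindex, follow">
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.net/lib.js"></script></head>
<body><img src="https://www.example.com/img/logo.png">
<img src="//static.example.org/banner.png"></body>"""
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /\n"

if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, "www.example.com"))
    print(robots_blocks_site(SAMPLE_ROBOTS, "www.example.com"))
```

On the sample page, the relative stylesheet and the protocol-relative image pass, while the `http://` script, the absolute same-host image and the noindex tag are reported.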