Everything You Need To Know About SSL Certificates

As a WordPress consultant, I often get asked questions about SSL Certificates.

It generally seems to be a very confusing topic for beginners to get to grips with.

Here is a list of questions and answers that will give you everything you need to know about SSL certificates.

What Does an SSL Certificate Do?

SSL stands for Secure Sockets Layer and is used to encrypt the connection between web browsers and your website.

This prevents bad actors (hackers) from extracting personal, security and financial data by snooping on the network that the data is being transmitted through.

Public Wi-Fi connections are a prime target for hackers to try and snoop on network traffic.

Unless you are using HTTPS and on a Virtual Private Network (VPN), you should never use public Wi-Fi networks in restaurants, cafes, hotels, gyms, shopping centres, libraries, airports…

Do I Need an SSL Certificate?

Technically, no.

Practically, yes, yes and yes!

Google ranks secured websites higher in the SERPs than similar unsecured websites.

The whole interwebs will be a safer place when every website is secured.

People are becoming more security-aware and untrusting of non-secured websites.

Free SSL Certificate vs Paid Certificate

As far as security goes, there is no difference between a free SSL certificate and a paid one.

They do the same thing to encrypt the data sent between your web browser and the webserver.

See “SSL Certificates With Bundled Liability Insurance and Warranties”.

Should I Pay For an SSL Certificate?

No. Never.

See “SSL Certificates With Bundled Liability Insurance and Warranties”.

SSL Certificates With Bundled Liability Insurance and Warranties

This is a white-collar con to scare you into buying a more expensive product.

There have been no known cases where a data breach caused by a “faulty” SSL certificate has gone to court.

The whole idea of offering liability if encrypted data is stolen, decrypted and used for nefarious deeds is absurd.

If the current 256-bit encryption system of an SSL certificate were known to be compromised, companies would increase the encryption factor to compensate.

See “SSL Encryption Strength and the Time It Would Take to Crack It”.

Can I Add Multiple SSL Certificates For Additional Security?

No, you cannot stack multiple SSL certificates on a single domain.

You can only have one SSL certificate per active domain name.

If you use subdomains, e.g. courses.mydomain.com, you can register your SSL certificate as a wildcard SSL certificate.

This usually takes the format *.mydomain.com when registering your SSL certificate.
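
How a wildcard name is matched, as an added example (not code from the original article): the asterisk stands in for exactly one left-most label, so *.mydomain.com covers courses.mydomain.com but neither the bare mydomain.com nor a deeper name. The function names and the host list are constructed for illustration.

```python
def cert_covers(cert_name, hostname):
    """True if one certificate name (exact or whole-label wildcard) covers hostname."""
    name_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard never spans dots, so both sides need the same number of labels.
    if len(name_labels) != len(host_labels):
        return False
    if name_labels[0] == "*":
        # Require at least two fixed labels after the asterisk (rejects "*.com").
        return len(name_labels) >= 3 and name_labels[1:] == host_labels[1:]
    return name_labels == host_labels


def uncovered(cert_names, hostnames):
    """Hostnames that none of the certificate's names cover."""
    return [h for h in hostnames
            if not any(cert_covers(n, h) for n in cert_names)]


# Constructed list of names a site might serve.
HOSTS = [
    "mydomain.com",
    "www.mydomain.com",
    "courses.mydomain.com",
    "shop.courses.mydomain.com",
]

if __name__ == "__main__":
    # Wildcard only: the bare domain and the two-level subdomain are left out.
    print(uncovered(["*.mydomain.com"], HOSTS))
    # Wildcard plus the bare domain: only the two-level subdomain is left out.
    print(uncovered(["mydomain.com", "*.mydomain.com"], HOSTS))
```
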

What’s The Difference Between HTTP and HTTPS?

HTTP stands for HyperText Transfer Protocol, and it’s the method by which data is transferred between your browser and a web server.

By default, data transferred using HTTP is unencrypted plain-text.

Theoretically, a hacker can snoop the data being transferred across the network and extract it.

The “S” in HTTPS stands for “Secure”.

Data transferred across the network using HTTPS is encrypted.

What Is Extended Validation (EV)?

For a while, some web browsers would display a green tick or even some additional information about the SSL certificate validation if you clicked on a secured HTTPS URL.

[Image: Old EV SSL certificate information in Chrome]

This is no longer the case.

Most popular web browsers will tell you that the site is “not secure” if it uses only HTTP, and show a padlock icon to indicate that the site is secure and using HTTPS.

This is how Chrome and most of the popular browsers now display SSL certificates, including EV (just a grey padlock).

[Image: Chrome padlock for secure https websites]

Here is how Chrome displays non-secure HTTP websites (warning triangle and the words “Not secure”).

[Image: Chrome Not Secure message]

EV SSL certificates are dead.

Can SSL Websites Still Be Hacked?

Yes.

SSL certificates encrypt the data sent between your web browser and the webserver.

They do not increase the security of your login username or password.

Consider using two-factor authentication (2FA) to increase your website security from hacking.

How Do I Change My URL Over From HTTP To HTTPS?

If you have installed an SSL certificate, you also want to make sure all your visitors are redirected to your website’s SSL/HTTPS version.

For a WordPress website, it’s a bit of a lengthy process.

Watch my Move A WordPress Site To HTTPS WPQuickies episode.

What Is Let’s Encrypt?

Let’s Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG).

It basically gives anyone (you and web hosting providers) a free SSL certificate.

Where Do SSL Certificates Go?

SSL certificates are installed on your webserver.

How Do I Install an SSL Certificate?

Many web hosting interfaces such as cPanel or Plesk have icons that allow you to create and issue (install) an SSL certificate on your web server.

If your account doesn’t have these options, you will need to contact your web hosting provider directly using a support call or ticket.

How Can I Tell If My Website Uses SSL?

Visit your website homepage using https:// rather than http://.

If you get an error, then your domain isn’t configured with an SSL certificate.

You may see an error screen like this on your browser (this is from Chrome).

[Image: Your connection is not private Chrome browser HTTP warning]
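
The same check from a script, as an added example (not code from the original article): it attempts a verified TLS connection the way a browser does and reports the negotiated protocol version and the days left before the certificate expires. The function names, the sample certificate and the example.com hostname are assumptions for illustration.

```python
import socket
import ssl
import time


def days_until_expiry(cert, now=None):
    """Whole days until the certificate's notAfter date (negative = expired).

    `cert` is the dict returned by SSLSocket.getpeercert().
    """
    now = int(time.time()) if now is None else int(now)
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400


def check_https(host, port=443, timeout=5.0):
    """Try a verified TLS connection and report what happened."""
    ctx = ssl.create_default_context()  # checks the chain, dates and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"https": True, "protocol": tls.version(),
                        "days_left": days_until_expiry(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        # The case a browser reports as "Your connection is not private".
        return {"https": False,
                "reason": "certificate rejected: " + exc.verify_message}
    except ssl.SSLError as exc:
        return {"https": False, "reason": "TLS handshake failed: " + str(exc)}
    except OSError as exc:
        return {"https": False, "reason": "could not connect: " + str(exc)}


# Constructed sample in the format getpeercert() returns, for offline use.
SAMPLE_CERT = {"notAfter": "Jan  5 09:34:43 2018 GMT"}

if __name__ == "__main__":
    print(check_https("example.com"))  # placeholder hostname; use your own domain
```
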

Do I Need an SSL Certificate If I Am Not Collecting Any Sensitive Information?

Technically, no.

Practically, yes, yes and yes!

See “Do I Need an SSL Certificate?”.

Where Can I Get an SSL Certificate?

You can obtain an SSL certificate from your web hosting provider.

If they ask you to pay, you may consider moving to another web host that doesn’t charge.

Are There Any Downsides To Having an SSL Certificate?

No.

HTTPS Encryption Strength

Most of today’s SSL/TLS certificates offer 256-bit encryption strength.

It’s highly improbable that anyone could crack the standard 256-bit cryptographic key with today’s computing power.

Maybe when quantum computers start to emerge they will give encryption a run for its money.

SSL Encryption Strength and the Time It Would Take to Crack It

You might have heard that nothing is unbreakable in the world of the internet, and that’s true as well.

SSL encryption strength being used today is breakable – but it would take an extremely long time to do so.

How much exactly?

Well, more than the age of the universe.

Yes, it’d take that long for today’s supercomputers to crack 128-bit encryption, the lowest strength of SSL/TLS encryption being used today.

Here’s how much time it’d take to crack SSL certificates of various encryption strengths:

Encryption Strength    Time To Crack
56 bit                 399 seconds
128 bit                1.02 x 10^18 years
192 bit                1.872 x 10^37 years
256 bit                3.31 x 10^56 years

What Is TLS?

TLS stands for Transport Layer Security. It’s a protocol used to encrypt the information before it’s transmitted from one place to another.

For example, when you make a credit card payment online, TLS encrypts your details before they’re sent off to the website to process the payment.

What Is the Difference Between TLS and SSL?

TLS evolved from a previous encryption protocol called Secure Sockets Layer (SSL), which Netscape developed.

TLS version 1.0 actually began development as SSL version 3.1, but developers changed the name of the protocol before publication to indicate that it was no longer associated with Netscape.

Because of this history, the terms TLS and SSL are sometimes used interchangeably.

What Is the Difference Between TLS and HTTPS?

HTTPS is an implementation of TLS encryption on top of the HTTP protocol, which is used by all websites and some other web services.

Any website that uses HTTPS is therefore employing TLS encryption.

What Does TLS Do?

There are three main components to what the TLS protocol accomplishes: Encryption, Authentication, and Integrity.

Encryption: hides the data being transferred from third parties.
Authentication: ensures that the parties exchanging information are who they claim to be.
Integrity: verifies that the data has not been forged or tampered with.

How Does TLS Affect Web Application Performance?

The latest versions of TLS hardly impact web application performance at all.

Because of the complex process of setting up a TLS connection, a web server must use some load time and computational power. The client and server must communicate back and forth several times before any data is transmitted. That eats up precious milliseconds of load times for web applications and some memory for both the client and the server.

However, there are technologies in place that help to mitigate potential latency created by the TLS handshake. TLS False Start lets the server and client start transmitting data before the TLS handshake is complete. Another technology to speed up TLS is TLS Session Resumption, which allows clients and servers that have previously communicated to use an abbreviated handshake.

These improvements have helped to make TLS a high-speed protocol that should not noticeably affect load times. As for the computational costs associated with TLS, they are mostly negligible by today’s standards.

TLS 1.3, released in 2018, has made TLS even faster. TLS handshakes in TLS 1.3 only require one round trip (or back-and-forth communication) instead of two, shortening the process by a few milliseconds. When the user has connected to a website before, the TLS handshake has zero round trips, speeding it up further.

Will TLS Ever Be Replaced?

Probably.

New protocols are being developed all the time for a faster and more secure web.

For the time being, TLS is at version 1.3, released in 2018.

Have I missed anything out?

Do you still have an unanswered question about SSL certificates?

Ask in the comments below.

Wil

Wil is a dad, WordPress consultant, WordPress developer, business coach and mentor. He co-organizes the WordPress Sydney meetup group and has been on the organising committee for WordCamp Sydney since 2014. He speaks at many special events and contributes to the WordPress open source project. His likes are chillies, craft beer and electrogravitics.
