Everything You Need To Know About SSL Certificates

SSL stands for Secure Sockets Layer and is used to encrypt the connection between web browsers and your website

This prevents bad actors (hackers) from extracting personal, security and financial data by snooping in on the network where the data is being transmitted through.

Public WIFI connections are a prime target for hackers to try and snoop on network traffic.

Unless you are using HTTPS and on a Virtual Private Network (VPN), you should never use public WIFI networks in restaurants, cafes, hotels, gyms, shopping centres, libraries, airports…

Technically, no.

Practically, yes, yes and yes!

Google ranks secured websites higher in the SERPs than similar unsecured websites.

The whole interwebs will be a safer place when every website is secured.

People are becoming more security-aware untrusting of non-secured websites.

As far as security goes, there is no difference between a free SSL certificate and a paid one.

They do the same thing to encrypt the data sent between your web browser and the webserver.

See “SSL Certificates With Bundled Liability Insurance and Warranties”.

No. Never.

See “SSL Certificates With Bundled Liability Insurance and Warranties”.

This is a white-collar con to scare you into buying a more expensive product.

There have been no known cases where a data breach caused by a “faulty” SSL certificate have gone to court.

The whole idea of offering liability if encrypted data is stolen, decrypted and used for nefarious deeds is absurd.

If the current 256-bit encryption system of an SSL certificate were known to be compromised, companies would increase the encryption factor to compensate.

See “SSL Encryption Strength and the Time It Would Take to Crack It”.

No, you cannot stack multiple SSL certificates on a single domain.

You can only have one SSL certificate per active domain name.

If you use subdomains, e.g. courses.mydomain.com, you can register your SSL certificate as a wildcard SSL certificate.

This usually takes the format *.mydomain.com when registering your SSL certificate.

HTTP stands for HyperText Transfer Protocol, and it’s the method by which data is transferred between your browser and a web server.

By default, data transferred using HTTP is unencrypted plain-text.

Theoretically, a hacker can snoop the data being transferred across the network and extract it.

The “S” in HTTPS stands for “Secure”.

Data transferred across the network using HTTPS is encrypted.

For a while, some web browsers would display a green tick or even some additional information about the SSL certificate validation if you clicked on a secured HTTPS URL.

This is no longer the case.

Most popular web browsers will tell you that the site is “not secure” if using only HTTP and a padlock icon to indicate the site is sure and using HTTPS.

This is how Chrome and most of the popular browsers now display SSL certificates, including EV (just a grey padlock).

Here is how Chrome displays non-secure HTTP websites (warning triangle and the words “Not secure”).

EV SSL certificates are dead.

Yes.

SSL certificates encrypt the data sent between your web browser and the webserver.

They do not increase the security of your login username or password.

Consider using two-factor authentication (2FA) to increase your website security from hacking.

If you have installed an SSL certificate, you also want to make sure all your visitors are redirected to your website’s SSL/HTTPS version.

For a WordPress website, it’s a bit of a lengthy process.

Watch my Move A WordPress Site To HTTPS WPQuickies episode.

Let’s Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG).

It basically gives anyone (you and web hosting providers) a free SSL certificate.

SSL certificates are installed on your webserver.

Many web hosting interfaces such as cPanel or Plesk have icons that allow you to create and issue (install) an SSL certificate on your web server.

If your account doesn’t have these options, you will need to contact your web hosting provider directly using a support call or ticket.

Visit your website homepage using https:// rather than http://.

If you get an error, then your domain isn’t configured with an SSL certificate.

You may see an error screen like this on your browser (this is from Chrome).

Technically, no.

Practically, yes, yes and yes!

See “Do I Need an SSL Certificate?”.

You can obtain an SSL certificate from your web hosting provider.

If they ask you to pay, you may consider moving to another web host that doesn’t charge.

No.

Most of today’s SSL/TLS certificates offer 256-bit encryption strength.

It’s highly improbable to crack the standard 256-bit cryptographic key with today’s computer power.

Maybe when quantum computers start to emerge they will give encryption a run for its money.

You might have heard that nothing is unbreakable in the world of the internet, and that’s true as well.

SSL encryption strength being used today is breakable – but it would take an extremely long time to do so.

How much exactly?

Well, more than the age of the universe.

Yes, it’d take that long for today’s supercomputers to crack 128-bit encryption, the least strength of SSL/TLS encryption being used today.

Here’s how much time it’d take to crack SSL certificates of various encryption strengths:

TLS stands for Transport Layer Security. It’s a protocol used to encrypt the information before it’s transmitted from one place to another.

For example, when you make a credit card payment online, TLS encrypts your details before they’re sent off to the website to process the payment.

TLS evolved from a previous encryption protocol called Secure Sockets Layer (SSL), which Netscape developed.

TLS version 1.0 actually began development as SSL version 3.1, but developers changed the name of the protocol before publication to indicate that it was no longer associated with Netscape.

Because of this history, the terms TLS and SSL are sometimes used interchangeably.

HTTPS is an implementation of TLS encryption on top of the HTTP protocol, which is used by all websites and some other web services.

Any website that uses HTTPS is therefore employing TLS encryption.

There are three main components to what the TLS protocol accomplishes: Encryption, Authentication, and Integrity.

Encryption: hides the data being transferred from third parties.
Authentication: ensures that the parties exchanging information are who they claim to be.
Integrity: verifies that the data has not been forged or tampered with.

The latest versions of TLS hardly impact web application performance at all.

Because of the complex process of setting up a TLS connection, a web server must use some load time and computational power. The client and server must communicate back and forth several times before any data is transmitted. That eats up precious milliseconds of load times for web applications and some memory for both the client and the server.

However, there are technologies in place that help to mitigate potential latency created by the TLS handshake. TLS False Start lets the server and client start transmitting data before the TLS handshake is complete. Another technology to speed up TLS is TLS Session Resumption, which allows clients and servers previously communicated to use an abbreviated handshake.

These improvements have helped to make TLS a high-speed protocol that should not noticeably affect load times. As for the computational costs associated with TLS, they are mostly negligible by today’s standards.

TLS 1.3, released in 2018, has made TLS even faster. TLS handshakes in TLS 1.3 only require one round trip (or back-and-forth communication) instead of two, shortening the process by a few milliseconds. When the user has connected to a website before, the TLS handshake has zero round trips, speeding it up further.

Probably.

New protocols are being developed all the time for a fast and more secure web.

For the time being, TLS is at version 1.3, released in 2018.