Whenever you visit a website, a server transmits data to your computer and your computer replies. This data is relatively easy to intercept because it passes through several other computers on the way to its final destination. By default, this data is sent as ‘plain text’, meaning anyone who intercepts it can read the information inside. This is a big problem if the data includes sensitive information such as credit card details or personal information.
The solution is for the sender to encrypt the data before it leaves and for the recipient to decrypt it when it arrives. The encryption is achieved using SSL/TLS technology. As part of the SSL/TLS process, the website’s server sends the visitor’s computer a key used to set up the encryption, together with a certificate. The visitor’s web browser checks the SSL/TLS certificate to verify that this key really belongs to the site it claims to belong to.
SSL certificates require a digital signature from a verifying entity. The server owner can use their own signature, creating a so-called ‘self-signed’ certificate, but this is near useless for verification purposes because nobody independent vouches for it. Far more useful is a certificate signed by a specific type of third party called a Certificate Authority (CA). Certificate authorities are companies which issue SSL certificates to entities. They verify the business or organisational entity through processes such as emails and phone calls. The value of CA signatures is that they are trusted by most modern web browsers. This allows the connection to proceed seamlessly for the website visitor. Without the implicit approval of the browser, visitors are prompted to manually approve the certificate. This process is jarring and breaks trust.
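As an added illustration (not part of the original post, and not the setup used by Phoenix Web or VentraIP), the openssl commands below build a throwaway CA, sign a server certificate with it, and then show the browser-style chain check succeeding for the CA-signed certificate and failing for a self-signed one. The names ‘Example CA’ and ‘www.example.test’ are made-up placeholders.

```shell
#!/bin/sh
# Added example: a tiny private CA, a CA-signed server certificate, and a
# self-signed certificate for the same site name. "Example CA" and
# "www.example.test" are placeholders, not real entities.
set -eu

WORK=$(mktemp -d)

# 1. The "Certificate Authority": a self-signed root. A browser ships a store
#    of such roots; in this demo the only trusted root is this one.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. The website: its own key and a signing request, then a certificate the
#    CA signs (what a real CA does after checking you control the domain).
make_signed_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null
}

# 3. A self-signed certificate for the same name: signed with its own key,
#    so no trusted root vouches for it.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
}

# verify_cert CERT: chain check against the trusted root, like a browser does.
# Prints "trusted" when a trusted CA signed the certificate, else "untrusted".
verify_cert() {
  if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_ca
make_signed_cert
make_self_signed
echo "CA-signed:   $(verify_cert "$WORK/server.crt")"   # trusted
echo "self-signed: $(verify_cert "$WORK/self.crt")"     # untrusted
```

Installing the self-signed certificate on a real server would produce exactly the browser warning the paragraph above describes, because the visitor’s trust store contains no root that signed it.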
Usually the server owner obtains the certificate from a CA through purchase, although some CAs provide free certificates. Comodo is the largest Certificate Authority in the world with about a third of all SSL certificates, followed by Symantec. Here at Phoenix Web we usually use certificates issued by Trustwave or Let’s Encrypt, as these are integrated into the hosting we provide at VentraIP.
Many payment gateways explicitly require an SSL certificate to be installed on your website. An example is the NAB payment gateway. Even if not required, an SSL certificate is a useful addition to your website. Here’s why:
The http protocol is replaced by https.
As long as it is installed properly, there is no real downside to installing an SSL certificate on your server. Installing the certificate can be a somewhat complex endeavour. For example, if any external resources are loaded via HTTP, the browser will show an off-putting mixed-content error. These resources must be loaded via HTTPS. On the server side, certificates will have to be replaced when they expire. As long as the server is set up correctly, this process is very quick.