How to get a free SSL certificate for a website or blog? Why is SSL important?

What are HTTPS, SSL and TLS?

As a blogger or website owner you would know that the world wide web (www) runs using a protocol called Hyper Text Transfer Protocol or HTTP. So, all websites must have an HTTP declaration in their URL.

But it is possible for miscreants to 'phish' or display their website and present it as another, genuine, website. The HTTP protocol is not able to check such illegal actions. Moreover, during data transmission between the website server and the user's internet browser, there are 'sniffer' programs that can read the data.

So, there is more and more stress on making the protocol secure by making it difficult to fake a website or to read its secure data. HTTPS (the S in the abbreviation stands for 'secure') came in response to this need.

When you see HTTPS at the beginning of a web address, it is an indication that the website has been verified to be 'secure'. This security is achieved through security protocols, SSL (Secure Sockets Layer) and TLS (Transport Layer Security).

Let the confusion between SSL and TLS be removed. The first protocol that came up for securing websites through a security layer was SSL, which ran till version 3.0. It has been succeeded by TLS but both the protocols are in operation. For a user, their distinction doesn't matter as long as his website has HTTPS security implemented through a security certificate that says that it is secured with SSL or TLS. In common parlance, the certificate issued to the website is called an SSL certificate. I will also use this expression to refer to a certificate that provides SSL/TLS based security to websites.

There are many levels of SSL/TLS security and they all do not make the website secure to the same level. When you type the web address of a reliable bank website, it shows the entire ID of the website given in full, with a lock preceding it. Now, use another website with HTTPS (not a bank or such high security website) and you find a lock before the URL. Non-HTTPS sites do not have a lock.

SSL certificates and web security

How does SSL actually operate to keep websites secure?

When you get your website or blog hosted on a web hosting server, you tell the web host to provide you with a security certificate. Once your website has the certificate (SSL/TLS certificate), it means SSL/TLS security software has been placed on the server and will interact with web communication before it reaches your website.

Suppose someone now wants to visit your website. He enters your website's URL in his browser. His browser now sends a request to the server of your website, asking for the information on your website. As your website is HTTPS-enabled (it has a security layer/certification), your server does not give information to the visitor's browser straight away but first sends its SSL certificate to his browser. The browser has a database of genuine security certificates, and it checks whether your website's security certificate is trustworthy. After verification of the certificate, there is a 'handshake' between your server and his browser. Now all the data flow between the two ends during that session is encrypted. If your site accepts money and he puts his credit card details on your site, the details cannot be read by spying software.

Is HTTPS security layer really that important?

When a website shows that it has HTTPS security, it is taken as safe by visitors as well as search engines. That is a huge credibility improvement over non-HTTPS websites and blogs.

In addition, with encrypted communication, those lurking to snoop into user behavior or data cannot succeed. That includes not only criminals and miscreants but also competitors and those wanting to steal data. It is also difficult for others to inject ads or malicious code into such secure communications.

For businesses and small bloggers alike, HTTPS has many advantages besides making the website more secure. When the website is seen as secure, visitors are likely to be more confident in viewing the content, clicking on links and doing transactions on the site. Being technologically up-to-date also gives a positive signal to the visitors about seriousness and professionalism of the website owner/ business/ blogger.

Internet browsers have started deprecating HTTP sites. Chrome and Safari give a warning 'not secure' before the web address of non-HTTPS websites. Mozilla Firefox shows a broken lock before the URL. Edge browser does not show a warning sign but on clicking the 'i' before the web address, you get a warning, 'Be careful here.'

SSL security and browser behavior

It is natural that the credibility gained due to SSL implementation puts secure websites higher in the eyes of search engines. In fact, Google has publicly stated that HTTPS is a quality signal for search ranking.

How to get an SSL certificate?

How is your website or blog hosted? If it is a blog hosted on Blogger, Wordpress, LiveJournal, Medium or some other big free blogging platform, it must already have SSL security. Your social media accounts come with HTTPS because Facebook and Twitter have implemented it across their platform.

If your blog/website is self-hosted, you must get an SSL certificate without losing time. Ask your web host to give it to you. If he charges you a big sum, get an SSL certificate free from a third party and install it. If he does not allow you to use the free SSL certificate on your blog/website, it is time you look for a new web host.

If you are yet to start a blog/website and are in search of a web host for it, look at the plans of major web hosts active in your region. It is likely that an SSL certificate is not included in their basic web hosting plans. As said above, buy only a plan that has a free SSL certificate included or that allows you to install a free SSL certificate from outside (read below: Best Free SSL Certificate). As a small website owner or blogger, you don't need an expensive certificate.

Buy a higher level SSL certificate if you want users to submit personal/ financial data

SSL certificates are issued by Certification Authorities or CAs (e.g. Comodo, Symantec, GoDaddy, DigiCert). Big web hosts themselves are CAs.

As said above, there are different levels of SSL certificates issued by CAs to cater to different security requirements. As such, they do antecedent verification of the website and its owner differently:
  • Domain-Control Validation (DV) is done to verify the domain, nothing else: done for basic level of SSL.
  • Organization Validation (OV) verifies the identity of the owner organization behind the domain.
  • Extended Validation (EV) does the strongest, highly rigorous, checks of the owner's identity. This is done for top SSL security.

If your blog/website allows buying of products, or you ask visitors to submit their sensitive information for availing some benefits, or you carry out e-commerce through it, the website needs a more secure layer. You should buy it from the web host or a third-party CA. The CA will ask you for some documents to prove your genuineness before it gives you the certificate.

Whichever SSL certificate you put on your blog/website, be sure that it is an updated, valid one. Old SSL certificates (pre-version 3.0) may give you only a false sense of security. A bad certificate also shows a warning on web browsers, thus making the website suspicious in the eyes of visitors.
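The certificate check done during the handshake, and the difference between validation levels, can be inspected from a script. The following is an added example, not code from the original article: it uses Python's standard ssl module, the two sample certificates are constructed, and the level hint is a heuristic assumed for this example (based on subject fields), not a formal classification.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5):
    """Do the TLS handshake; raises ssl.SSLCertVerificationError when the
    certificate is untrusted, expired, or issued for another hostname."""
    ctx = ssl.create_default_context()  # system trust store + hostname check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _names(rdns):
    """Flatten the nested tuples getpeercert() uses for subject and issuer."""
    return {key: value for rdn in rdns for key, value in rdn}

def summarize(cert, now=None):
    """Return issuer, days until expiry and a validation-level hint."""
    now = time.time() if now is None else now
    subject, issuer = _names(cert["subject"]), _names(cert["issuer"])
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    # Heuristic (assumption of this example): EV subjects carry
    # businessCategory, OV subjects an organizationName, DV only the domain.
    if "businessCategory" in subject:
        level = "EV"
    elif "organizationName" in subject:
        level = "OV"
    else:
        level = "DV"
    return {"issuer": issuer.get("organizationName", issuer.get("commonName")),
            "days_left": int((expires - now) // 86400),
            "level_hint": level}

# Constructed sample certificates in getpeercert() layout (not real ones).
DV_SAMPLE = {
    "subject": ((("commonName", "blog.example"),),),
    "issuer": ((("organizationName", "Constructed Free CA"),),),
    "notAfter": "Aug 30 00:00:00 2024 GMT",
}
OV_SAMPLE = {
    "subject": ((("organizationName", "Example Shop Ltd"),),
                (("commonName", "shop.example"),)),
    "issuer": ((("organizationName", "Constructed Paid CA"),),),
    "notAfter": "Jun  1 00:00:00 2024 GMT",
}
NOW = ssl.cert_time_to_seconds("Jul  1 00:00:00 2024 GMT")  # fixed clock

if __name__ == "__main__":
    print(summarize(DV_SAMPLE, NOW))  # valid DV certificate
    print(summarize(OV_SAMPLE, NOW))  # OV certificate that has expired
```

For a live site, pass the result of fetch_cert() for your own domain to summarize(); a negative days_left means the certificate has already expired and browsers will warn visitors.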

Best Free SSL Certificate

Let me introduce you to Let's Encrypt, a free certification authority supported by a number of top technology companies. Let's Encrypt provides a basic level of SSL certificate, completely free. Moreover, it is regularly being upgraded.

As of March 2020, Let's Encrypt has issued more than a billion free SSL certificates.

You can visit the Let's Encrypt website to learn how to use the certificate on your blog/website.

Does SSL certificate guarantee against phishing and sniffing?

As a visitor, when you access an HTTPS-enabled site, you know that it is at least a genuine website and your communication or data exchange with the site is encrypted (unless the SSL certificate itself has an issue, which is rare). But a website with a basic SSL certificate can be owned by a fake. So, sites with SSL certification of the basic type could still be malicious to that extent. Moreover, if the website allows third-party content without discretion, criminals can harm visitors and the SSL security can be of no help.

However, if you are not doing a monetary or high-security transaction on a website, HTTPS itself is a first level of assurance that you are using a safe site (yes, with rare chances of phishing). For confidential transactions, you must be sure that the website uses a higher level of certification (seen with a padlock and the company's name before the URL).
