The Electronic Frontier Foundation has rocked the world of SSL vendors by announcing the release of their own free SSL certificate in 2015. This 5-minute briefing gives you the background on this news and what issues should be considered in the new, secure internet.
Who is behind this free SSL movement?
The Electronic Frontier Foundation (EFF), in partnership with Mozilla, Cisco, Akamai, IdenTrust and the University of Michigan, has formed a new certificate authority (CA) initiative called Let’s Encrypt. Their aim is to clear the roadblocks to transitioning the Web from HTTP to HTTPS.
An SSL certificate is needed when changing your website from the standard HTTP to the more secure HTTPS. This is commonly represented by a closed padlock in the browser address bar.
Why is HTTPS becoming more important?
Data privacy is a lively topic at the moment, with stories of large-scale hacking attempts making the news. Our lives are moving online but security is still a major problem. This risk has grown as people increasingly log in from public places, such as coffee shops, using shared WiFi. HTTPS makes it much harder for hackers to intercept data, such as passwords or emails.
Leading web companies have recognised the threat and are forcing users to use HTTPS to access their websites and applications. Google made HTTPS the default for all users late in 2013 and have made this a ranking factor in their search engine.
Will free SSL certificates speed up this transition?
Yes. The price of SSL has plummeted over the years but SSL is only seen as a business priority for e-commerce websites. Eliminating the cost will increase the take-up of certificates and make HTTPS the standard for websites. In addition, the Let’s Encrypt initiative is releasing one-click software to help install the certificates, thereby cutting administration costs as well.
This movement may prompt SSL vendors to release their entry-level SSL certificates for free. StartCom has already taken this approach, making their class 1 SSL certificates free for non-commercial use. If HTTPS becomes the standard, then ignoring this standard could become a problem both for users and devices that interact with your website.
Won’t free SSL kill off this industry?
Unlikely. SSL vendors have been working hard to enhance their product range in recent years to increase revenue. There is little difference between SSL certificates from a security perspective, so they have started offering increased verification of the registrant to increase product trust. There are now three types of certification available:
- Domain Validation (DV) SSL Certificates – verification of the right of the applicant to use their domain name
- Organisation Validation (OV) SSL Certificates – checks are run on the domain name and some light vetting of the organisation (i.e. company registration).
- Extended Validation (EV) SSL Certificates – the domain name is checked together with a thorough vetting of the organisation’s legal and operational status.
Verification can be promoted by the applicant on their website and can be seen by users by clicking site-seals or looking at the certificate information itself.
Top-tier vendors, such as Norton, are bundling insurance products with these enhanced certificates, such as user identity theft protection, purchase protection and even a 30-day lowest price guarantee for shoppers.
By giving away entry-level certificates, SSL vendors would retain and build brand loyalty while promoting the benefits of their premium products.
Should I be thinking of buying a premium SSL?
Yes. SSL certificates are becoming widespread and can even be found on illegal phishing websites. Experts suggest that this kind of activity could damage the perception of SSL security. To combat this, SSL vendors must invest in their brand and how this is conveyed to the public. A study by the Baymard Institute in 2013 agreed, indicating brand awareness is key to consumer confidence. While the free Let’s Encrypt initiative could gain traction, they are unlikely to have the marketing power of the top-tier vendors.
So brand awareness is everything?
“Performance should also be considered”, says Richard Howard, Architect on the Global Channels Optimisation Team at Vodafone. “Every time an SSL connection is made, a cryptographic handshake is required with the certificate authority (CA). This issue is compounded by the number of 3rd party tags on your page, each requiring their own SSL handshake.”
Indeed, CAs have a wide range of response times with some adding several seconds to the page load time on an enterprise website.
With Google now rewarding website speed in their ranking algorithm and the rise of mobile internet, performance is an important factor.
Ok, so anything else I need to consider?
Changing a website from HTTP to HTTPS can cause issues for your development team. The most common issue results from having an image, CSS, JS, or other similar file loaded as part of a secure webpage without using an SSL connection (i.e. with an HTTP connection). This causes browser warnings. For example, Internet Explorer 8 has a “Security Warning” dialog box that says:
Do you want to view only the webpage content that was delivered securely? This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage.
This kind of message can lead to a dramatic rise in your user bounce-rate. Once your website uses HTTPS, it is essential that every page is checked for errors.
The transition to HTTPS will herald a new, more secure internet but this move must be carefully considered, especially with the potential impact on performance. If sensibly done, there are opportunities to increase organic rankings and audience conversion. I’d love to hear your thoughts on this evolution.
The post How Free SSL Certificates Will Change the Internet appeared first on Nick Wilsdon.