It happens all the time. Someone in the company tells you that you have to get an SSL/TLS certificate for your website. Wait. What? Nooo, it doesn't happen all the time. But, it probably happened to you when working on a test or a special promotion site for your group, and that's why you're reading this blog post. There are a few things to unpack so we've broken it down into a seven-part series. Here's part 1 – this section goes over some of the basics on SSL/TLS certificates and will prepare you for a polite conversation on transaction security with your company's security group.
SSL/TLS Puts the "S" in HTTPS
In HTTPS, the "S" stands for "secure." As consumers, we rely on organizations to secure our online transactions, and on browsers to tell us when a connection is protected: the https:// prefix and the padlock in the address bar mean the browser has verified the site's certificate and is encrypting the session.
SSL/TLS certificates (SSL is the original protocol, long since deprecated; TLS is its successor, and the same X.509 certificates serve both, which is why the two names travel together) do two jobs. They carry the public key the browser uses to set up an encrypted connection, so information sent over the internet cannot be read in transit, and they provide identity assurance: a certificate authority (CA) has checked that whoever holds the matching private key controls the domain name in the certificate. Together these let online consumers positively identify and trust websites that are safe to transact with. A plain HTTP website, no "S", has neither identity nor encryption, so anyone on the network path can read or alter what passes between the visitor and the site. Browsers now label such pages "Not secure" in the address bar and warn when a visitor starts to enter data into a form on one. That usually makes the visitor queasy, and they leave for another website where they feel safe to make their transaction.
How Does an SSL/TLS Certificate Work?
Public Key Infrastructure (PKI) is the system of certificate authorities, certificates and keys that makes SSL/TLS trustworthy: it is how a client (the device the person transacting on your website is using) learns which public key genuinely belongs to your server (your website) before any sensitive data is sent. TLS then uses that key to set up the encryption. The whole scheme rests on a matched pair of cryptographic keys: the public key, which your server hands to every client inside its certificate, and the private key, which stays locked away on your server and must never be shared.
When a client connects, it and your server begin with a "handshake" that relies on your certificate. The client checks that the certificate chains up to a certificate authority it already trusts, that it has not expired, and that the name in it matches the site the client asked for. Your server then proves it holds the matching private key by signing handshake data with it (older TLS versions instead had the client encrypt a secret to the server's public key, which only the private key could decrypt). The two sides agree on fresh symmetric session keys, in modern TLS through an ephemeral Diffie-Hellman exchange, and from that point every byte between them is encrypted and integrity-protected, so no one can read or silently alter the communications in transit. That is why the padlock means both "this really is the site" and "nobody is listening". From then on all the client's personal data, login credentials, credit card information and so on, can be transmitted securely to your server. Note the asymmetry in how the keys are used: anything encrypted to your public key can only be decrypted with your private key, and anything signed with your private key can be verified by anyone holding the public key. The first gives secrecy, the second gives identity, and it is the second that stops an attacker from impersonating your site, because a forged certificate for your domain does not come with your private key.
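The handshake and the trust decision described in the two paragraphs above, as an added example that is not part of the original post or of any product it describes. It uses Go's standard library TLS stack, which performs the same certificate checks a browser does: chain to a trusted anchor, validity period, and hostname match. The names shop.example and bank.example are hypothetical, and because the demo must run offline it issues its own self-signed certificate and places only that certificate in the client's trust store, standing in for the CA-issued certificate and the browser's built-in root store. The server's private key never leaves the server side; the "impostor" is a second certificate for the same name under a different key pair, which is all an attacker without the real private key can produce.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewSelfSignedCert makes an ECDSA P-256 key pair and a certificate binding the
// public key to the DNS name host. Self-signed only so the demo runs offline;
// a public site gets its certificate from a CA browsers already trust.
func NewSelfSignedCert(host string) (server tls.Certificate, public *x509.Certificate, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return server, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the identity the client checks against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return server, nil, err
	}
	if public, err = x509.ParseCertificate(der); err != nil {
		return server, nil, err
	}
	// The private key stays with the server; clients only ever see der/public.
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, public, nil
}

// Handshake runs one TLS handshake over loopback TCP. The server presents
// serverCert; the client trusts only the certificates in roots and expects the
// name serverName. It returns the negotiated TLS version, or the client's
// error, which is the same verdict a browser reaches before it shows a page.
func Handshake(serverCert tls.Certificate, roots *x509.CertPool, serverName string) (uint16, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		srv := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}, MinVersion: tls.VersionTLS12})
		_ = srv.Handshake() // the client's verdict is the one we report
	}()
	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return 0, err
	}
	defer raw.Close()
	_ = raw.SetDeadline(time.Now().Add(5 * time.Second)) // never let the demo hang
	cli := tls.Client(raw, &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12})
	if err := cli.Handshake(); err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	good, goodLeaf, err := NewSelfSignedCert("shop.example")
	if err != nil {
		panic(err)
	}
	fake, _, err := NewSelfSignedCert("shop.example") // same name, different key pair
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(goodLeaf) // the client's trust store holds only the real certificate
	v, err := Handshake(good, roots, "shop.example")
	fmt.Printf("real certificate:     version 0x%04x, err=%v\n", v, err)
	_, err = Handshake(fake, roots, "shop.example") // a man-in-the-middle's best attempt
	fmt.Println("impostor certificate: err =", err)
	_, err = Handshake(good, roots, "bank.example") // right key, wrong site
	fmt.Println("wrong hostname:       err =", err)
}
```

Run with `go run`. The first handshake completes (Go negotiates TLS 1.3 by default, reported as 0x0304); the second fails because the impostor's certificate does not chain to anything the client trusts, and the third fails because a certificate for shop.example does not prove that the server is bank.example, even though the key behind it is genuine. Those two failures are exactly the identity checks the text describes, and they happen before any application data is sent.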
So, why do I need an SSL/TLS Certificate?
SSL/TLS certificates provide important advantages that can mean the difference between creating a seamless and secure website experience versus an alarming one for website visitors. Here are a few benefits that SSL/TLS provide for you:
To sum it up, SSL/TLS certificates are essential for web-based projects that can be viewed by anyone surfing the internet: nearly 80% of all web page loads are now encrypted, and the number is rising rapidly. No general law obliges every website to use a certificate (industry rules such as PCI DSS do require encryption of cardholder data in transit), but HTTPS is the baseline browsers expect: they show plain HTTP pages as "Not secure" and restrict features such as geolocation and service workers to secure contexts, so visitors engage far more readily with websites that have HTTPS. Stay tuned for the next post in our seven-part series, which will cover what you need to know about the different certificate types.