What an online store owner needs to know about SSL certificates

Are customers reluctant to make purchases on your online store? Most likely, they don't trust the security and authenticity of your site, and the reason for this is the lack of SSL, a protocol for establishing a secure connection between the user and the server.

To avoid getting into technical details, we can say that SSL encrypts the information entered by the customer, from payment details to passwords, and then transmits it via HTTPS in encrypted form. Personal data can still be intercepted, but it takes much longer and is more difficult to decrypt.

To make the site work through the secure HTTPS protocol, its owner needs to obtain an SSL certificate.

Why does a site owner need SSL?

Having a certificate on the site significantly increases trust, although the protocol itself does not guarantee a high level of protection against hacking or virus attacks. In addition to user trust, the SSL certificate provides another bonus – protection when accessing the admin panel through a public Wi-Fi network.

Although the main target audience for this protocol is online stores that collect payment details, it will also be beneficial for all other types of organizations that want to make a good impression on potential customers. Moreover, in the modern online world, the absence of an SSL certificate on any site with authorization capabilities is considered bad practice. Therefore, owning the protocol is in the interest of almost any site owner, especially considering that it can be done quickly and completely for free.

An important aspect is that modern users are becoming more conscious of security and pay attention to the presence of a green label in the domain name of the site. Why does an ordinary user need an SSL certificate? Unlike site owners, regular users find certification very useful. Sites protected by the HTTPS protocol guarantee the prevention of data theft entered by potential clients.

The risk factor in this case could only be viruses on the user's device or dishonesty of the site owner, who may subtly steal client data. Moreover, an SSL certificate is an indicator of the authenticity of a site, as phishing clones typically use the regular HTTP.
A commercial site owner should also remember that when trying to connect payment through some payment systems, the service requires a certificate, without which the transaction will not go through. According to trends, these requirements will soon become quite widespread and will be stipulated in the terms of almost all payment systems.

Can you skip buying an SSL certificate?

The biggest disadvantage of not having a certificate is probably that the trust of tech-savvy users will be lower. A user who cares about the security of their credit card data, when making a purchase, will prefer a store with an SSL certificate, because it is safer to leave personal data in such an online store.

What does Google think about this?

In 2014 Google officially announced that the presence of the HTTPS protocol would positively affect ranking, however in reality it turned out not to be the case. This factor was only considered in 1% of queries, and it was not a key factor.

In hope to increase the significance of certification for ranking webmasters actively converted sites from HTTP to HTTPS, but in 2017 Google confirmed, that the weight of sites with SSL certificates will not be increased.

However, the company decided not to bypass HTTPS and show loyalty, at least in its own browser. In Google Chrome, all sites without the HTTPS protocol that collect personal data are marked with a small exclamation mark, while sites with SSL certificates are highlighted in green in the address bar.

Also, in 2018, an update was introduced, resulting in all HTTP sites being declared unreliable through a noticeable icon. Although this innovation cannot be called large-scale, it should not be ignored, as more than half of users from Ukraine and other CIS countries use the Google browser.

Types, Features, and Differences of SSL Certificates

Let's consider the available SSL certificates in 2018. They are divided into subtypes by the method of verification and the domains certified.

Domain Validation

• Unified Communications. This certificate is usually used for all domains and / or servers.
  
• Wildcard SSL. This certificate is valid for both the main domain, and secondary subdomains (sub1.torgsoft.ua, sub2.torgsoft.ua, sub3.torgsoft.ua etc.) and sites on distributed servers.
  
• Single Certificate. This type of certificate is valid only for one domain, as specified when ordering. In this case subdomains of the site are not protected. For example, the domain torgsoft.ua will be protected, but its subdomains (sub.torgsoft.ua) won't.

Certificates by method of verification

• Domain Validation (DV) validates the domain. This domain-validated certificate assures the serving server. Simply put, it guarantees that the user will be making a purchase on the site they were trying to access. Despite this, for commercial operations, Domain Validation is considered only conditionally reliable, as it does not contain accurate information about the site owner. This certificate is usually used on sites where strict security guarantees are not a key factor.
  
• Organization Validation (OV) validates the domain and the organization. This company-validated certificate certifies not only the domain name but also the organization that owns the website. The company's authenticity is checked through several indicators. When issuing an HTTPS certificate, a legal entity must provide all necessary registration data to the provider. It is worth noting that OV certificates are currently the most popular among site owners.
  
• Extended Validation (EV) performs extended validation of the domain and organization. This thorough check ensures a high level of trust not only from users but also from other platforms.
  
• Extended Validation will be the optimal choice for sites that require strict confidentiality. This includes almost all websites associated with financial transactions. The key feature of this type of certificates is that this extended verification is not one-time, but periodic. This approach helps protect users from data manipulation by an untrustworthy site owner.

All the mentioned protocols ensure high-quality traffic encryption between the user's browser and the site. Moreover, they include additional options:

• SAN - domain validation by the specified list (to save costs you can get validation for multiple domains at once);
  
• WildCard - domain validation and its subdomains (for savings you can get validation for multiple subdomains at once).

How reliability of certificates has changed

When SSL certificates first started filling the internet, certification services carried out more serious checks, which necessarily included verifying company data. Much later, due to the commercial interests of both parties, Domain Validation appeared, which forced vendors to create simplified verification and issue certificates with minimal checks. In contrast to convenience and simplicity, this approach played into the hands of cybercriminals. Now, internet thieves take advantage of the little trust in the site's domain and carry out fraud since the browser does not warn users about potential data theft issues on the website.

In such situations, Extended Validation steps in. The presence of such a certificate indicates that both the site and the company have undergone deep validation. The browser confirms this by placing a Green Bar directly in the left part of the address bar, so users no longer need to conduct their own investigation and verify the authenticity of the domain or the site owner. It is noteworthy that all browsers and operating systems support this option.

How to safely switch to HTTPS

When switching to HTTPS you need to consider a number of requirements. The site owner needs to:

• consult with the SEO contractor to prevent losing rankings in search results;
  
• order the chosen type of SSL certificate from the hosting provider or certificate issuer;
  
• install the certificate on the server;
  
• configure the admin panel to work with HTTPS;
  
• replace non-secure HTTP links on all pages that use scripts, media, counters, and consultants (otherwise, even with a certificate, the pages will be considered insecure);
  
• replace the address in technical files like robots.txt and sitemap.xml, as well as in 301 redirects.

Before obtaining or buying an SSL certificate, we recommend studying the information about the certification center and ensuring its reliability and responsibility, and to minimize the risk from switching, you need to strictly follow the instructions above.

To pay or not to pay?

Obtaining an SSL certificate for free
Free certificates can only be obtained with minimal verification. Such an SSL certificate validates only one domain, which opens direct access to the site for cybercriminals. Fraudsters easily make a copy (clone) of the original site, issue a new, personal certificate, and pose as the original site. Moreover, browsers often do not consider free DV certificates as high-quality and still warn the user about potential dangers during the connection.

If the site owner still does not want to go through a series of mandatory operations to obtain truly reliable protection, they can order a free certificate from one of the special organizations. Such organizations could be the popular Let's Encrypt or the hosting provider. We recommend obtaining a certificate from providers, as they allow you to order and configure the secure connection directly in the admin panel, which will take no more than 10 minutes for the site owner.

Buying an SSL certificate
Of course, paid certificates are much more reliable than their free counterparts. While a non-commercial site, which only collects logins and passwords, may suffice with Domain Validation, a site that cares about its reputation and the reliability of its online store cannot do without a thorough verification and a paid certificate.

In this case, Organization Validation is the necessary minimum. You can buy an OV SSL certificate from a certification service, for example, at www.ssl.com.ua/. To obtain such validation, a legal entity must send certified documents to the chosen service.

Large website owners with numerous subdomains may find it convenient to obtain Wildcard certificates, which eliminate the need to buy a separate certificate for each direction. Thus, Wildcard saves both time and money for entrepreneurs.

The most reliable certificate is Extended Validation with in-depth verification, but it is usually only ordered by very serious companies (banks, insurance organizations). This is because obtaining such a certificate requires a large set of documents, and its cost depends on the insurance and is several times higher than the price of Organization Validation.

How to verify the correctness of an SSL certificate

You can verify the SSL certificate on your site using specialized services. You can check whether the SSL certificate is installed correctly on the site by following this link:
https://www.ssllabs.com/ssltest/analyze.html

The number of green elements corresponds to the reliability of the site.

Sources:

https://surfingbird.ru/surf/pereezd-sajta-na-https-dostupno-ob-ssl-tls--8XFb6aFD9
https://aevrika.ru/blog/pereezd-sajta-na-https-dostupno-ob-ssl-tls-sertifikatah/
https://www.cossa.ru/trends/220711/
https://www.cossa.ru/trends/220704/