… even if you don’t take payments on your website.
As of 2017, I started suggesting (strongly) that all of my clients acquire an SSL certificate for their websites. This is a security feature that we used to only need for e-commerce sites, but has now become a non-negotiable component of your overall security.
What is SSL?
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. SSL is what differentiates https sites from the standard http connection. Having this encrypted link ensures that data passing between your website and people’s browsers remains private.
(Note: Technically, SSL is now TLS, so if you hear someone use that term, they are correct!)
What does SSL do?
SSL lets users know that your website is authentic, and it boosts your ranking on all of the major search engines. Google actually rewards secure websites (sites with the https domain) and will rank your website higher in search results.
It’s also important if your site has forms. A SSL connection helps protect the information that your client shares with you via online forms. If someone did intercept the information, it would be encrypted and useless.
What doesn’t SSL do?
AN SSL certificate is not the end-all-be-all of website security. It doesn’t protect your site from being hacked, and people can still exploit software vulnerabilities or brute force your access controls (usernames and passwords).
It’s also important to remember that this only protects your client’s information while it is in transit. Encryption at rest is an entirely different animal. What you do with your client’s information once you have it in your possession is very important and is not protected by SSL.
While SSL is not the whole answer, it is a key component of your overall information security, and a pretty easy one to employ!
UPDATE: Google makes good on their promise.
As of July 2018, Google Chrome now marks all HTTP sites as “not secure.” If you neglect SSL, this warning will show up on every page of your site and is extremely good at deterring visitors. The Electronic Frontier Foundation explains that this push is helping us make an essential shift towards a more secure internet. According to the EFF, we are now at a point where users should be able to expect HTTPS by default.
Left: Hackers work from the bottom up and always go for the weakest link, exploiting the most obvious vulnerabilities first. SSL, software updates, and good password habits are just a few ways you can protect yourself and your customers. (photo courtesy of palleiko.io)