What Is SSL?
SSL stands for Secure Sockets Layer. It’s an important protocol for securing and authenticating data on the Internet. Because of movements like Encrypt All The Things and Google’s push for more widespread SSL adoption, SSL has been a popular topic in web circles. But despite that fact, many webmasters are still unsure how SSL works and why it’s important…or even what SSL stands for in the first place!
While we already covered what the acronym means, we’ll dig a little deeper in this entry and tell you what SSL is, as well as how it works to make the web a better place for both you and your website’s visitors.
How does SSL Work?
It’s a protocol used to encrypt and authenticate the data sent between an application (like your browser) and a web server. This leads to a more secure web for both you and the visitors to your website. SSL is closely tied to another acronym – TLS. TLS, short for Transport Layer Security, is the successor and more up-to-date version of the original SSL protocol.
Nowadays, SSL and TLS are often referred to as a group – e.g. SSL/TLS — or interchangeably. For example, Let’s Encrypt (which we’ll discuss more in a second) advertises offering “Free SSL/TLS Certificates.” But you’ll also find plenty of websites simply discussing SSL certificates, even when they actually mean TLS.
So where did SSL first come from and how did we get to where we are today with TLS? SSL version 1.0 was developed by Netscape in the early 1990s. But due to security flaws, it was never released to the public. The first public release of SSL was SSL 2.0 in February 1995. While it was an improvement over the unreleased SSL 1.0, SSL 2.0 also included its own set of security flaws, which led to a complete redesign and the subsequent release of SSL version 3.0 one year later.
SSL version 3.0 was the last public release and was eclipsed in 1999 when TLS was introduced as a replacement. At this point, SSL 3.0 is deprecated and no longer considered secure due to its vulnerability to the POODLE attack. As for TLS, it’s now on TLS 1.3, which offers a number of improvements to performance and security. Kinsta supports TLS 1.3 on all of our servers and our Kinsta CDN.
Why Aren’t We All Using TLS Certificates Then?
You likely are. Though the web community generally refers to them as SSL certificates out of convenience, certificates are not actually dependent on the specific protocol in their name. Instead, the actual protocol that is used is determined by your server. Which means that even if you think you installed something called an SSL certificate, you’re likely actually using the more up-to-date and secure TLS protocol.
Until the web community adopts the TLS terminology, though, you’ll likely continue to see such certificates most often called SSL certificates for simplicity’s sake.
How Are HTTPS And SSL Connected?
The people who built the Internet love their acronyms – another term that you’ll commonly see discussed when talking about SSL/TLS is HTTPS. HTTP (without the S) stands for Hypertext Transfer Protocol.
HTTP and its successor HTTP/2 are both application protocols that underpin how information is transferred around the Internet. They’re essentially the foundation for data communication on the Internet. When you add back the S, it simply becomes Hypertext Transfer Protocol Secure (or HTTP over TLS or HTTP over SSL).
Essentially, SSL/TLS secures the information that is sent and received over HTTP. This has a number of benefits.
What Are The Benefits of Using SSL/TLS?
Many webmasters operate under the false assumption that SSL/TLS only offers benefits to sites that process sensitive information like credit cards or banking details. And while SSL/TLS certainly is essential to those sites, its benefits are by no means limited to those areas.
One of the main benefits of SSL/TLS is encryption. Whenever you or your users enter information at your site, that data passes through multiple touchpoints before it reaches its final destination. Without SSL/TLS, this data gets sent as plain text and malicious actors can eavesdrop or alter this data. SSL/TLS offers point-to-point protection to ensure that the data is secure during transport. Even a WordPress login page should be encrypted! If an SSL certificate is present but isn’t valid, your visitors may be faced with the “your connection is not private” error.
Another key benefit is authentication. A working SSL/TLS connection ensures that data is being sent to and received from the correct server, rather than a malicious “man in the middle.” That is, it helps to prevent malicious actors from falsely impersonating a site.
The third core benefit of SSL/TLS is data integrity. SSL/TLS connections ensure that there’s no loss or alteration of data during transport by including a message authentication code, or MAC. This ensures that the data that gets sent is received without any changes or malicious alterations.
Beyond encryption, authenticity, and integrity, there are also other less technical benefits like:
- The potential for improved rankings in Google organic search
- Improved trust with visitors
How Can You Tell If A Website Is Using SSL/HTTPS?
The easiest way to see if a website is using SSL/TLS is to look at your browser. Most browsers mark secure connections with a green padlock and/or a message. For example, in Google Chrome, you can look for a green padlock and the Secure message:
While in Firefox, you’ll only see a green padlock:
In Microsoft Edge, you actually don’t see a color, but rather a simple grey and white padlock.
Is Google Going to Penalize Sites That Don’t Use SSL?
Recently, Google has been rolling out an increasingly severe set of penalties/warnings in Google Chrome for sites that fail to install SSL certificates. These penalties started in January 2017 with the introduction of a Not secure warning on pages that asked for credit card details or passwords without an SSL certificate:
That change was the first nudge in Google’s push to increase SSL and HTTPS usage. But recently, they’ve ramped things up even further.
Increased Not Secure Warnings in October 2017
In October 2017, Google rolled out even more aggressive notifications. Starting with Chrome 62 (released October 17, 2017), Google added the Not secure warning to:
- All HTTP pages where users enter any type of data, including something as simple as a search box. The warning will not appear on the initial page load, but will appear any time a user starts entering data into a field
- All HTTP pages in Chrome Incognito Mode
Google Is Only Going To Get More Aggressive
Google’s long-term plan is to eventually mark all HTTP pages as Not secure. That means even if you don’t ask users to fill out any type of form fields, you’ll eventually be caught by the warning no matter what. For that reason, it’s important that you start planning to make the move to SSL/TLS and HTTPS now.
In 2020, Chrome started displaying ERR_SSL_OBSOLETE_VERSION warning notifications when sites use TLS 1.0 or TLS 1.1 (legacy versions).
How to Install An SSL Certificate On Your Site
Many hosts make it easy to install a free SSL/TLS certificate. Here at Kinsta, all verified domains are automatically protected by our Cloudflare integration, which includes free SSL certificates with wildcard support. Other hosts may use a service called Let’s Encrypt, which offers free SSL/TLS certificates. You can view a full list of hosts that support Let’s Encrypt here.
If your host doesn’t offer free SSL certificates, or if you want a different type of SSL certificate, you can also purchase your own certificate from a third-party provider.
You can read this guide for instructions on how to add an SSL certificate to your site at Kinsta. You can do it with a single click!
What to Do After Installing an SSL Certificate
Yes – there are both technical and non-technical actions you need to perform after installing an SSL certificate. First, on a technical level, it’s important that you redirect all HTTP traffic to HTTPS. You should also ensure that you aren’t loading any assets via HTTP. Usually, this will be your own images or external content you pull in, like scripts or external ad services. This helps you avoid the Mixed Content Warning.
Beyond those two technical details, you’ll also likely want to perform the following tasks, depending on the tools that you use:
- Add the HTTPS version of your site in Google Webmaster tools.
- Make sure tracking scripts like Google Analytics or others are set up to work with HTTPS.
- Make sure you are not getting any SSL connection-related error messages.
All in all, SSL/TLS is an important protocol for creating a safe, secure web. And now that you know how SSL works, if you haven’t made the switch already, we encourage you to consider installing an SSL/TLS certificate and moving your site to HTTPS.
We have a very detailed HTTP to HTTPS migration guide make sure you read it and follow the steps!