Joel: Hello everyone and welcome to another episode of the Marketing Unleashed Podcast. Today, we’re going to be talking about SSL certificates and why they’re important. SSL certificates, whenever we’re talking about those, we’re talking about websites specifically. With me, I have a Nathan. Now, Nathan, kind of-
Nathan: Hey, Joel.
Joel: Sorry. Kind of give a quick description of what an SSL certificate is, like what does it stand for and why we would even want them on a website.
Nathan: Well, SSL stands for secure socket layer. As soon as I said the definition of what SSL stands for, you can completely forget it. What’s important to understand is what it does, which is it verifies your identity. There’s actually a company… Whenever you get us an SSL certificate, there’s a company that researches you and verifies that you’re a real company, that you are who you say you are. They’ve got contact information for you. If there’s an issue on your website or something like that, that there’s a real person out there, phone numbers, emails, addresses, so they can get a hold of you.
Nathan: But the real purpose, the original purpose of an SSL certificate is to encrypt the information traveling between your website server and the person’s home computer or phone or whatever that they’re accessing it on. That is the original purpose. It’s sort of got other purposes now in addition to that encryption purpose, but initially that was the main purpose of an SSL certificate was to encrypt the information that’s going from your home computer to the server where the website that you’re visiting is stored. Most people don’t know this, but basically when you’re going to a website, it’s not just like a connection between your single computer and a server out there.
Nathan: The connection is actually handed off between multiple pieces of equipment, internet routers, other servers. They pass that information along. At each step of that process as the information is being passed along, there’s a network connection there. Anybody who kind of knows what they’re doing can get into that network connection and look at all the information that you’re transmitting back and forth. The SSL certificate prevents that. It encrypts everything on your computer and then sends it. When it hits the server, the server’s able to decrypt that. Anybody in between, all they’re going to get is garbage.
Nathan: If they tried to look at what you’re sending, they’re not going to be able to get things like your credit card or anything else that you might be sending to the server. That’s kind of the original purpose. Why certificates were created in the first place was to create security around the information that you’re passing back and forth.
Joel: Within the last year or so or it might have been sooner than that, Google announced that if you don’t have an SSL certificate in their search results, they’re actually going to note that your website may not be secure.
Nathan: Well, there’s a couple of things that went on there. Actually since 2014, Google has favored websites that have the secure certificate, the SSL certificate, on their search results. Going all the way back to 2014, Google has given you basically a boost in search engine ranking if your website was secure. That goes all the way back to 2014. I think throughout the years since then, they’ve only increased that. The more recent times you get even bigger bonus maybe than you would have originally gotten in 2014 just because of all the privacy issues and everything else that’s been going around.
Nathan: But I think probably what you’re referring to is in 2018 Google announced that on their browser, if you use Chrome, which is a Google product, if you use Chrome, they’re going to put a not secure message in the browser window. If you’re on a website and they’re not using a secure certificate, it will say not secure right next to the name of the website at the top of your browser window, which is kind of a bad look if you’re a business to have something in the corner saying not secure. A lot of companies since that sort of came out have sort of been rushing to secure their websites. It’s really helped, to be honest with you.
Nathan: The amount of websites that are using encryption nowadays has increased dramatically since those two changes that Google made just because people don’t want to be known as not secure for a good reason, even websites that don’t necessarily needed to protect any information. Maybe you’re not doing any sales or submitting any forms or anything like that on your website, it’s just purely informational, those sites are using encryption certificates now too just for the fact that they want better search engine rankings. They don’t want to be known as not secure when someone sees them on their browser.
Joel: Let’s talk a little bit about brand trust in that way because whenever you see that, oh, the site’s not secure, I mean, that can ultimately raise a red flag and be like, well, should I trust anything on this website? There’s not an extra layer of protection. Some websites you don’t input any information. They don’t ask for an email. They don’t ask for any kind of credit card information. There’s no transaction going on there.
Nathan: Right. Actually people don’t usually do this, but whenever you have an encrypted website, there’s a little lock usually in the browser window. You can click on that and it’ll tell you information about the company. It’ll tell you who they really are. It can really work to establish trust because in today’s marketplace, people do knock off products all the time. People are familiar with emails that are spam emails that are trying to get your information and people are faking it to look like a credit card company or something like that. People are familiar enough now with how websites and web identities can be faked that the secure certificate shows people that you’re real. It establishes that identity.
Nathan: It’s not just some joke thing because you have to pay for that, and it’s basically like a background check. Someone is going to go out there and verify that you are a legitimate company. You are are really registered company, and you have a real address, real phone number, real email address where people can contact you. People can’t hide. If they’re a knock off, I can’t get a secure certificate saying I’m Coca-Cola. They wouldn’t do that. They’re not going to be able to verify that. If you go to a website and you look at the certificate and it says Coca-Cola Company, then you know that that’s legitimate. I mean, that’s a huge bonus especially when you’re talking e-commerce.
Nathan: If you’re going to be shopping with a company, you want to make sure you know who they are in case you have a problem. You want to know that there’s somebody I can contact. You want to know it’s a legitimate business and not just some guy selling knock off products out of his garage. The certificate gives you that.
Joel: Right. There’s SSL and then there’s HTTPS. Now, is there a difference between them?
Nathan: Yeah. The SSL certificate is essentially like a document that you install on your server that allows you to use HTTPS. The S just means that it’s secure. It’s encrypted communication. If you see HTTPS, the only way for that to work is to have a certificate installed on the website server where your website is hosted. If you’re a website owner and you’re going to get a secure certificate, then that’s something that you have to know. The certificate piece is one thing. You have to get that installed. Then what you have to do once it’s installed is you have to change your website so that it’s using HTTPS instead of HTTP. You could still use an insecure website if you wanted to.
Nathan: You could have a secure certificate and still use HTTP, but that’s kind of dumb because you paid money and gone through all the headaches of getting the certificate. What you usually have to do, in our case, a lot of times we’ll get a secure certificate for a website is you have to go through and just kind of make sure that all the content is being securely delivered. For example, if someone put an image on your website, they might have used an insecure path, so HTTP, whenever they put the address of that image. Well, you’d actually have to go in and change that to HTTPS or you’re not going to get the lock on your browser.
Nathan: HTTPS is sort of the protocol that’s being used to transmit the internet data back and forth and actually they use different ports. If you’re using HTTP, I believe that’s port 80. If you’re using HTTPS, I can’t remember what that one is. It’s like 221 or something like that. It’s a different port where the communication is happening back and forth. But basically HTTPS just means, hey, I’ve gotten a certificate and it’s on my server, so now all my content is going to be delivered securely.
Joel: Okay. Basically the SSL is the protection document and then the HTTPS kind of shows you that the content on the website is secure and what you’re browsing is secure. Correct?
Nathan: Yeah. To further explain, the SSL certificate itself has what’s basically an encryption key. It’s got a long stream of just numbers and letters and garbage and they use that key to encrypt your content. Like for example, you might have like a credit card number and you would throw your credit card number through an algorithm against that key that comes with your SSL and it would change everything. Instead of being just your 16 digit credit card number, it would now be maybe 250 digits long. It would just be all jumbled up. You wouldn’t be able to get the actual information out. Then whenever you go up to the server end of it, the server has the other piece.
Nathan: There’s a public piece that you’re able to use as the end user and then there’s a private piece that you install on your server through the certificate and that allows the server to decrypt the content. Now it’s got the key on the other side and it can say, okay, I’m going to apply the algorithm using my key and now I can see the actual credit card number on the server and use that to pay.
Joel: Okay. Now, if somebody is listening and they don’t use a Chrome browser, how would they find out if their site is secure or not?
Nathan: All the browsers, all modern browsers nowadays have the lock. If you’re on a browser or you’re on a website and you have a question whether it’s secure, if you look next to where the URL is of the website, the address of the website, there’s a lock on there somewhere. Some put it on the left side, some put it on the right side, but it’s there in the browser, where you can click on that lock and then the lock will give you information about the certificate. Just another side note about these certificates is they expire. You have to continue to verify that you’re a legitimate company going forward. It’s not a one-time thing where you just get it and walk away. Now you’ve got it forever.
Nathan: You have to continue to renew those certificates over time or they expire and then you will be forced back to HTTP traffic instead of HTTPS. It causes a real nasty error message to come up on your browser. When you go to a website that’s trying to use HTTPS to look secure if they’re really not, then you get a big warning message that pops up that says, “This website certificate is invalid,” or something along those lines, which would basically destroy your business if you were doing eCommerce kind of left that there for a long period of time. People aren’t going to continue past that message and buy your products when they see something like that.
Joel: Right. Now, are there different types of a SSL certificates?
Nathan: Yeah, there are. There’s kind of a lot of details around it. There’s called a wildcard certificate. A wildcard certificate allows you to use multiple paths. Instead of just www dot and without the www, you can use other things like info dot and whatever you want really. That’s where the wildcard comes in. You can pretty much put anything in front of it. You could have an intranet at your company, so intranet.yellowdogllc.com and www. As long as they’re on the same domain, you can encrypt them all with a wildcard certificate. Now, there’s other versions and there’s a lot of different… It depends kind of on the company that’s doing the verification process.
Nathan: That’s sort of a side path we can get into if you want. There’s a story where a company who issued these certificates did some things that were sort of shady business practices and Google found out about it and they basically delisted them. This happened a couple of years ago, but if you had a certificate that was issued by that company, Google took it away. Basically started saying that your website was insecure because of the company that verified you was insecure.
Joel: Was that company a big one or kind of a smaller one?
Nathan: I think a lot of third parties used them, so it was cheap. That was probably one of the reasons they were cheap is because they cut corners and that’s where they got in trouble. Most of the time now you can buy a certificate for I would say between $100 and $300 a year. Some of them are better than others. Some of them kind of give a more detailed background check. They give you sort of extra benefits for that reason. In the certificate itself, it used to say… In some cases, it would say the company name next to your certificate ID. I’ve seen it do different things. It kind of depends on the company that’s issuing the certificate, and it depends on the browser that you’re using.
Nathan: But there are different ones and some of them are very expensive. Some of them can be a couple thousand dollars per year to renew.
Joel: Like GoDaddy or like 1&1, some of these shared hosting services, they offer SSL certificates for a lot lower than $100 a year.
Nathan: Not much. I mean, usually they might give you… I think the last time I looked at one from GoDaddy, the cheapest one I could find was like 50 or 60 bucks, but that was an intro offer. If you look at the next year when you have to renew, it goes back up to about a hundred bucks.
Nathan: They’re just trying to kind of get you started. They’re probably eating part of the cost of that. Maybe the first year they’re not making any profit. Just assuming that your business is going to continue and they’ll make their profit up in later years.
Joel: Right. Talking about like GoDaddy, whenever you buy an SSL certificate through them, through their interface, is it GoDaddy that’s actually doing the verification or does GoDaddy contract out?
Nathan: No. There’s only a handful of companies that do this and they are all… Everybody’s using these handful of companies, so there might be… I don’t know the exact number, but let’s just say five. All of these hosting companies like Bluehost and HostGator and 1&1 and GoDaddy and Wix and everybody is using them. Now, there’s another side note. You can get a self-issued certificate to encrypt traffic. That’s typically used for like internal things. I can go on my server now and I can issue myself a certificate. I’m basically verifying that I am who I am to myself. There’s no third party verification. But because of that, it limits you on what you can do and you could not use that on a website.
Nathan: That certificate has to come through a third party verification system, like I said, one of these five companies, in order to be used on a public scale.
Joel: Right. Okay. Now, we use Rackspace for hosting, which is dedicated hosting.
Joel: Rackspace, that’s a very secure way of hosting websites, correct?
Nathan: That’s correct. Yeah, they have very secure website hosting. The company that we use through them, that’s their third party verification system, is called Thawte, T-H-A-W-T-E. They are the ones who verify all of our website certificates that we buy.
Joel: Right. Okay. Now, other than calling us or going to our website at yellowdogllc.com, how would somebody make their site secure with an SSL certificate?
Nathan: If you’re doing shared hosting, so say you’re just kind of getting started, if you buy… A lot of times they’ll have e-commerce packages and things like that that’ll come with the certificate. A lot of companies do that. I know GoDaddy I think has one of those. There’s probably some on like Wix. If you subscribe to one of those sort of eCommerce platforms where they host the website for you, theirs are usually encrypted as part of the package deal. They do that. Now, one thing I would say if you’re looking to do encryption, you have to have certain email addresses set up. Like for example, there’s a list of like five or six email addresses that you have to have one of those available.
Nathan: It’s like admin at your domain or webmaster at your domain or something like that, a common email address that’s used to handle requests on your website. Those email addresses have to be set up and available because they will contact you and you have to provide a working phone number that someone actually will answer and verify information about you because they will do that. If you don’t answer or don’t have those email addresses set up, then you can’t get a certificate. They’ll call you. They’ll email you. Then eventually if no one answers, no one responds, then they just give up and you just wasted your money on the certificate.
Joel: Right. Now, whenever we’re talking about mobile web browsing or even apps, how do SSL certificates and the security aspect, does it just transfer over? No, no, obviously not with apps, but with mobile browsing.
Nathan: Yeah, it’s the same way. The certificate encrypts all traffic to and from that domain. All the traffic would be encrypted. If you’re using an app say for example that has a web backend, which we’ve built before, then you can encrypt that traffic back and forth. The traffic between your app and whatever you’re serving up your content for your app from is encrypted. A lot of times these are used for other things. It’s used in software development too. If you’ve got software that’s going to be communicating over the web or whatever, they could be used for those things too, not just for a website.
Joel: Okay. For example, like QuickBooks, we use QuickBooks, which is obviously a… We’d want to keep that. We use desktop apps through Mac for QuickBooks, so that probably has some type of security certificate attached to it, right?
Nathan: Absolutely would, yes. Behind the scenes, even though you’re using a desktop app, it’s probably communicating in a similar fashion. It just hides that from you. You don’t see a web browser, but it’s really… I mean, it’s sending the traffic over the internet to a web server somewhere to collect your information.
Joel: Right. Yeah, yeah, definitely. From the interface, it just makes it look like its own little dedicated browser.
Nathan: Right. Right.
Joel: All right. Well, hey, I guess we should summarize that pretty much if you don’t know if your website is secure, definitely you can contact us. We can help you out with that. If your website is not secure, then it’s definitely a good idea, whether if you’re transmitting information or not, collecting information. It’s rare that websites don’t collect at least an email address for email list or whatever that may be. But it is important to secure your website for, at the very least, search engine, a little search engine advantage, correct?
Nathan: That’s right. That’s right. It’s going to give you a boost. All things being equal, if you and a competitor and you have a secure certificate, you will rank higher than they will.
Joel: Right. All right. Nathan, you got anything else about SSL certificates?
Nathan: No, that’s pretty much it. I would say if you’ve got more questions about it, definitely contact us and we can be happy to take a look at your site now and kind of give you some ideas of what it’s going to take to get SSL compliant. It’s not as simple sometimes as people think, where if you just install the certificate, now everything’s secure. It doesn’t usually work out that easily. What winds up happening is people use… I don’t want to get too far in the weeds, but people use the exact URL address for images or links or things like that and you have to go back through your website and update those to make sure that they are using HTTPS. Otherwise, you never get the lock.
Nathan: We’ve had issues before where people said, “Hey, you know, I bought a certificate and I got it installed, but I still don’t see the lock on my website, or I see error messages that come up in the developer tools that say your website’s not secure.” The reason for that is they haven’t updated the content of their website to make sure that it’s using the HTTPS path instead of just HTTP. It can be a little complicated. If you’ve got more questions, feel free to get in touch with us at yellowdogllc.com and we can clear that up for you.
Joel: Yeah, definitely. Especially if you’re selling things on your website, we’re headed right into the holiday shopping season, you definitely want to make sure that you’re not losing any sales or any potential leads because you don’t have a secure website.
Nathan: Oh, absolutely. Do not shop on a website that doesn’t have a secure certificate. Just don’t do it.
Joel: Right. All right, well, I guess we’ll be right back with can’t let it go.