Should you add a security certificate?

by | January 5th, 2015

Recent announcements from Google and articles on search engine optimization (SEO) sites may have you considering a security certificate for your website. But is added security truly necessary if users are not submitting private information?

We already know that PCI compliance requires a security certificate if you are handling payment card data on your site. But Google’s plans involve adding an SSL (Secure Sockets Layer) to any site, eCommerce or not.

SSL is a standard in security technology. It used to make an encrypted link between a server and a client. In most cases, the link is between a website and a user’s browser.

pad lock representing added site security

Google’s security certificate fixation

In an effort to protect their users, Google is calling for “HTTPS Everywhere” on the web.

Their goal seems to prevent a malicious middle man from getting to users computers when visiting sites. But these security defenses are not quite as simple as flipping a switch. They require the set up and purchase of an SSL certificate, and annual upkeep.

So, should you add SSL to your site?

One initial reaction might be, “Yes, immediately!” That is because Google is giving a small ranking preference to sites with this feature. And right now, the weight attributed by Google is small, but who is to say when that might change? Any ranking preference helps, especially with the algorithm for rankings is a secret, ever-moving target.

However, you may wish to wait to make changes to your security certificates when you’re setting up a new hosting agreement/environment. adding SSL is not necessarily a decision that should be made in a hurry.

One reason is that for sites that share a public IP, SSL can become very costly. UCC/SAN certificates (with more than one applicable domain) start in the hundreds of dollars. You cannot have more than one SSL certificate on a single public IP, because of the way the SSL protocol is designed. It requires making a handshake with the server (or load balancer) before exchanging domain request information, which means if the domain doesn’t match the certificate you will get a big red certificate error.

Additionally, registration of all domains on each public IP must happen at at the same time. Due to the ever-decreasing availability of IP space on the public internet, this is cumbersome for all parties involved. It is infeasible to give each client their own dedicated IP address. 

Another reason to take your time is that SSL does not inherently make the site more secure – all it does is protect the specific data being sent between client and server. Adding SSL does not benefit you if the server does not have:

  • A secure area which requires a login
  • Protected forms
  • Private data

The reason it does not help is that encrypting data that is already public does not add value.

www as a symbol for browsers

Plus, not all browsers are capable of handling all SSL requests. Often certificates that are 2048-bit or higher fail on older browsers. Slower computers will also take longer to process the certificate and un-encrypt the transmitted information (however, this is negligible for most modern computers). Nonetheless, this consideration should be made for your site. Examining analytics could help you decide: if the majority of your visitors are using older browsers, you may decide to hold off.

I want it I want it I want it! Now what?

You’ll need to add SSL to your hosting contract, whether that is with PINT or another hosting provider. PINT typically purchases a blank certificate on behalf of the client, and submits a CSR (certificate signing request) CSR to our registrar. If we control the domain on behalf of the client, we approve the request ourselves otherwise the client must approve the CSR request. Once the request is approved, we download and install the certificate on the server, load balancer, and/or firewall. Installation all depends on which of these the client uses.

vault for security lock down

Security Best Practices

Why not lock down some basic security measures related to your site, while you’re at it?

  • Updates/patches
    Patches should be kept up-to-date throughout the year: especially for those that address high severity vulnerabilities. If you haven’t applied any critical patches, do so now.
  • Password security
    Some systems force you to change your password every few weeks or months. For those that don’t, use this as a time to set up some new secure passwords for your accounts. Be sure not to use the same password across sites that store sensitive data.
  • Security audit  and inventory
    Perform a basic security audit and make sure you have a thorough understanding of your systems and what normal operations look like. This will make it easier to spot something unusual when a hack occurs.
  • Consider consulting a pro
    Sites and applications that store sensitive data (social security numbers, addresses, etc) are more prone to being the target of a hacker, and thus need to receive extra attention for securing vulnerabilities. While automated security scanners and self-evaluations are convenient for finding known vulnerabilities, they don’t compare to what a well-trained security expert can find during an audit.

SSL certificate conclusions

SSL certificates are a necessity for sites that must adhere to PCI compliance guidelines, but are becoming more prevalent for sites transferring public information as well. While some people may think applying HTTPS to a site’s URL is an easy way to gain search engine rankings, the decision is actually more nuanced. When adding SSL, it is best to consider the registration of your domain, your hosting situation, and your overall web ecosystem.

  • Dmitriy

    In my humble opinion, SSL should be only used for sites transmitting the personal info. The cost of the SSL not only in the licence itself, but in lowering request/response speed and dealing with an inconvenience of accepting mixed content on every page you visit.

  • Merrily Chopp

    The cost is not insignificant!

  • Dmitriy

    it all bottles down to cost vs. benefits and when i said cost i don’t only imply the cost of purchasing but also the cost of installation and configuration: it has to be done on the hosting site by the hosting company so you pay here and there to implement and to maintain and don’t forget to renew. YOu must ensure Google indexing and red-screen avoidance, and if your page has any 3rd plugins, those may fail to load breaking the page. Now add possible browser incapatability to it and that is the soup you are about to be served. That does not mean you should avoid, but rather to think if it is worth the trouble. Again, that my 2 cents, but I am sure there are handful number of people who’d disagree.