7 Myths About HTTPS and SSL Certificates You Shouldn’t Believe
SSL certificates allow websites to encrypt and secure traffic, but there are many misunderstandings about how they work. Let’s debunk them.
About the author: Philip Bates (MakeUseOf) is a freelance writer. MakeUseOf is a technology website, focused on bridging the connection between users, computers, devices and the Internet through education.
Take a look at the URL for this article and you’ll see that it starts with https. That “s” at the end means the connection between your device and this site is secure.
On the web, secure connections are usually established using a Secure Sockets Layer (SSL) certificate. These can be confusing, partly because there are many myths about them that you simply shouldn’t believe. Let’s debunk a few of the more common ones!
Myth 1: “Only E-Commerce Sites Need SSL”
You’ve probably heard that only sites requiring personal data need SSL certificates. It’s a fair assumption: after all, you should be trained by now to notice encryption on sites that request private information. It’s true that, when signing up and logging in, you definitely need to check the address bar reads “https”.
But encryption is vital for all sites, whether e-commerce or a small blog.
Firstly, Google defaults to a secure version of a site. Google Chrome users who visit a site which doesn’t have an SSL certificate will instead see a warning page. This will inform them that the page is not secure.
Secondly, those visiting via other browsers will consider you more trustworthy. Most users now know about checking for secure connections, so installing an SSL certificate is a sign that you take their privacy seriously.
In effect, you’re telling your audience that you’re a professional organization.
Myth 2: “SSL Won’t Affect Web Traffic”
If Google Chrome doesn’t fully load a web page, that site’s statistics will be affected—potentially quite drastically! Imagine how many people might see that their connection isn’t secure and immediately turn away.
The problem is, even when their data doesn’t seem at risk, people panic when they see security alerts. They picture themselves falling victim to hackers. Thankfully, most users prioritize their security over convenience. So if they can’t read your site, they’ll simply search for another one which offers similar information.
Furthermore, an SSL certificate is essential for SEO. It’s not just about keywords: Google ranks a page higher if it proves to implement decent security measures. Naturally, the nearer the top of search results, the more people will find your page.
Myth 3: “SSL Significantly Slows Page Loading”
With a potentially increased audience, your concern might be that an HTTPS address will slow down your site. Fortunately, encryption has no noticeable effect on the speed of your website.
That’s because, in most cases, HTTPS actually refers to HTTP/2, a revision on the standard HTTP protocol. It was designed to have a 50 percent reduction in page load time through compression of data and reduction of processes involved.
Here’s what you need to know: the web has been using HTTP since 1991. HTTP/2 is an upgrade to this with an eye on performance.
If you want proof, check out some of your favorite sites—the most popular ones (including social media like Facebook) have SSL certificates and look how fast they are!
Okay, so sometimes, speed will be affected, but it’s rare and negligible. We’re talking milliseconds. This is mainly down to server distances, which you typically can’t help. And cases of slowing down will become fewer and farther between as Certificate Authorities (CA) secretly switch to Transport Layer Security (TLS) instead.
Myth 4: “SSL Certificates Are Cutting Edge”
SSL certificates are great, but they’re not the most advanced form of encryption widely used on the internet. In fact, many CAs use TLS certificates instead.
TLS certificates are essentially the next stage in the life of HTTPS.
The successor has been around since 2008, fixing some of the minor vulnerabilities in SSL certificates. However, until recently, it’s mostly been used solely for sites that require payment details or manage your money. PayPal is perhaps the most notable example of a monetary site using TLS.
Fortunately, several exploits in SSL certificates mean TLS has become more commonplace. In fact, many encryption services implement TLS instead of SSL certificates by default; the latter is better known, so the name is frequently used without the client knowing the difference.
As long as your URL has HTTPS, most website visitors are content.
Myth 5: “SSL Certificates Are Expensive”
Which organizations use TLS? Primary examples also disprove the myth that HTTPS is expensive.
Let’s Encrypt is a popular service because it’s effective and entirely free. Many big-name companies support the idea, including Facebook, Yoast, Mozilla, the American Library Association, Server Pilot, and Google Chrome.
Alternatively, freemium software is available. Encryption Everywhere, created by security firm Symantec, offers free SSL/TLS certificates, and you can pay for additional security features.
Admittedly, SSL certificates can be costly, but it largely depends on hosts. Sometimes, the host server doesn’t support third-party encryption, i.e. they want you to use their own associated service so they can get extra cash from you. It’s a horrible tactic, especially when users are under pressure from Google.
You need to shop around. Don’t be scammed by your web host.
Myth 6: “SSL Certificates Encrypt All Data”
Let’s not rave about SSL certificates without pointing out that they’re not the be-all and end-all for security. Yes, data is encrypted—but only during transit. HTTPS means your connection is secure; it doesn’t mean the web server is secure.
Imagine it as a tunnel you’re driving through. The tunnel means your vehicle can’t come under attack from anything from above, below, or either side of you. However, problems can still occur once you reach your destination. You don’t know what lies ahead of you once your car comes to rest.
The same goes for data. It’s encrypted so you shouldn’t be a victim of a man-in-the-middle (MITM) attack while it’s transferring between networks. But once that data is static (i.e. stored on someone’s server), SSL certificates don’t mean much.
This is why HTTPS is now considered a basic security measure, something sites should have as standard. Further precautions are also needed!
Myth 7: “SSL Encryption Is Foolproof”
HTTPS offers a good level of encryption. You’ve probably heard a lot of good stuff about that. Still, myths persist about encryption. Notably, you should know that encryption doesn’t make something unhackable.
Companies just need to try their best: they need to look after personal information in the most secure ways possible. They have a responsibility to look after private details. The methods used to track passwords, however, show how ineffective encryption can be, depending on the form used to store them.
Even SSL certificates have been compromised—that’s what Heartbleed was all about, hitting headlines back in 2014.
Can you trust SSL/TLS certificates? Yes. Just remember: no security is absolute, and vulnerabilities are inevitable.
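Myths 6 and 7 make the point that HTTPS protects a password only while it travels, and that what happens afterwards depends on the form used to store it. The Python below is an added example, not part of the original article; the function names, the in-memory dict standing in for a server database, and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed work factor for this example; tune it for your own hardware.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(db, user, password):
    """Weak form: anyone who reads the table reads every password."""
    db[user] = password


def store_hashed(db, user, password):
    """Stronger form: keep only a random salt and a slow, salted hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    db[user] = (salt, digest)


def verify_hashed(db, user, attempt):
    """Recompute the hash with the stored salt; compare in constant time."""
    record = db.get(user)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, digest)


def leaked_passwords(db):
    """Passwords directly readable by someone holding a copy of the table."""
    return [value for value in db.values() if isinstance(value, str)]


if __name__ == "__main__":
    # Constructed sample data: the same password arrives over HTTPS either way.
    plain, hashed = {}, {}
    store_plaintext(plain, "alice", "correct horse")
    store_hashed(hashed, "alice", "correct horse")
    print("readable from plaintext table:", leaked_passwords(plain))
    print("readable from hashed table:   ", leaked_passwords(hashed))
    print("login still works:", verify_hashed(hashed, "alice", "correct horse"))
```

In both cases the password was encrypted in transit; only the second table keeps it unreadable once it is at rest on the server.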
Make Sure You’re Using a Secure Web Browser
Don’t underestimate the importance of basic levels of safety online. SSL certificates are a vital part of your protection from cybercriminals.
Of course, you need support from a strong security suite too. Fortunately, mainstream browsers know the significance of keeping their users secure on the internet.