How to Win Business and Trust with SSL
February 3, 2015 | David Henzel
Following worldwide debates on digital surveillance and fraud, consumers are now savvier about Internet security and cryptographic protocols like SSL. For this reason, delivering content through a secure layer is no longer a nice-to-have for businesses - it’s a must-have.
In the past, this really only applied to ecommerce sites, but it’s now becoming true for all verticals. For instance, SSL is a huge issue in the adserving industry right now. Just recently Google’s head of media platform sales, Jay VanDerZee, announced that securing ads from malware with SSL is a company priority for Google in 2015.
“The ad impressions on a publisher site have to be wrapped in this layer [Secure Sockets Layer],” he told Beet.TV. “The actual creative file has to be wrapped [as well].”
So whether you’re an adserver, ecommerce site, mobile platform, or any other online business that serves customers, the information below is for you. Following are a few ways you can gain customer confidence and improve your bottom line with SSL.
Many websites take a piecemeal approach to encryption, where the only encrypted areas are those that exchange sensitive information like login screens.
Only encrypting areas where usernames and passwords are entered seems logical, but it falls flat considering how much of that information is transmitted after the secure connection is closed. Software like Firesheep highlights just how vulnerable this data is, especially when a user is browsing from an unsecured network.
The solution is to spread encryption throughout your entire website. Not only will you protect your customers when they input sensitive information, but they’ll remain protected as they continue to use the site. A few ways you can promote SSL across your website include:
- Redirecting links from HTTP to HTTPS
- Enabling HTTP Strict Transport Security (HSTS), which tells a user’s browser to always use HTTPS instead of HTTP for your site
- Using a CDN that offers free and dedicated SSL, as well as other external resources that support HTTPS like secure ad networks
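One way to check a site against the three points above, as an added example that is not part of the original post: the Python code below audits a plain-HTTP response and an HTTPS response for the redirect, the HSTS header, cookies sent without the Secure attribute (what session-sniffing tools like Firesheep collect), and sub-resources still loaded over HTTP. The function names, the 180-day HSTS threshold and the sample responses are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
MIN_HSTS_MAX_AGE = 15552000  # 180 days: assumed policy threshold, not from the article

def header_values(headers, name):  # headers is a list of (name, value) pairs
    return [v for k, v in headers if k.lower() == name.lower()]

def hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        key, _, arg = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and arg.strip().strip('"').isdigit():
            return int(arg.strip().strip('"'))
    return None

class SrcCollector(HTMLParser):
    """Collect src URLs of scripts, images and frames, the usual form of ad tags."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe") and dict(attrs).get("src"):
            self.urls.append(dict(attrs)["src"])

def audit(http_resp, https_resp):
    """Return findings for one site given its plain-HTTP and HTTPS responses."""
    findings = []
    location = "".join(header_values(http_resp["headers"], "Location")[:1]).lower()
    if http_resp["status"] not in (301, 302, 307, 308) or not location.startswith("https://"):
        findings.append("http-not-redirected")
    hsts = header_values(https_resp["headers"], "Strict-Transport-Security")
    max_age = hsts_max_age(hsts[0]) if hsts else None
    if max_age is None:
        findings.append("hsts-missing")
    elif max_age < MIN_HSTS_MAX_AGE:
        findings.append("hsts-max-age-too-short")
    findings += ["cookie-without-secure:" + c.split("=")[0].strip()
                 for c in header_values(https_resp["headers"], "Set-Cookie")
                 if "secure" not in [a.strip().lower() for a in c.split(";")[1:]]]
    collector = SrcCollector()
    collector.feed(https_resp["body"])
    return findings + ["mixed-content:" + u for u in collector.urls if u.lower().startswith("http://")]

# Constructed sample responses for placeholder hosts (not real captures).
WEAK = ({"status": 200, "headers": []}, {"headers": [("Set-Cookie", "sid=abc123; Path=/")],
        "body": '<script src="http://ads.example.net/tag.js"></script>'})
GOOD = ({"status": 301, "headers": [("Location", "https://shop.example.com/")]},
        {"headers": [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                     ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly")],
         "body": '<script src="https://ads.example.net/tag.js"></script>'})
```

Calling `audit(*WEAK)` reports all four problems, while `audit(*GOOD)` returns an empty list.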
Let ’Em Know They’re Secure
When you’re taking action to protect your website, let it show. Phishing attacks reached a record high in 2014, and your online presence could hinge on being able to prove you’re the real deal.
Trust seals are small images displayed on your website that are verified by a certificate authority. Despite their controversial history, trust seals can have a huge impact on the way your customers see your site. A 2011 study shows that over 75% of users were influenced by trust seals.
The same study shows that 60% of users surveyed refused to make an online purchase from sites that were missing trust seals. Most certificate vendors provide trust seals for free, and placing one on a login page or checkout page is good practice.
Extended Validation Certificates
Like trust seals, Extended Validation (EV) certificates help your website’s security stand out better. There are a few ways EV certificates differ from regular SSL certificates:
- EV certificates undergo a more rigorous approval process, requiring proof of ownership for both the domain and the website.
- EV-secured websites highlight the URL in green and display the name of your organization next to the address bar.
Here's an example of how EV-secured websites are displayed in various browser bars:
[Image: EV-secured websites in various browser address bars. Photo credit: DigiCert]
EV certificates spotlight websites that are fully trusted by certificate authorities, at the cost of being more expensive and requiring more proof of ownership. As a result, they’re typically used by websites that require a very high level of trust.
Screw Sacrifice. Get Rewarded for SSL.
Google made waves in the SEO community by announcing SSL as a ranking factor. Although the change currently affects less than 1% of all queries, the weight of the score may increase as Google moves to “keep everyone safe on the web.”
Balancing Speed and Security
There’s a common belief that improving security means sacrificing performance. Because time to first byte also factors into search engine rankings, security might seem like somewhat of a tradeoff. And although SSL does use some additional resources, consider this: When Google updated Gmail to default to HTTPS, their frontend servers only saw an increase in CPU usage of less than 1%, and an increase in network overhead of less than 2%.
Considering the slim margins and the massive trust HTTPS attracts, this case study shows that SSL is far from a sacrifice.
One of the attempts to bridge the gap between speed and security is SPDY, an open protocol that’s gaining popularity as the next iteration of HTTP. SPDY adds long-overdue optimizations to HTTP which, for some websites, resulted in a 60% performance boost while using SSL for full security. As part of our commitment to open source, we partnered with Nginx and Automattic to include SPDY in the Nginx web server, bringing the next-generation web to over 140 million websites.
The Future of SSL
Where does the future of SSL stand? Well, new technologies are paving the way for easier, faster encryption.
Teams at OpenBSD and Google are looking for ways to beef up the security of OpenSSL, one of the most popular SSL implementations available. The LibreSSL and BoringSSL projects aim to address many of OpenSSL’s existing issues while adding new features.
Meanwhile, the Let’s Encrypt free certificate authority aims to simplify SSL by fully automating the domain validation process. Targeting a 2015 release, Let’s Encrypt promises free certificates that can be registered, installed, and revoked at the click of a button.
No matter where the privacy debate leads us, one thing’s for certain: Successful businesses are the ones that take smart approaches to protect their users’ data.