What is an SSL certificate?
In short, an SSL certificate is a digital authentication certificate which provides a site with HTTPS encryption. This certificate is then used to verify the legitimacy of a website and will allow that website to display to its users that it is trustworthy, as well as providing those same users with HTTPS-level encryption, further protecting non-sensitive information, names, passwords and banking details.
The benefits of HTTPS level encryption include:
- Providing security for users from man-in-the-middle attacks and protecting the user’s data, in line with GDPR
- Increase in organic rankings, based on additional trust signals
- Displaying a padlock next to the site’s URL as a visual clue to users informing them that encryption is active on the site
How does an SSL certificate benefit SEO?
With search engines pushing towards a more secure web, websites with HTTPS level encryption (as opposed to HTTP) can see positive effects when it comes to rankings.
Sites will also receive warnings if any resources used on the site are not HTTPS encrypted; this is called a mixed content warning. A few months ago we released a post detailing how Google Chrome has cracked down on mixed content, along with how this should be treated. Resources that have been targeted by Google Chrome include:
- Audio, video, and image files
Ensuring all these resources are served using HTTPS encryption will safeguard the site from being negatively impacted by “insecure site” warnings.
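As an added example (not part of the original post), the Python sketch below lists the audio, video and image resources that an HTTPS page would still request over plain HTTP. The page URL, hostnames and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags and URL attributes for the resource types named above (audio, video, images).
MEDIA_ATTRS = {"img": ("src",), "audio": ("src",), "video": ("src", "poster"), "source": ("src",)}

# Constructed sample page; every hostname here is a placeholder.
SAMPLE_PAGE = """<html><body>
<img src="http://cdn.example.test/logo.png">
<img src="/static/hero.jpg">
<img src="//img.example.test/banner.png">
<video poster="https://media.example.test/p.jpg"><source src="http://media.example.test/clip.mp4"></video>
<audio src="http://media.example.test/intro.mp3"></audio>
<a href="http://example.test/">plain link, not a loaded resource</a>
</body></html>"""


class MixedContentFinder(HTMLParser):
    """Collects (line, tag, absolute URL) for media that resolves to http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in MEDIA_ATTRS.get(tag, ()) or not value:
                continue
            # Relative and protocol-relative URLs inherit the page's own scheme.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                line, _ = self.getpos()
                self.findings.append((line, tag, absolute))


def find_mixed_media(page_url, html):
    """Return insecure media references found in html as served from page_url."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only arises on pages that are themselves HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings
```

Each finding is a resource whose URL should be switched to HTTPS at the source; relative and protocol-relative references are already safe on an HTTPS page and are not reported.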
If an SSL certificate fails or is invalid, browsers such as Google Chrome will display a warning that the user’s connection is not private. This warning is much more severe than the “mixed content” warning and will need to be resolved as soon as possible.
How to get an SSL certificate?
For most sites, SSL certificates are provided as part of a web hosting subscription, such as SiteGround, BlueHost and Host Gator, although these will usually be low-level, domain validated SSL certificates, suitable for sites that don’t receive a high amount of traffic and require minimal encryption.
There are many types of SSL certificates that will be suitable in different scenarios and can be split into 3 main types:
Domain Validated Certificates (DV)
Perfect for SMEs and offering minimal encryption, these are also the cheapest certificates, which don’t require verification of the site owner’s information. Domain validated certificates provide just enough encryption for browsers to display the HTTPS padlock within the address bar.
Organisation Validated Certificates (OV)
A tier up from domain validated certificates, organisation validated certificates provide an extra level of trustworthiness and involve a manual investigation of the information of the organisation applying for the SSL certificate. This certificate is ideal for sites that use customer login information (excluding payment specific information).
Extended Certificates (EV)
These offer the highest level of encryption and also require the highest level of validation. Extended certificates are recommended for sites that require sensitive customer information, such as payment card information for ecommerce sites.
Each of these certificates will provide sites with a padlock within the address bar; however, they will provide users with varying amounts of security.
How much is an SSL certificate?
Prices for SSL certificates can vary depending on level of encryption, level of verification and added benefits provided as part of the service. Splitting prices into the 3 types mentioned in the “How to get an SSL certificate?” segment, these can fit into the following price margins (pricing is approximate):
|SSL Certificate Type|Price Point|Approximate Cost|
|---|---|---|
|Domain Validated (DV)|£|£5-£150/yr|
|Organisation Validated (OV)|££|£15-£1,000/yr|
|Extended Certificate (EV)|£££|£50-£2,300/yr|
What is the recommended validity length of an SSL certificate?
A bill passed on 1st March 2018 reduced the maximum validity length of DV and OV SSL certificates from 39 months to 825 days (around 27 months); EV SSL certificates are already limited to a maximum lifetime of 27 months, and 13 months for validity information. So, what is the recommended length of an SSL certificate’s validity across browsers? And is it better to have a longer or shorter validity time?
To answer the latter question, a shorter validity time on an SSL certificate can be seen to provide a higher amount of security as authenticity checks will need to be performed more often.
With regard to the recommended validity length of an SSL certificate, Apple have placed themselves at the front of this conversation by announcing that as of 1st September 2020, they will be setting a hard trust limit of 398 days, as opposed to the current acceptable duration of 825 days. This means that any certificates issued after this date for longer than 398 days will not be trusted by Apple products. Google have also been seen to show some interest in shortening their trust limit to around one year, although nothing has been passed as of yet.
With trust limits currently sat at 825 days across all browsers until 1st September 2020, any certificates purchased before this date can be valid for up to the full 825 days and be trusted across all browsers. For certificates purchased after 1st September 2020, we would recommend ensuring that validity lengths are kept under 398 days, in order to keep within Apple’s (and all other browsers’) trust limit.
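As an added example (not part of the original post), the Python sketch below checks a certificate's validity length against the 825-day and 398-day limits described above. It assumes the certificate's notBefore date is its issuance date; the sample certificates are constructed, and `fetch_cert` is an optional helper for checking a live site.

```python
import socket
import ssl
from datetime import datetime, timezone

# Dates and limits as stated in the article.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
LIMIT_BEFORE_CUTOFF = 825  # days
LIMIT_FROM_CUTOFF = 398    # days

# Constructed certificates in the dict shape returned by SSLSocket.getpeercert().
ISSUED_MARCH_2020 = {"notBefore": "Mar  2 00:00:00 2020 GMT", "notAfter": "Jun  5 00:00:00 2022 GMT"}
ISSUED_SEPT_2020 = {"notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Oct  4 00:00:00 2021 GMT"}
ISSUED_TOO_LONG = {"notBefore": "Sep 15 00:00:00 2020 GMT", "notAfter": "Dec 19 00:00:00 2022 GMT"}


def _parse(cert_time):
    """Convert getpeercert()'s 'Sep  1 00:00:00 2020 GMT' form to an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def check_validity(cert):
    """Return the certificate's validity length and the trust limit that applies to it."""
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    days = (not_after - not_before).total_seconds() / 86400
    # Assumption: a certificate issued on the cutoff date itself falls under the new limit.
    limit = LIMIT_FROM_CUTOFF if not_before >= CUTOFF else LIMIT_BEFORE_CUTOFF
    return {"days": round(days, 2), "limit": limit, "within_limit": days <= limit}


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live server certificate (needs network access; not used by the samples)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    samples = {"march-2020": ISSUED_MARCH_2020, "sept-2020": ISSUED_SEPT_2020,
               "too-long": ISSUED_TOO_LONG}
    for name, cert in samples.items():
        print(name, check_validity(cert))
```

The third sample shows the case the article warns about: an 825-day certificate that was acceptable before the cutoff exceeds the limit once it is issued after it.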
by Zack Cornick