Do I Need An SSL Certificate For My Website?

Do I need an SSL Certificate Shopping Cart You’ve probably heard of encryption, or seen the green address bar of an EV SSL certificate, and wondered "Do I need an SSL certificate on my site?" The short answer: yes, if you are asking for any personal information from visitors.

Most online shoppers are very careful and want to know that their information is safe. Using an SSL certificate provides two important things:

Encryption of sensitive data like credit card numbers and personal information (name, address, username, password, etc.)
Some assurance to your customers that you are trustworthy (the process of getting an SSL certificate can't guarantee this, but it can make it more likely which is part of the reason why visitors have this perception)

These are very important benefits and, these days, nearly every website should have an SSL Certificate. To find out if you need an SSL certificate for your site, answer these questions:

Is my site an e-commerce site that collects credit card information?

For most e-commerce sites, you absolutely need an SSL certificate! As an online merchant, it is your responsibility to make sure the information you collect from your customers is protected. This will shield you and your customers by making sure that no one can intercept and misuse their credit card information.

Your customers are providing you with very important and personal information that allows access to their hard earned money. If an identity thief gets access to your customer’s credit card information because you didn’t take the necessary precautions, it can be devastating to you and to your customer. Your customers need to know that you value their security and privacy and are serious about protecting their information. More and more customers are becoming savvy online shoppers and won’t buy from you if you don’t have an SSL certificate installed.

If you accept credit card information and store it in a database so you can process it using an offline POS machine or charge it manually on your merchant account’s website, then you definitely need an SSL certificate to secure the credit card data as it is transferred. You also need to be very careful with the data when it is stored on your servers. Learn more about PCI Compliance and SSL and the requirements of protecting stored credit card information.

Do I use a 3rd party payment processor?

If your e-commerce site forwards your visitors to a 3rd party payment processor (like PayPal) to enter the credit card information, they will encrypt the information but you will still want an SSL Certificate to protect login information and to look more trustworthy.

Do I have a login form?

If your users enter a username and password to login to your site without an SSL certificate, an attacker can easily see their username and password in clear text. This would allow someone else to impersonate your visitor, but it allows for a far more dangerous possibility: Because users often use the same password on many sites (including their bank accounts), an attacker can potentially compromise many other accounts. If you let people store a password with you, you must take responsibility for protecting it, even if the security of your own site isn't critical.

Mandy login forms are still vulnerable but yours shouldn't be. If you want to forego the SSL certificate without having to worry about securing the login information, you can also use OpenID, Facebook Connect, or another technology that lets users log in on a another site and return to your site. But you will probably want to get an SSL Certificate any way so users trust your site more. Learn more about creating a secure login form.

Do I need my own SSL certificate or can I use a shared SSL certificate?

Many hosting providers will include a shared SSL certificate that you can use instead of buying your own. As long as it doesn’t give any errors on your site, this will be great for securing login information or other sensitive information. However, a shared SSL certificate doesn’t provide as much assurance to your visitors because it doesn’t include your organization or website name in it and may display a warning.

In summary, if your website is a collection of pictures of your goldfish Rudy and doesn’t require visitors to log in, you probably don't need SSL. If you have a login form or handle personal information or just want to look more trustworthy, then you need SSL. If you run an e-commerce website where people provide you with credit card information directly on your site, you absolutely need SSL.

Do I want to look at trustworthy as possible?

While the main purpose of SSL is encrypting information, it also increases how trustworthy your site looks because of the many web browser indications. Google has also said that having an SSL Certificate may increase your PageRank so you're more likely to show up in their search results.

Where do I purchase an SSL certificate?

How do you know what type of certificate to purchase? Which SSL provider should you buy from? You can find the answers to all your questions about buying an SSL Certificate in the SSL FAQ or by using the SSL Wizard to compare SSL.

Originally posted on Sat Mar 6, 2010

Comments

Shah(2014-12-13)
Thanks
Joseph A'Deo(2014-12-13)
Thanks for this great note about SSL. I work for VeriSign so I'm hyper-aware of the need that most businesses have and may or may not recognize for encryption. There are other options though, for websites that can't afford a full extended validation ssl cert but still want protection - for example, setting up a checkout account with google or paypal encrypts you automatically, and then all you really need is an authentication and malware scanning product (like the VeriSign Trust Seal, for example, which was developed specifically for sites that don't need ssl). But one way or the other, all sites need protection, and ssl is one of the sturdiest forms out there.
arbemo(2015-03-29)
Looks good advice to me, as a start-up that may host many sites I want to keep costs low but provide protection to my clients
mariocarnival .(2017-04-16)
I'd like to see which are the pros and cons for an online store about: collecting credit card numbers or working with a third party payment gateway.
SSL Shopper(2017-04-17)
If the user is redirected to the Payment Processor website (they actually leave your website) like when paying with PayPal, then you don't need to get an SSL certificate for your website. Most shopping carts like to keep the visitor on their website though. In that case, where the credit card information is entered while the visitor is still on the shopping cart website, the site absolutely needs an SSL certificate to encrypt the credit card information while it is transmitted.
Victoria Corcoran(2017-05-15)
my website is purely for information purposes and just has info and pictures on it, we dont ask for card details, log in info or anything, so am i right in thinking i dont need a ssl certificate. freestart who do my website have been contacting me for months saying i need to have this ssl and i dont then customers wont be able to see my website and that it will say my website isnt safe so dont click on it. theyve called again today to say that after whats happened with the nhs in the UK over the weekend then we need to get this -are they scaremongering?
SSL Shopper(2017-05-16)
There are still some benefits to having an SSL certificate but if you don't have collect any personal info or logins you really don't need it.
Stewart Polley(2017-06-12)
A little bit of both. An SSL certificate won't protect you from what happened to the NHS, keep your windows updates turned on to protect against that. An SSL certificate can help prevent your website being used to spread the attacks though. It helps ensure that no-one between you and your customer can intercept their traffic and abuse it, or inject their own content. Think of loading a webpage like getting a letter. When there's no SSL certificate, it's just a piece of paper that anyone between you and the recipient can read, and write anything they want on it as well. With SSL it's more like a locked safe that's being moved. You and the recipient can open it because you have keys, but no one in the middle can.
Mary Stanley(2017-08-14)
Ok, bear with me - I'm wanting to start a small business and am thinking not to take payments through a web site but rather work up invoices, push those out to clients, and just have them pay via Paypal. Do I need the SSI, and "Website Security (Recommended) Secure your website against viruses, malware, hackers, and spam". It would just be a single page with service information and my contact information. Once a quote is worked up, send a payment request via Paypayl. Any advice? The business that I want to start lends itself to each job would be customized, therefore, there's really no need to have pre-packaged fees, etc. Thank you in advance!
Matheo Cadena(2017-10-16)
After reading this article it is safe to say that if you're handling payments by redirecting users to Paypal's website then your site does not need an SSL Certificate. Note if you do not have an SSL, it is essential that any information collected is not happening on your site. I.e., they are redirected to a Secure site before providing any personal or payment details.
RAY(2017-09-04)
Hi I am asking customers to select from a number of outlets and then enter their name address and contact details. Do I need SSL?
SSL Shopper(2017-09-06)
Hi Ray, SSL may not be essential in that case but it would still be better for your customer's privacy.
PGwalknroll Publications(2017-11-20)
It would add personal credibility I imagine, when your visitors feel secure
Matheo Cadena(2017-10-16)
I came here thinking I may need an SSL for my Portfolio site. After reading the article it appears I do not, since I don't collect any information from my users. Thanks for the informative read.
Nate Vickery(2018-02-28)
Actually, it is advisable to switch to HTTPS even though you are not collecting data. You don't want your visitors repelled by a "not secure" tag before your site's URL. It's clear that Google insists on SSL/HTTPS, you can read about it here http://4dot.me/KtNJRr. There are free SSLs if you don't want to invest in one, so I would just do it anyway.
PGwalknroll Publications(2017-10-23)
Hmmm. This site seems credible. I changed mine to hpps as I was led to believe Mozilla Firefox would start flagging those sites with HTTP due to security certificates not being valid... Any truth to that? The change was free from my server. It's no real harm and I see yea, I do have a log in screen for subscribers (I hope) at https://walknroll.info so it was not a bad thing I guess even if the original reason was just a panic thing.
ericbushman(2018-02-06)
Very helpful information. As I'm playing around with updating my website to include a shop I figure I need to get a bit more security for my users.