Do I Need An SSL Certificate For My Website?
You’ve probably heard of 128-bit encryption, or seen the green address bar of an EV SSL certificate, and you’re wondering "Do I need an SSL certificate on my site?" Most online shoppers are very careful and want to know that their information is safe. Using an SSL certificate provides two important things:
- Encryption of sensitive data like credit card numbers and personal information
- Some assurance to your customers that you are trustworthy (the process of getting an SSL certificate can't guarantee this, but it can make it more likely, which is part of the reason why visitors have this perception)
These are very important benefits and, while not all websites require an SSL certificate, it is essential for certain types of sites. To find out if you need an SSL certificate for your site, answer these questions:
Is my site an e-commerce site that collects credit card information?
For most e-commerce sites, you absolutely need an SSL certificate! As an online merchant, it is your responsibility to make sure the information you collect from your customers is protected. This will shield you and your customers by making sure that no one can intercept and misuse their credit card information.
Your customers are providing you with very important and personal information that allows access to their hard-earned money. If an identity thief gets access to your customer’s credit card information because you didn’t take the necessary precautions, it can be devastating to you and to your customer. Your customers need to know that you value their security and privacy and are serious about protecting their information. More and more customers are becoming savvy online shoppers and won’t buy from you if you don’t have an SSL certificate installed.
If you accept credit card information and store it in a database so you can process it using an offline POS machine or charge it manually on your merchant account’s website, then you definitely need an SSL certificate to secure the credit card data as it is transferred. You also need to be very careful with the data when it is stored on your servers. Learn more about PCI Compliance and SSL and the requirements of protecting stored credit card information.
Do I use a third-party payment processor?
If your e-commerce site forwards your visitors to a third-party payment processor (like PayPal) to enter the credit card information, then you don’t need an SSL certificate because your website won’t touch the credit card information. Just make sure none of the credit card details get entered when the address bar still shows your domain name. Note that PayPal allows you to accept the credit card information on your site or forward visitors to their site. If you accept the credit card information on your site, you need an SSL certificate.
Do I have a login form?
If your users enter a username and password to log in to your site without an SSL certificate, an attacker can easily see their username and password in clear text. This would allow someone else to impersonate your visitor, but it allows for a far more dangerous possibility: because users often use the same password on many sites (including their bank accounts), an attacker can potentially compromise many other accounts. If you let people store a password with you, you must take responsibility for protecting it, even if the security of your own site isn't critical.
It is true that most login forms don’t currently use SSL. This means that most login forms are vulnerable. With the number of cheap SSL certificates available, it is becoming more and more worthwhile to secure login forms. If you want to forgo the SSL certificate without having to worry about securing the login information, you can also use OpenID, Facebook Connect, or another technology that lets users log in on another site and return to your site. Learn more about creating a secure login form.
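The following Python script, added here as an example and not part of the original article, audits a page's HTML for the two cases above: forms that take a password or a card number and are loaded or submitted without HTTPS. The field-name heuristic, the shop.example URLs and the sample markup are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import re

# Assumed naming heuristic for card fields; adjust to your own form markup.
CARD_HINT = re.compile(r"card|cc-?num|cvv|cvc", re.I)

class FormAudit(HTMLParser):
    """Collects each <form> with its action and the sensitive inputs inside it."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "kinds": set()}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            if (a.get("type") or "").lower() == "password":
                self._cur["kinds"].add("password")
            label = " ".join(filter(None, (a.get("name"), a.get("id"), a.get("autocomplete"))))
            if CARD_HINT.search(label):
                self._cur["kinds"].add("card")

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit(page_url, html):
    """Return (kinds, where, url) for sensitive forms loaded or submitted without HTTPS."""
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for form in (f for f in parser.forms if f["kinds"]):  # skip forms with nothing sensitive
        target = urljoin(page_url, form["action"])  # empty action posts back to the page
        # Check the page too: a form served over HTTP can be altered before it is submitted.
        for where, url in (("page", page_url), ("action", target)):
            if urlparse(url).scheme != "https":
                findings.append((sorted(form["kinds"]), where, url))
    return findings

# Constructed sample markup (not from a real site).
SAMPLE = """<form action="/search"><input type="text" name="q"></form>
<form action="/login" method="post"><input name="user"><input type="password" name="pass"></form>
<form action="https://shop.example/pay"><input name="cardnumber" autocomplete="cc-number"></form>"""

for finding in audit("http://shop.example/account", SAMPLE):
    print(finding)
```

Run it against the HTML of your own login and checkout pages; an empty result means every form that takes a password or card number is both served and submitted over HTTPS.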
Do I need my own SSL certificate or can I use a shared SSL certificate?
Many hosting providers will include a shared SSL certificate that you can use instead of buying your own. As long as it doesn’t give any errors on your site, this will be great for securing login information or other sensitive information. However, a shared SSL certificate doesn’t provide as much assurance to your visitors because it doesn’t include your organization or website name in it and may display a warning.
In short, if your website is a collection of pictures of your goldfish Rudy with a small blog and doesn’t require visitors to log in, you probably don't need SSL. If you have a login form or send or receive private customer information, then you need SSL. If you run an e-commerce website where people provide you with credit card information directly on your site, you absolutely need SSL.
Where do I purchase an SSL certificate?
Great! So you’re now sure that you need SSL for your e-commerce or other type of site. How do you know what type of certificate to purchase? Which SSL provider should you buy from? You can find the answers to all your questions about buying an SSL Certificate in the SSL FAQ or by using the SSL Wizard to compare SSL.
Originally posted on Sat Mar 6, 2010