Do I really need an SSL certificate on my website?
It really depends on the requirements that your business website needs to meet.
If you are running a purely “brochure” style website, i.e. the customer looks at the site and then contacts you via email or telephone, then the chances are you probably don’t need one.
But, if your small business website provides a mechanism where it collects customer (or potential customer) personal data, then you ought to seriously consider it.
Ignoring the technical side of things for a moment, YOU, as the Business Owner have obligations and legal requirements with regard to the data collected.
Data Protection
The Data Protection Act classes personal data as any information relating to a living person (the ‘data subject’) who can be identified from that information. Personal information covers both facts and opinions about the individual, so, for example, names, addresses and telephone numbers are obvious identification methods. Other less obvious information, such as unique reference/order numbers, could also be used to identify a person and so should be treated as personal data.
The second principle of the Data Protection Act 1998 is:
2. Personal data shall be obtained only for one or more specified and lawful purposes.
This purpose also has to have been registered with the Information Commissioner.
So, if your website is collecting and/or storing personal data, then you have a responsibility to make sure that it is handled correctly and most importantly, securely. Breaches of data protection legislation are criminal offences and can result in severe penalties.
ICO Good Practice
The Information Commissioner’s Office (ICO) has produced a handy summary of SSL good practice which states:
- Ensure that personal data (and sensitive information generally) is transferred using SSL or TLS where appropriate.
- Consider using SSL or TLS for all data transfer in order to reduce complexity. Remember that in the case of a website, any included content such as images, javascript or CSS should also be provided over SSL or TLS in order to avoid ‘mixed content’ warnings.
- Ensure that SSL or TLS is set up to provide encryption of adequate strength.
- Ensure that every SSL or TLS service uses a valid certificate, and schedule renewal of all certificates before they expire to ensure the services remain secure.
- Consider obtaining an Extended Validation (EV) certificate if assurance of identity is of particular importance.
- Do not encourage users to ignore SSL or TLS security warnings.
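The first four points above can be checked mechanically rather than by eye. The following script is an added example, not the ICO’s or this page’s own code: it flags sub-resources loaded over plain http:// (the ‘mixed content’ case), works out how many days remain on a certificate from the record shape `ssl.getpeercert()` returns, and builds a client context that refuses anything weaker than TLS 1.2. The page HTML, hostnames and certificate record are constructed samples.

```python
import ssl
import time
from html.parser import HTMLParser

# Tag/attribute pairs that pull sub-resources into a page. An http:// URL in any
# of these on an https:// page is mixed content and triggers the browser warning.
RESOURCE_ATTRS = {("img", "src"), ("script", "src"), ("link", "href"),
                  ("iframe", "src"), ("source", "src"), ("video", "src"),
                  ("audio", "src")}


class MixedContentScanner(HTMLParser):
    """Collects (tag, url) for every sub-resource fetched over plain HTTP."""
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in RESOURCE_ATTRS and value and value.lower().startswith("http://"):
                self.insecure.append((tag, value))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.insecure


def days_until_expiry(cert, now=None):
    """cert uses the dict shape returned by ssl.SSLSocket.getpeercert()."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def needs_renewal(cert, now=None, lead_days=30):
    """True when the certificate should already be on the renewal schedule."""
    return days_until_expiry(cert, now) < lead_days


def strong_tls_context():
    """Client context that validates certificates and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample page and certificate record; not taken from any real site.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="http://cdn.example.test/logo.png"> <img src="/images/local.png">
</body></html>"""
SAMPLE_CERT = {"subject": ((("commonName", "shop.example.test"),),),
               "notAfter": "Mar  1 12:00:00 2030 GMT"}

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"mixed content: <{tag}> loads {url}")
    print("days until certificate expiry:", days_until_expiry(SAMPLE_CERT))
```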
Show some Trust for your website
Google have announced that starting in January 2017, their Chrome browser (version 56) will label HTTP pages with password or credit card form fields as “not secure,” given their particularly sensitive nature. You can read more on the Google Online Security blog.
Firefox in its latest versions (51 &51) also brings a new warning about insecure login pages, which appears prominently in the address bar and login boxes.
This appears to be part of an industry-wide campaign to move away from HTTP, which is insecure and could leave users’ online activity vulnerable to snooping, interception, modification and so on.
Would you prefer to have to explain to your potential or existing customers why their web browser is showing your site as “insecure”, or would you rather start from a position of “I am a trusted site, please use me with confidence”?
In Summary
In our opinion, if your website collects your customers’ personal details, then you probably want an SSL Certificate.
Ultimately it is going to show your customers that you take their data seriously by encrypting it, you are going to demonstrate to the search engines that you are the website you claim to be, and you tick a couple of big boxes on your Data Protection policy.
Interested in web hosting that includes basic SSL? Check out our online store.