An introduction to SSL certificates for eCommerce

Written by Nicole Kohler on December 23, 2015. Filed under: Blog, Security.

Part of the process of starting an online store is finding a way to secure the experience for your shoppers. You want your potential customers to feel safe, of course, and to know that their data isn’t going to fall into the wrong hands.

If you’re new to eCommerce, you might have heard some chatter about SSL certificates or HTTPS as part of this security process. And you might be utterly confused by it. Relax — that’s normal, and we can help.

SSL sounds like a complicated topic, but once you understand the premise and why your store might need it, it’s not something you’ll have to spend any time worrying about. In fact, for most store owners, you can get a certificate to add SSL to your store in just a few minutes.

Let’s go over what SSL is, why you might need it, and how you can go about getting a certificate for your store. At the end of this post, your confusion should be gone, and you should be even more prepared to start selling online.

The SSL certificate explained

To understand what an SSL certificate is and why you might need one, let’s first take a quick look at the technology behind it.

A quick lesson on SSL

SSL stands for “Secure Sockets Layer.” Its successor is Transport Layer Security (TLS), and the two names are used almost interchangeably, although every current browser and server actually speaks TLS. SSL/TLS is a protocol for securing traffic (not only financial transactions) between two endpoints on a network.

SSL is a simple way of securing your site.

SSL relies on encryption to keep the conversation private, and on a message authentication check to keep it intact: every record received is verified before it is accepted. If the check fails (because the data was corrupted in transit, or because someone on the path tried to alter it), the record is rejected rather than handed to the application. Capturing the traffic is a different matter: an eavesdropper can still record the bytes, but without the session keys they are unreadable.

We use SSL every day when we browse common websites like Facebook, YouTube, and online stores. The encryption used prevents those with malicious intent from intercepting transactions as innocent as your search queries… or as dangerous as your credit card information.

How SSL applies to website certificates

When a website wants to secure its traffic, it obtains an SSL certificate for its domain name. The certificate does not encrypt anything by itself; it binds the site’s public key to its domain name so that a browser can confirm it is talking to the real server before the encrypted connection is set up. Once the connection is established, everything exchanged over it is protected: page loads, form submissions, checkout requests, and so on. That protects data while it travels between the shopper and your server; it does not protect data that is already stored on the server.

SSL certificates also carry information that a browser (or a curious shopper) can inspect, including:

  • The domain name(s) the certificate covers
  • Company name and location (only on certificates whose issuer verified the organization; basic certificates carry just the domain)
  • The validity period (when it starts and when it expires)
  • Details of the certificate authority that issued it

This lets a shopper who is unsure about a site click the “lock” icon in the browser’s address bar and review that information: which domain the certificate was issued for, who issued it, and whether it is still valid. If they still do not feel comfortable, they can leave.

An example of the kind of information you can see when reviewing an SSL certificate — in this case, Google’s Webmaster Central blog.

How to know if a website uses SSL/TLS

There are two quick ways to tell if any given website has an SSL certificate. Look for:

  • A green “lock” icon in the address bar, and
  • A URL that starts with https instead of http

Depending on how the site uses SSL, this might not apply to every page — as you’ll learn below.
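The checks above can be automated. The script below is an added example written for this post, not code from the page or from WooCommerce: it connects to a host the way a browser does, using Python’s standard-library ssl module with the default verifying context, and summarises what the certificate says: the names it covers, the organization (present only when the issuer verified one), the issuer, and how many days remain before it expires. It also checks whether a hostname is covered, including the single-label wildcard case (*.example.com) that comes up when comparing certificate types. The SAMPLE_PEER_CERT dictionary, its host names, serial and dates are constructed for the example; the wildcard matching is a simplified version of the browser’s rules. Only the optional command-line mode touches the network.

```python
"""Inspect the TLS certificate a site presents, the way a browser's lock icon does.

Added example; standard library only. Run as:  python cert_check.py www.example.com
With no argument it summarises the constructed SAMPLE_PEER_CERT below.
"""
import socket
import ssl
import sys
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# Not a real certificate: names, serial and dates are made up for this example.
SAMPLE_PEER_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Store Ltd"),),   # only present on OV/EV certificates
        (("commonName", "www.example.com"),),
    ),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example CA"),),
        (("commonName", "Example CA Intermediate"),),
    ),
    "version": 3,
    "serialNumber": "0A1B2C",
    "notBefore": "Jan  1 00:00:00 2016 GMT",
    "notAfter": "Mar 31 23:59:59 2016 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}


def _name_to_dict(rdn_sequence):
    """Flatten getpeercert()'s nested subject/issuer tuples into a plain dict."""
    out = {}
    for rdn in rdn_sequence:
        for key, value in rdn:
            out[key] = value
    return out


def covers_hostname(cert, hostname):
    """True if hostname matches one of the certificate's DNS names.

    Simplified matching: an exact match, or a wildcard such as *.example.com
    that covers exactly one extra label (shop.example.com, but neither
    a.b.example.com nor example.com itself).
    """
    hostname = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == hostname:
            return True
        if name.startswith("*.") and "." in hostname:
            if hostname.split(".", 1)[1] == name[2:]:
                return True
    return False


def summarize_cert(cert, now=None):
    """Pick out what a shopper or store owner looks at behind the lock icon.

    now: seconds since the epoch (defaults to the current time); passed in
    explicitly so the result is reproducible.
    """
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    subject = _name_to_dict(cert.get("subject", ()))
    issuer = _name_to_dict(cert.get("issuer", ()))
    return {
        "common_name": subject.get("commonName"),
        # Only present if the CA verified an organization (OV/EV); DV certs carry just the domain.
        "organization": subject.get("organizationName"),
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "dns_names": [n for kind, n in cert.get("subjectAltName", ()) if kind == "DNS"],
        "not_after": cert["notAfter"],
        "days_left": int((not_after - now) // 86400),
        "valid_now": not_before <= now <= not_after,
    }


def fetch_peer_cert(hostname, port=443, timeout=5):
    """Connect like a browser would (chain verified, hostname checked) and
    return (peer certificate dict, negotiated protocol version)."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw_sock:
        with context.wrap_socket(raw_sock, server_hostname=hostname) as tls_sock:
            return tls_sock.getpeercert(), tls_sock.version()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]
        cert, version = fetch_peer_cert(host)
        print("negotiated:", version)
        print("hostname covered:", covers_hostname(cert, host))
        info = summarize_cert(cert)
    else:
        info = summarize_cert(SAMPLE_PEER_CERT, now=ssl.cert_time_to_seconds("Mar  1 00:00:00 2016 GMT"))
    for key, value in info.items():
        print(f"{key:>14}: {value}")
```

The days_left figure is the one worth watching once a certificate is installed: a short-lived certificate that is not renewed expires silently, and the first sign is shoppers seeing a browser warning instead of the lock icon.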

How the usage of SSL is changing

For quite some time, common practice was that SSL certificates were only recommended for domains or specific pages of websites where sensitive information (such as financial data) would be transmitted or received. However, that recommendation is slowly changing.

In August of 2014, Google announced that website security would be added as a “lightweight ranking signal” for results in its search engine. This meant that a website secured with SSL/TLS stood a better chance at ranking higher for a query than an unsecured one, assuming all other factors were the same.

From the announcement:

[W]e’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now it’s only a very lightweight signal […] while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe.

Over the past year, the potential implications of this change have caused many website owners — not just store owners — to serve their entire sites over SSL/TLS, changing their URLs to “https” instead of “http.”

However, this doesn’t require anyone to secure their entire site with SSL. Should they choose, website and store owners can still place all their sensitive pages on a subdomain, purchase a certificate for that domain alone, and leave the rest of the pages unencrypted. Bear in mind that anything on the unencrypted pages, including a login form that appears in a header or sidebar, is still sent in the clear, so the split only works if every sensitive form and page genuinely lives on the secured host.

How to know if your online store needs SSL

Reading all this, you might be convinced that you need a SSL certificate. After all, security is important to you, right?

However, if you don’t capture, store, or pass through any sensitive data, you might not actually need a certificate. This might sound strange, so let’s dig in.

The most common scenario that exempts store owners from needing SSL is the use of an offsite payment processor — for example, PayPal. This is because PayPal is responsible for capturing and storing all of your customer’s sensitive payment information: the card details are entered on PayPal’s site and never pass through your server or your database.

Offsite payment processors have their own security standards, certificates, and methods of securely passing data to and from your store. Therefore you don’t necessarily need SSL for the payment step, because they’ll have it covered. Note the limit of that argument, though: order details your own pages collect, such as name, email, and shipping address, still travel over plain http unless you add a certificate.

If you don’t store any sensitive payment information, you might not need SSL.

Another scenario is if you don’t allow customers to create accounts or logins involving passwords of any kind. Even if you use a third-party, entirely offsite payment gateway, you might still have customers creating accounts with you to save their shipping and billing addresses.

While this is far less sensitive information, the password is the real problem: many customers use the same password for every account. If that password is sent over plain http, anyone positioned on the network between the shopper and your store (on the same public Wi-Fi, for instance) can read it, and that single capture could give an attacker access to the shopper’s email account, bank account… you name it. This means that unless account creation is disabled on your store, you’ll need SSL to protect those passwords and logins.

To recap, the two factors that can eliminate SSL as a requirement are:

  • Usage of a fully off-site payment gateway, and
  • Absolutely no account or password functionality allowed by customers

If you don’t have both of these factors in place, you’ll need a certificate for your store. And even if you do, you should still consider it, given the possibility of HTTPS becoming more important for rankings — and customer peace of mind — in the future.

Need SSL? How to get a certificate (two ways)

The standard way to secure your store with SSL until very recently was to pay a third party for a certificate. There’s now another option, however, as mentioned during The State of the Word at WordCamp US.

Here are two ways you can secure your store and keep your customers happy.

Paying for a certificate

SSL certificates can be purchased from a wide variety of third parties. Many domain resellers offer them to their customers (sometimes even bundled with your domain name), and there are also independent companies who sell only SSL certificates.

Your best bet might be to start with the company from which you purchased (or are planning to purchase) your store’s domain name to determine if they offer certificates or any kind of bundle. If not, a simple search should turn up multiple reliable options.

Before you buy, spend a few minutes carefully considering the type of certificate you need. Basic SSL certificates only cover one name — e.g. example.com or shop.example.com. But you can also purchase multi-domain certificates, or “wildcard” certificates that cover every subdomain at one level (a certificate for *.example.com covers shop.example.com, blog.example.com, and so on, but not example.com itself unless that name is listed separately).

Pricing for paid certificates typically ranges from $30 to $50 per year for single domains, and up to $300 per year for multi-domain or wildcard options.

Free certificates from Let’s Encrypt

The Internet Security Research Group (ISRG) currently has a program called Let’s Encrypt in public beta. Let’s Encrypt allows anyone to secure their site with SSL/TLS for free. The certificates are short-lived (each one is valid for 90 days) and are meant to be renewed automatically by the client software, so in practice a store owner gets a free certificate that keeps renewing itself rather than one that is bought once a year.

The catch: Let’s Encrypt isn’t quite as straightforward as working with a domain registrar to purchase and install your certificate. It’s also still in beta, so bugs are possible. However, it is still completely free, and open source at that.

A diagram from Let’s Encrypt showing how their certificates work.

If you’re interested in going this route, we recommend sending the Let’s Encrypt documentation to your developer, who can determine the plugin and client you need for your server, and handle the certificate installation process for you.

The consequences of not having a certificate

You might be wondering “what happens if I ignore all this and just don’t get an SSL certificate?”

Truthfully, nothing might happen. But there could also be dire consequences, including:

  • Shoppers losing trust in you because your store appears unsecured
  • Someone on the network path impersonating or tampering with your store, because without a certificate a browser has no way to check that it reached the real server
  • An attacker who captured a shopper’s password from your login form reusing it to hijack their email, social media, or other online accounts
  • Theft of personal or financial data while it travels between the shopper and your server
  • The public and potential financial backlash caused by any one of the above events

As you can see, it’s better to simply get an SSL certificate (paid or free) and have the peace of mind than it is to risk it. Even having potential customers pester you about that missing lock icon — and potentially exit without buying because it’s missing — is worth the $30 or so a year, don’t you think?

SSL doesn’t have to be a complicated matter

We hope this introduction to SSL certificates for eCommerce has helped you understand a bit better why you might — or might not — need a certificate for your own online store.

With any luck, SSL and store security should seem much easier for you to grasp now. But if you have any remaining questions, we’ll be more than happy to answer them for you in the comments below! Ask away, we’re always here to help.

22 Responses

  1. Alin Ionut
    December 28, 2015 at 8:38 am #

    As Google says, let’s make a safer web.

  2. Cristi
    December 31, 2015 at 9:24 am #

    I think data like your full name, contact information and home address is sensitive even in the absence of an account/password and should be encrypted. I would advise forcing https for the whole checkout section.

  3. Chris Jones
    January 6, 2016 at 7:35 pm #

    Nicole, you might want to add Cloudflare. They provide SSL even for their Free plan. (Warning: The Free plan is nearly as fast or secure as the Paid plans.) I’ve been reading up on it for a couple of projects and it looks promising.

    • Nicole Kohler
      January 8, 2016 at 4:30 pm #

      Thanks for the suggestion Chris!

  4. Tarnya
    January 8, 2016 at 6:22 am #

    We recommend our shop owners move to SSL for the whole site, makes sense doesn’t it. It makes the customer feel more secure, it’s good for SEO … unless they are taking payments offsite eg paypal.

    • Nicole Kohler
      January 8, 2016 at 4:32 pm #

      It’s probably the easiest and best solution to simply get a certificate for the entire site — then you don’t have to worry about security at all. 🙂 That said, we did want to present as much information as possible regarding what you are “required” to do so store owners can make a decision themselves based on their own situations.

  5. Fibre
    January 14, 2016 at 7:54 pm #

    Great post, I might have missed it but how do you enforce https over http?

    Plenty of plugins but not all of them help and some seriously slow the site down.

    • jnz31
      January 14, 2016 at 8:00 pm #

      There is a setting in WooCommerce to enforce SSL during checkout. But if you change your blog URL to https, I’d say you can ignore that setting (at least this is what I did..) and are on the safe side.

      • Adam
        January 15, 2016 at 10:48 am #

        Yes, but HTTP is still accessible and Google will in theory see two versions of your website, http and https.

        • jnz31
          January 15, 2016 at 11:44 am #

          When I enter the URL explicitly with http I get redirected to https instantly.. but if you say so, what would be your setting to prevent http..?

        • jnz31
          January 15, 2016 at 1:25 pm #

          I now enforce SSL via .htaccess:
          # Send every plain-http request to its https twin. R=301 (permanent) rather than the
          # default 302, so search engines treat the https URL as canonical and drop the http copy.
          RewriteEngine On
          RewriteBase /
          RewriteCond %{HTTPS} !^on$
          RewriteRule (.*) https://www.example.com/$1 [R=301,L]
          # Standard WordPress front-controller rules
          RewriteRule ^index\.php$ - [L]
          RewriteCond %{REQUEST_FILENAME} !-f
          RewriteCond %{REQUEST_FILENAME} !-d
          RewriteRule . /index.php [L]
          Should be fine, or? Any downsides on this?
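
The question in this thread (is the http copy of the site really gone, and does the redirect keep deep links intact?) can be answered with a probe rather than by guessing. The script below is an added example written for this page, not code posted by anyone in the thread: it sends one plain-http request without following redirects and judges the response, passing only a permanent redirect to the same path and query on https. The URLs and responses in CONSTRUCTED_CASES are made up for the example; the probe function is the only part that touches the network, and the host www.example.com is a placeholder.

```python
"""Check that a store's plain-http URLs are redirected permanently to https.

Added example; standard library only. Run as:
    python https_redirect_check.py http://www.example.com/shop/
With no argument it evaluates a few constructed responses.
"""
import http.client
import sys
from urllib.parse import urljoin, urlsplit, urlunsplit

PERMANENT_REDIRECTS = {301, 308}
ANY_REDIRECT = {301, 302, 303, 307, 308}


def expected_https_url(http_url):
    """The https twin of an http URL: same host, path and query, scheme swapped."""
    p = urlsplit(http_url)
    return urlunsplit(("https", p.netloc, p.path or "/", p.query, ""))


def classify_redirect(requested_url, status, location):
    """Judge one response to an http:// request.

    Returns (ok, reason). ok is True only for a permanent redirect that keeps
    the path and query, so deep links keep working and search engines treat
    the https URL as the single canonical copy of the page.
    """
    if status == 200:
        return False, "page served over plain http; an http copy of the site stays reachable"
    if status not in ANY_REDIRECT:
        return False, f"unexpected status {status}"
    if not location:
        return False, "redirect without a Location header"
    # A relative Location is resolved against the requested (http) URL,
    # so it correctly fails the https check below.
    target = urlsplit(urljoin(requested_url, location))
    want = urlsplit(expected_https_url(requested_url))
    if target.scheme != "https":
        return False, f"redirects to a non-https URL: {location}"
    if (target.path or "/") != want.path or target.query != want.query:
        return False, f"redirects to a different page ({location}); deep links would not survive"
    if status not in PERMANENT_REDIRECTS:
        return False, f"temporary redirect ({status}); use 301 so the https URL becomes canonical"
    if target.netloc != want.netloc:
        return True, f"permanent redirect to https (host also canonicalised to {target.netloc})"
    return True, "permanent redirect to https"


def probe(http_url, timeout=5):
    """Make one real http request and classify the response (no redirects followed)."""
    p = urlsplit(http_url)
    conn = http.client.HTTPConnection(p.hostname, p.port or 80, timeout=timeout)
    try:
        conn.request("GET", urlunsplit(("", "", p.path or "/", p.query, "")))
        resp = conn.getresponse()
        return classify_redirect(http_url, resp.status, resp.getheader("Location"))
    finally:
        conn.close()


# Constructed responses (not captured from any real site) covering the cases
# raised in the thread: the plain-http copy, a temporary redirect, and a
# redirect that drops the requested page.
CONSTRUCTED_CASES = [
    ("http://www.example.com/cart/?add-to-cart=42", 301, "https://www.example.com/cart/?add-to-cart=42"),
    ("http://www.example.com/shop/", 302, "https://www.example.com/shop/"),
    ("http://www.example.com/shop/", 301, "https://www.example.com/"),
    ("http://www.example.com/", 200, None),
    ("http://example.com/shop/", 301, "https://www.example.com/shop/"),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        ok, reason = probe(sys.argv[1])
        print(("OK  " if ok else "FAIL"), sys.argv[1], "-", reason)
    else:
        for url, status, location in CONSTRUCTED_CASES:
            ok, reason = classify_redirect(url, status, location)
            print(("OK  " if ok else "FAIL"), url, status, "->", location, "-", reason)
```

Run it against a handful of real URLs after changing the rewrite rules: the home page, a product page, and a cart URL with a query string, since those are the ones a `(.*)` rule and a 301 have to carry over unchanged.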

  6. jnz31
    January 14, 2016 at 7:58 pm #

    I recently read an article that said that the next version of Firefox (44) will show a warning if a password is submitted in an insecure form, so this might be another good reason to go for SSL rather soon.

  7. Dietmar Hohn
    January 14, 2016 at 8:33 pm #

    Is there a problem with SEO when I decide to have the whole Webshop with https? I’m not sure and nobody can say yes or no until today. Any idea?

    • jnz31
      January 15, 2016 at 11:49 am #

      No problem. As mentioned in the article, Google will honor https above http. So if you have a certificate, there is no reason to just use it in a specific area of the website.. I’d use it for the whole website.

    • Nicole Kohler
      January 15, 2016 at 5:33 pm #

      Hey Dietmar, Google currently considers the use of https a “very lightweight ranking signal,” which means that, all other things being equal, a fully secure site would have a SLIGHT edge over a non-secure one as far as SEO is concerned.

      Having said that, I would urge you, because their stress is on “very lightweight” here, to think not of what matters with rankings and more of what matters for your site security and the safety of your customers and their data. 🙂

  8. Pascal Geuns
    January 14, 2016 at 9:13 pm #

    It’s nice to see an article about the importance of not only protecting payment pages with SSL, but also already using SSL on the checkout and login pages as part of the measures to secure customer data.

    It’s mentioned in the article that there are different types of SSL certificates with regard to the number of domain names they can secure, but that’s not the only difference, since SSL is not only about encryption!

    One has to differentiate between SSL certificates that only provide encryption, the so called Domain Validated (DV) certificate and those that also provide authentication, which are Organisation Validated (OV) and/or Extended Validation (EV) certificates.

    But why should you care about authentication?

    It all comes down to what one needs to do to get a DV, OV or EV certificate:

    – DV certificates are issued after a “simple” domain control validation, where you basically prove that you have access to the server which is running your shop.

    – OV & EV certificates are issued after you have passed the domain validation and have also provided verifiable documentation of your company; that documentation must also contain your company address and phone number so that a member of the validation team can check your data and perform a callback validation by phone.

    The end result is that DV certificates can be ordered by anybody that has access to a domain name, while OV & EV certificates require a verifiable person / company to obtain the certificate.

    This also means that customers that come to a web shop that use a DV certificate cannot authenticate who is behind the web shop, since the DV certificate only tells them that their data will be encrypted, but not to whom they are actually providing their data and who likes to give their personal data to a stranger?!

    On the other side, as a shop owner you could think, I have a customer base that trusts my web shop and I am secure with encrypting their data in transit. That’s fine, but if you then think how easy it is to get a DV certificate and how easy it is to “copy” a web shop’s look, then you know that your customers’ trust is vulnerable to an attack…

    Therefore the most important thing to consider is how much you value customer trust and how much risk you are willing to take…

    So once you have taken the decision to implement a fully validated SSL certificate on your web shop, I am sure you will find it is money well spent since you will gain customer trust and as a result more sales.

    • Nicole Kohler
      January 15, 2016 at 5:36 pm #

      Thanks for your input here Pascal, much appreciated!

  9. Vern L
    January 15, 2016 at 1:51 am #

    Last time i looked, I couldn’t find a certificate for less than $200. Where can I find one for $30-50??? Thanks in advance!

    • jnz31
      January 15, 2016 at 11:53 am #

      Depends on the type of certificate, as mentioned in the comment of Pascal Geuns. I just implemented an OV certificate (single domain) for 108€/yr. But if you need an EV certificate or a wildcard domain, the prices will go up (EV was at approx. 300€/yr). The DV certificate is even available for something like 20€/yr.

      • Pascal Geuns
        January 18, 2016 at 9:04 pm #

        You might want to take a look at our site, especially for our EV introductory price, which is less than half what you mentioned 😉

    • Nicole Kohler
      January 15, 2016 at 5:35 pm #

      Hey Vern, have a look with your host for starters. When I was doing some research I found that some popular shared hosts offered inexpensive certificates. The price goes up if you’re not on a shared host, if you don’t buy it from your host in a bundle, etc.

      And as mentioned, if you’re willing to do the legwork, you can always get it for free via Let’s Encrypt. Definitely recommend having a look. 🙂
