What is a secure certificate (aka SSL) and why is it necessary?

Your web hosting provider may be keen to sell you a certificate, perhaps at an annual cost of £50. You do need one, but most small and medium businesses don’t need a commercial one: the free alternative is good enough.

You may be told a commercial certificate is necessary if you are running an ecommerce site. That’s unlikely to be the case either: you are most likely to use a PSP (Payment Service Provider) such as PayPal, SagePay or WorldPay to handle online payments. When it comes to taking the payment the user is transferred to the PSP’s web site, which will probably have EV certification (see below).

If your website collects “personal data”, the GDPR requires you to keep it confidential, and that may constitute a reason for holding a commercial certificate. It’s complicated; see the GDPR section below for more information.

So do I need SSL if I’m not taking payments or collecting personal information?

Yes!

The primary benefit of SSL is that communications between a web user and the web site they are accessing are encrypted. It has become essential to use SSL because web browsers and security software are likely to flag an “insecure” alert for sites without a certificate. That can scare people away from visiting the site. Browsers may also show a symbol, often a locked padlock icon, to indicate that a site is secure.
The other benefit for a web site owner is that Google gives priority to secure sites in search results.

These are the four levels of validation most commonly used:

Self-signed. The purpose of these certificates is to secure traffic on an internal corporate network without the browser repeatedly complaining about unsecured web locations. Note that the browser only stops complaining once the self-signed certificate (or the internal authority that issued it) has been installed in the trust store of each company device; to an outside visitor, a self-signed certificate produces the same warning as no certificate at all. As these are essentially DIY, there is no cost (except a technician’s time).

Domain Validation (DV). A Domain Validated SSL certificate confirms that the web pages are coming from the expected domain. These can cost anything from zero upwards, and the benefits of paid DV certificates are far from clear. Most web hosts provide “Let’s Encrypt” DV certificates free; Let’s Encrypt is sponsored by a number of well known IT companies (such as IBM, Amazon and Cisco) as part of their social responsibility, with the aim of making the internet safer. Hosts that don’t offer Let’s Encrypt typically charge around £50 p.a. for a commercial alternative. If a host doesn’t offer free Let’s Encrypt it’s possible to obtain and install your own Let’s Encrypt certificate, but it needs renewing manually, ideally every 2 months (the certificates are only valid for 90 days). That is a technical task taking about 10 minutes. A better alternative is to avoid hosting companies that don’t provide Let’s Encrypt; those that do also automate the renewal process.

Organization Validated (OV). Company credentials and those of the named owners are (or should be) checked against databases like, in the UK, Companies House. Businesses that collect a lot of information through forms on the web site may need to consider this, but as with financial data (see below), if sensitive personal data is being collected it may be better to use an intermediary.

Extended Validation (EV). A fully authenticated certificate. This is costly and takes a while to set up, with loads of paperwork to prove your credentials; only large organisations need apply. It is especially important for those handling financial transactions or services dealing with confidential personal data. Most small and medium businesses who need to process financial transactions will use an intermediary who will have this level of certificate.

You may see reference to “wildcard certificates”. A certificate normally covers a single host name like example.co.uk, but the domain can have subdomains like the very common www.example.co.uk or maybe shop.example.co.uk, and it’s possible to have completely separate web sites under each of those names. A wildcard certificate (issued for *.example.co.uk) covers any of those subdomains. Two details are worth knowing: the bare domain example.co.uk has to be listed on the certificate as well, because the wildcard does not match it, and a wildcard only covers one level, so deep.shop.example.co.uk would need its own entry.
It’s common for webmasters to make example.co.uk automatically redirect to www.example.co.uk (or sometimes the other way round). In that case, strictly speaking there’s no need for a wildcard, but using Let’s Encrypt there’s no additional cost, so there’s no reason not to do it. The one practical difference is that Let’s Encrypt only issues wildcards after a DNS-based ownership check, which your host may or may not automate.
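As an added illustration of the self-signed and wildcard points above (example code written for this page, not from the original article or any hosting provider), the Go program below uses only the standard library to generate a self-signed certificate for the placeholder names example.co.uk and *.example.co.uk, checks which host names it covers under browser matching rules, shows that a client only accepts it once the certificate is in that device's trust store, and computes the days-to-expiry figure a renewal job would check. The names, the 90-day lifetime and the 30-day renewal margin are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeSelfSigned builds a self-signed certificate for the given host names,
// valid for validFor from now. This is the kind of certificate a technician
// would generate for an internal server; nothing here talks to a public CA.
func makeSelfSigned(names []string, now time.Time, validFor time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: names[0]},
		DNSNames:              names, // browsers match host names against this list, not the CN
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(validFor),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // a self-signed certificate is its own (and only) trust anchor
	}
	// Signing the template with its own key is what makes it "self-signed".
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// coversHost applies the same name-matching rules a browser uses:
// *.example.co.uk matches www.example.co.uk but not example.co.uk itself
// and not deep.shop.example.co.uk (a wildcard covers exactly one label).
func coversHost(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// trustedFor reports whether a client that trusts only the certificates in
// roots would accept cert for host. An empty pool stands in for a visitor's
// browser that has never had the self-signed certificate installed.
func trustedFor(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// daysLeft is the number a renewal job checks: whole days until expiry.
func daysLeft(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

func main() {
	now := time.Now().Truncate(time.Second) // X.509 dates carry whole seconds
	// Constructed names; example.co.uk stands in for any real domain.
	cert, err := makeSelfSigned([]string{"example.co.uk", "*.example.co.uk"}, now, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, h := range []string{"example.co.uk", "www.example.co.uk", "shop.example.co.uk", "deep.shop.example.co.uk"} {
		fmt.Printf("%-26s covered by certificate: %v\n", h, coversHost(cert, h))
	}

	// A visitor's browser with no knowledge of this certificate rejects it ...
	fmt.Println("trusted by an ordinary browser:", trustedFor(cert, x509.NewCertPool(), "www.example.co.uk"))
	// ... and only accepts it once the certificate is in its trust store.
	companyDevices := x509.NewCertPool()
	companyDevices.AddCert(cert)
	fmt.Println("trusted by a device that installed it:", trustedFor(cert, companyDevices, "www.example.co.uk"))

	// Let's Encrypt certificates last 90 days; renewing with 30 days to spare
	// is the usual convention, so a renewal job would act when this is true.
	left := daysLeft(cert, now)
	fmt.Printf("days until expiry: %d, renewal due: %v\n", left, left < 30)
}
```

Run it with `go run` and compare the two trust lines: the certificate is identical in both cases, and the only thing that changes is whose trust store it sits in. The same `daysLeft` check applied to a host's Let's Encrypt certificate is what the automated renewal your host provides is doing on your behalf.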

Commercial certificate annual costs range significantly between providers but very broadly speaking: DV $tens, OV $hundreds, EV up to $thousands.

How reliable are the certificates? There can be problems; the worst case is that a certificate issuing authority gets compromised and certificates are issued for questionable domains without the proper checks. To mitigate that risk certificates need regular renewal, and it’s also possible to revoke certificates. Browsers now also expect every publicly trusted certificate to be recorded in public Certificate Transparency logs, which lets a domain owner watch for certificates issued in their name without their knowledge. From an end-user perspective the certificate does give improved security of data in transit over the internet, but not necessarily over what happens to it at the destination web server; the renewal and revocation capabilities go some way to mitigating that risk.

Does SSL make sites slower? The strictly accurate answer is yes, because there is a processor overhead in encrypting and decrypting the traffic. In practice the overhead is tiny and does not constitute grounds for not having a certificate; browsers also only use the faster HTTP/2 protocol over HTTPS, so a secure site is often quicker in practice.

Other problems: a web page may incorporate some element which is considered insecure, and the browser will issue an alert along the lines of “page contains mixed content”. It usually means that something on the page (an image, script, stylesheet or embedded frame) is being fetched over plain http://, often from another domain. This can be tricky to spot; the browser’s developer-tools console lists each offending resource, but you may need technical assistance.
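To show what “mixed content” actually looks like in a page, here is an added example (written for this page, not from the article) in Go that scans a page’s HTML source for elements the browser would fetch over plain http://. The sample page, its domains and its URLs are constructed for the example; the scanner is a text heuristic for a first look, and the browser console remains the authoritative list.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Elements whose src/href/data attribute the browser fetches while building
// the page. An http:// URL in one of these on an https:// page is mixed
// content. <a href="http://..."> is only a link the user may click, so it is
// deliberately not in this list.
var fetchTagRe = regexp.MustCompile(`(?i)<(?:img|script|iframe|link|audio|video|source|object|embed)\b[^>]*>`)

// The attribute name must be preceded by whitespace so that data-src="..."
// is not mistaken for src="...".
var httpAttrRe = regexp.MustCompile(`(?i)\s(?:src|href|data)\s*=\s*["']?(http://[^"'\s>]+)`)

// <link> only fetches something for these rel values; rel="canonical" and
// similar metadata links must not be reported.
var linkFetchRelRe = regexp.MustCompile(`(?i)\srel\s*=\s*["']?[^"'>]*(?:stylesheet|icon|preload|prefetch|manifest)`)

// MixedContent is one insecure include found in a page.
type MixedContent struct {
	Tag string // the element as written in the page
	URL string // the plain-http URL it would fetch
}

// findMixedContent returns every element in html that would load a resource
// over plain http. It is a text heuristic rather than a full HTML parser:
// good enough for a first look at a page source.
func findMixedContent(html string) []MixedContent {
	var found []MixedContent
	for _, tag := range fetchTagRe.FindAllString(html, -1) {
		if strings.HasPrefix(strings.ToLower(tag), "<link") && !linkFetchRelRe.MatchString(tag) {
			continue // a <link> that is metadata, not a fetched resource
		}
		if m := httpAttrRe.FindStringSubmatch(tag); m != nil {
			found = append(found, MixedContent{Tag: tag, URL: m[1]})
		}
	}
	return found
}

// samplePage is a constructed https:// page source (not from the article)
// with two insecure includes and two http:// references that are harmless.
const samplePage = `<!doctype html>
<html><head>
<link rel="stylesheet" href="https://cdn.example.co.uk/site.css">
<link rel="canonical" href="http://www.example.co.uk/">
<script src="http://widgets.example.net/chat.js"></script>
</head><body>
<img src="https://www.example.co.uk/logo.png">
<img alt="map" src="http://maps.example.org/tile.png">
<p>Read <a href="http://www.example.co.uk/old-page">our old page</a>.</p>
</body></html>`

func main() {
	found := findMixedContent(samplePage)
	fmt.Printf("%d mixed-content resource(s) found\n", len(found))
	for _, f := range found {
		fmt.Printf("  %s\n    in %s\n", f.URL, f.Tag)
	}
}
```

On the sample page the script and the map tile are reported, while the canonical link and the ordinary hyperlink are not, which is the distinction a “mixed content” warning is making: the fix is to change each reported URL to https:// (or to a copy of the resource hosted on your own secure site), not to remove links.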

GDPR
Under the UK General Data Protection Regulation there is a requirement to keep “personal data” confidential. That raises the question: what is personal data?

In brief: can the information you collect help identify an individual person? If so, does it relate to that individual?

My interpretation of that is that it’s OK to collect basic contact details; it’s that second clause that is hard to interpret. Surely a phone number, email or postal address “relates to the individual”, but few of us would regard that as necessarily “confidential”; if it were, why would phone books exist? Most of us want our friends to be able to find our address.

For an authoritative answer see the government website. In this context I take “relates to the individual” to mean information about the person that they may not wish to be available to a wider audience. The obvious categories are medical, financial and criminal. A web form requesting contact details, age range and income range could be used to construct a list of aged wealthy persons who could become targets for marketing “retirement villages” – but anyone wanting to do that will have little difficulty collecting that information; indeed, for that example it would be most cost-effective to simply target places where property prices are high.

As a business owner the issue is wider than just the internet. Storing “personal data” off-line, even in hard copy, is a potential breach of GDPR; however, digital and especially online data is easier for a third party to access than a paper document in a locked filing cabinet. My advice is simple: don’t ask for or store data you don’t need. This is most significant in respect of forms on web pages – keep them short and don’t ask for information you don’t need. That’s good advice irrespective of GDPR: the likelihood of a web-site visitor completing a form is in inverse proportion to the difficulty of completing it.