The process of switching from HTTP to HTTPS might be confusing and frustrating for many, simply because it’s something most of us don’t do every day. However, when you know what to expect and how to handle it, everything becomes easier. So, if you’re considering to buy a SSL certificate and switch from HTTP to HTTPS in the near future, keep reading and learn about the different types of certificates, the best SSL stores, and the considerations you need to make in connection to the switch.
Do I Need a SSL Certificate?
SSL (Security Socket Layer) is what’s used to switch from HTTP to HTTPS. HTTPS stays for Hyper Text Transfer Protocol Secure and is the encrypted version of HTTP, Hyper Text Transfer Protocol. Security of this type is necessary when sites accept payments or handle sensitive (personal) information, as the insecure HTTP provides hackers with the opportunity to easily steal credit card information or personal data. This is the reason why (almost) all login pages and payment portals are secured.
The rest of the web doesn’t, per say, need that kind of protection, as what information can be stolen is pretty scarce and rarely personalized (possible to use for cybercrimes). However, the tendency is that more and more sites install site-wide SSL certificates, including content driven sites and small personal blogs.
The reason is that Google announced back in 2014 that they’ve started to use HTTPS as a small ranking factor that might in time be given more weight. Google tries this way to encourage webmasters around the world to install SSL certificates on their sites in order to keep site visitors safe.
Therefore, unlike before when speed-concerns resulted in keeping SSL to a minimum, the trend today is to switch from HTTP to HTTPS, not only on pages gathering sensitive data but site-wide.
If you still aren’t sure, whether it’s a good idea for you to switch to HTTPS, here’re the most prominent SSL-related considerations:
- Installing a SSL certificate will likely boost your rank in search a bit, but not overwhelmingly a lot. If you’re considering to switch to HTTPS only to get a SEO boost, it might not be the best solution. The boost will likely be eaten up by slow load times.
- Installing SSL on your site makes it a bit slower (or a lot, depending on how well it’s optimized) due to the additional data exchange. If your pages are slow to begin with, you might want to consider the risk of drop in rank due to even slower loading times before making a decision. Loading times aren’t only a ranking signal. They’re one of the most common reasons behind high bounce rates as well.
- SSL can cost a lot, especially if you run a small-profit site or personal blog. Do you have the budget for it?
- Saving on SSL can be dangerous. Buy SSL certificates only from established brands, such as Comodo, GeoTrust, Symantec or similar. Otherwise you risk to have browsers showing your certificate as not trusted!
- If you deliver content via a CDN, you might experience difficulties in connection to making the SSL work seamlessly. Most CDNs today support a custom SSL certificate but some make you pay for a high-cost premium plan in order to use this function. However, as long as you don’t have an OV or EV certificate (see the section about types of certificates), you can use the bulk SSL certificate CDNs usually offer for free without a problem.
- Some web applications still don’t support HTTPS and this creates problems when, for example, you display third-party’s content, such as ads or streaming, on your pages.
- Not all SSL certificates are supported by all browsers and especially mobile browsers! Be careful to not buy something that won’t work on most of them! Usually, you can see browser support in the detailed descriptions of certificates.
- SSL certificates can only be installed on your server, as long as your hosting provider allows for this and you have administrative rights for the hosting account/domain. If running a free blog on a platform as WordPress.com, you cannot use HTTPS.
- You’ll need to go in and do some tweaking when ready with the install. It’s not difficult but might still seem scary for inexperienced users.
- You’ll need to change your URL in your social media profiles, analytics software, webmaster tools, etc.
Types of SSL Certificates
When you want to switch from HTTP to HTTPS, you find out quickly that there are many different types of certificates and even more certificate providers with an ocean of prices. So, what should you choose?
No matter exactly how the certificates are named, there’re several basic types:
- Domain Validation (DV). Domain validation means that a certifying authority confirms that the domain is registered and someone with admin rights has signed the certificate request. It can be used to secure a single domain or subdomain (for example, mysecuresite.com or secure.mysite.com). This is a type of SSL certificate well suited to protect small and personal sites. It allows you to keep you Domain Privacy and doesn’t require any paperwork. It’s the cheapest type. It can also be used by organization, where consumer trust isn’t an issue.
- Organizational Validation (OV). This type of SSL certificate includes not only a confirmation of the domain but also registration of organizational information, such as address and contact details. It can be used to secure a single domain or subdomain (for example, mysecuresite.com or secure.mysite.com). It’s great for companies that seek to establish a trusting relationship with existing and new customers. It’s not compatible with Domain Privacy, as it shows the protected contact data directly via the padlock in the browser’s address bar.
- Extended Validation (EV). Extended validation is the highest level of organizational validation and requires paperwork and extensive check of your company. It’s the only type of SSL certificate that turns the address bar of browsers green (if you need that as an extreme reassurance for your customers). It can be used to secure a single domain or a subdomain (for example, mysecuresite.com or secure.mysite.com). Usually it’s only banks or similar organization dealing with very sensitive data that must have that kind of validation. EV certificates are also extremely expensive.
- Multidomain certificates (DV, OV, EV). This type can be used to secure multiple different domains and subdomains (often there’s a limit to how many) on a single server. Price and validation level varies, according to the certificate type you choose.
- Wildcard (DV, OV, EV). Wildcard certificates can be used to secure unlimited number of subdomains. Price and validation level varies.
Certificates come with 128-256-bit encryption and you should always go for 256 bit (or higher if available). 256-bit encryption is available for all types of SSL certificates and there’s therefore no difference in the actual level of data encryption you get by choosing a certain type of certificate. There’re, though, still certificates with 128-bit encryption, even expensive ones, so check what kind you’re buying!
Beyond that, the only difference between DV, OV, and EV certificates is in the level of reassurance you provide site visitors with (it’s though still arbitrary, whether site visitors really will judge your organization based on your SSL certificate rather than reviews, recommendations, experience, etc.).
Conclusion: provide security at a reasonable price, without overpaying for something that you may or may not benefit from. You can, of course, experiment – if you have the budget for such experiments. A basic DV SSL certificate will provide your site visitors with the same level of security as the expensive EV SSL certificates.
Where to Get a SSL Certificate?
There’re many sellers and resellers, including most hosting providers. Some hosting providers offer discount coupons when buying SSL certificates through them. Normally, I’d warn against discounts, because they can be misleading and you might end up unpleasantly surprised, when the renewal bill is served to you. However, installing an SSL certificate is so easy that there’s no reason to not buy a completely new certificate when time for renewal comes – and potentially save a lot.
Some of the SSL stores, you can choose among, are (prices are given as seen in writing hour):
- eNom – very low pricing but you can expect tax of around 20 % to be added to the value of your purchase. Still great prices. A small site owner can get a Comodo Essential SSL certificate (DV) for as low as 12,95 USD/year. Symantec SSL pricing starts from 399 USD/year. GeoTrust Rapid SSL can be obtained for as low as 12.95/year.
- NameCheap – gives you the opportunity to choose between Comodo, GeoTrust, Thawte, and Symantec certificates. Comodo Essential SSL costs 29 UDS/year, GeoTrust starts at 10.95 USD/year for RapidSSL, and Symantec certificates start at 285.88 USD/year.
- Cheap SSL Shop – offers Comodo, RapidSSL, GeoTrust, Thawte, GlobalSign, and Symantec certificates. Offer prices for Comodo Positive SSL DV start at 4.95 USD/year, if you purchase it for 3 years at a time. Normal price of the same certificate is indicated to be 16.67-20.00 USD/year, depending on the period you buy it for. RapidSSL starts at 6.33 USD/year for 3-year certificates. GeoTrust prices start at 35 USD/year for 3-year purchases. Symantec certificates can be purchased for as low as 249 USD/year when you get a 3-year certificate. *
- ClickSSL – you can find Comodo, RapidSSL, GeoTrust, Thawte, and Symantec certificates. Comodo certificates start at 12 USD/year for 3-year purchases (offer price for Comodo Positive SSL, normal price is 16 USD/year for 3 years). RapidSSL starts at 12.95 USD/year, when you purchase it for 3 years. GeoTrust prices begin at 65 USD/year for 3-year purchases. Symantec is priced at 274 USD/year for 3-year purchases. *
- Comodo SSL – has the advantage of it being Comodo’s own SSL store. Prices and certificate options are not as great, though. You can get pretty hot initial discount, only to find out that the renewal price is up to 3 times higher than what you can get other places. Comodo SSL (a level higher than Essential SSL, still DV) is the cheapest option and costs 99.95 USD/year.
- Comodo SSL Store – it offers Comodo SSL certificates at low prices. The site looks a bit untrustworthy as it displays some pretty boosted RRP making you believe that you’ve saved more than you’ve actually saved. It seems that you can keep the low price also with a renewal but this isn’t clearly stated. Comodo Positive SSL (DV) costs as low as 7.45 USD/year, if you buy it for a period of 3 years. Comodo Essential SSL costs 24.67 USD/year, when you purchase it for 3 years.
- GeoTrust – The official site of GeoTrust offers certificates (QuickSSL Premium as the cheapest option) starting at 149 USD/year.
- Symantec – Symantec SSL certificates are generally very expensive, starting on Symantec’s website at 399 USD/year for single site DV.
Considerations When Installing SSL
While the installation of a SSL certificate is usually a pretty straightforward and quick process (you can find a SSL installation guide for cPanel here), there’re a few things you must do, after the switch from HTTP to HTTPS has gone through.
Firstly, you must check all your pages and applications and make sure that they’re all functioning properly.
Secondly, you must redirect permanently all your HTTP pages to the HTTPS versions using 301 redirects. This is necessary, not only in order to make sure that site visitors always end up on secure pages, even when clicking on old links or requesting a HTTP page. It’s also a must because you otherwise risk that internal linking won’t work properly anymore.
If you serve third-party ads, you should inform your partners about the change in order for them to provide you with proper content.
If you use a CDN or a similar service, you’ll in most cases need to change your settings in order to avoid SSL-misconfiguration.
Even more importantly, you must change the site’s URL (http:// to https://) in WordPress Admin panel (Settings->General, WordPress and Site Address), on all social media platforms, advertising platforms, in analytics software, and similar.
Last but not least, remember to register your HTTPS version of the site in Google Search Console and any other webmaster tools you’re using.