SSL for Small Business Owners
Google has begun penalizing unencrypted web sites in search results. Although a 1% penalty may not sound like a lot, it can mean the difference between being the last link on page 1, and the first link on page 2 of search results, and that difference can cost small business owners a lot of lost business. This started in 2014, and in the Chrome browser beginning on January 10, 2017, Google is adding visual penalties for data entry on unencrypted sites.
Most large website operators are somewhere on the road to implementing encryption using Secure Sockets Layer (SSL), also known as HTTPS, on their web sites, but many small web site operators see no need to go through the effort of converting to SSL. There are fundamentally four reasons to make the switch:
- HTTPS can help end users to identify a spoofing attack.
- HTTPS can help prevent man-in-the-middle attacks.
- HTTPS web sites will be favored in Google page ranks. This started in 2014.
- Unencrypted sites will start to get visual penalties in Chrome beginning on January 10, 2017, and eventually in search results.
While purchasing the SSL certificates needed to implement website encryption used to be quite expensive, a number of changes in the last year have made it possible to install free domain verification (DV) certificates that are sufficient for most small businesses. In most cases you can get most of this done with a call to your hosting firm and a call to your site designer.
What to Say to Your Hosting Firm
When you call technical support at your hosting firm, you should ask them to configure “AutoSSL” and a free domain verification certificate. If they do not have AutoSSL available, ask them when they plan to enable it. If they don’t have it and don’t have plans, find another hosting firm. In most cases, they will configure AutoSSL to use certificates from Comodo and sometimes from Let’s Encrypt. Either one is fine.
Your hosting firm may try to upsell you to get an organizational verification (OV) or enhanced verification (EV) certificate. From an encryption standpoint, DV, OV and EV certificates are essentially the same. OV and EV certificates display the name of the business in the URL bar of some browsers; compare the Bank of America web site to this website. That is what an EV certificate buys you, at a significant price. An OV certificate is in between, and only shows the ownership information if someone clicks on the certificate information. Only geeky people like me do that. Software development firms frequently get OV certificates as part of a package with code signing certificates, which require the expense of an organizational verification; these firms have to go through the OV process, and essentially get the OV web certificates as a byproduct of getting code-signing certificates. Most businesses only need a free DV certificate.
You may need to pay for a private IP address, which usually costs about $50/year. This has the added advantage that if another web site on your server (same IP address) gets compromised and starts sending spam email, your email domain will not be blacklisted just because you have the same IP address. The requirement for a private IP address is a technical restriction that will go away later this year but which hosting firms may not change as it gives them more money.
What to Say to Your Site Designer
Tell your site designer to configure your site to force traffic to use SSL. If your site runs Joomla, this is literally just checking a box. If your site runs WordPress, you will need to manually update your .htaccess file. This will take most site designers about 10 minutes, unless there is something unusual about your site, or it is on a hosting firm that runs something other than cPanel with WordPress or Joomla. If your site designer cannot do this, you should negotiate lower hourly rates or find a new designer.
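Once the designer reports the change is done, you can confirm that plain-HTTP visitors really are forced onto HTTPS. The script below is an added example, not part of the original article; the function names and the rule that a temporary redirect earns a warning are assumptions of this example.

```python
"""Check that plain-HTTP requests are redirected to HTTPS (added example)."""
import http.client
from urllib.parse import urlsplit

PERMANENT = {301, 308}
TEMPORARY = {302, 303, 307}


def classify_redirect(status, location, host):
    """Judge one response to `GET http://host/`; returns (verdict, detail)."""
    if status not in PERMANENT | TEMPORARY:
        return "FAIL", f"status {status}: page served over plain HTTP, no redirect"
    target = urlsplit(location or "")
    if target.scheme != "https":
        return "FAIL", f"redirects to {location!r}, which is not HTTPS"

    # Compare host names ignoring case and an optional leading "www."
    def strip(h):
        h = (h or "").lower()
        return h[4:] if h.startswith("www.") else h

    if strip(target.hostname) != strip(host):
        return "WARN", f"redirects to a different host: {target.hostname}"
    if status in TEMPORARY:
        # Assumption of this example: a forced-SSL setup should be permanent.
        return "WARN", f"HTTPS redirect is temporary ({status}); use 301"
    return "PASS", f"permanent redirect to {location}"


def check_site(host, timeout=10):
    """Fetch http://host/ without following redirects and classify the reply."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"User-Agent": "https-redirect-check"})
        resp = conn.getresponse()
        return classify_redirect(resp.status, resp.getheader("Location"), host)
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        verdict, detail = check_site(name)
        print(f"{name}: {verdict} - {detail}")
```

Run it with your own domain name as the argument; anything other than PASS is worth raising with your site designer.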
Do It Yourself
If you are fairly technical, you can do this yourself by following the instructions in Why and How to Set Up SSL/HTTPS on Your Web Site.