Should I get a security certificate?

October 2018: Short answer: Yes!

Long Answer:

What is a Security Certificate?

A security certificate is installed on the server that hosts your website. When installed and when your site is configured to use it, everything that is sent from the server (traffic) to a visitor’s web browser (page content, images, etc) is encrypted. And, traffic sent in the other direction (eg when a visitor has typed some information into a form on your website) is also encrypted.

These days it is not difficult for determined people (hackers etc) to intercept web traffic. However, if that traffic is encrypted, it becomes extremely difficult for them to decipher and use.

Therefore, a security certificate means that information you display on your website to a visitor (eg information about an order they have placed) and information a visitor enters into your website (eg their payment details) are safe* from hackers.

A security certificate has become a standard requirement for all websites that take online payments for some years.

(* well, nothing’s 100% of course but this is considered to be “close enough” for all normal business transactions)

January 2018:

We are often asked “Will my website rank better if I get a security certificate?

Google announced that having a security certificate (aka SSL or HTTPS) was to become a ranking factor in August 2014. They said: “we’re starting to use HTTPS as a ranking signal”. Many salespeople picked up on this and started selling security certificates to website owners to “help their site rank better”.

However, if they had read on, the very next sentence in Google’s announcement had said: “For now it’s only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content.” Google has said that they may increase the importance of security certificates in their ranking algorithms over time but, based on the latest analysis we have seen, there is at best only “a slight positive correlation between the https URL and rankings”.

In other words, our recommendation today (Jan 2018) is: don’t make the switch to HTTPS solely for SEO purposes. It’s a resource intensive process (to do properly) and there isn’t a strong correlation between the two.

Update: May 2018:

chrome not secureFrom July 2018 the Google Chrome web browser will, according to Google, “mark all HTTP sites as ‘not secure’” (a HTTP site is a site without a security certificate). To date, Google Chrome has only been marking HTTP pages that have a form on them as “not secure”. It seems that, from July onwards, all of your site’s pages, whether you have a form on them or not, will be marked as “not secure”.

As the Google Chrome browser is the most popular web browser, and as “not secure” is not a message that we would encourage anybody to broadcast about their website, our advice now is to have a security certificate installed and activated on ALL websites.

October 2018:

Well, Google Chrome did make the predicted change on about 31st July. And, it sparked a series of copycat changes from other browsers. Now other browsers are also marking all web pages as “not secure” even when there is no security risk to a website visitor.

Even though a security certificate may not be required from a technical/security perspective, we advise you to have a security certificate to avoid the perception issues that come from the “not secure” messages. A basic security certificate is sufficient for most websites (that do not sell products or services online) and can be acquired and set up for the equivalent of less than the cost of a cup of coffee each week. 🙂