You have invested all your resources in getting that perfect domain name and the best hosting site! You have hired the finest website developers, graphic designers, and digital marketers. Of course, you have left no stone unturned to make that astonishing website. After all, you are an entrepreneur, brimming with zeal to run a successful online business. But what about that ugly ‘Not secure’ sign in front of your domain name? What a jinx! Even worse, when someone clicks on that ‘Not Secure’ sign, the browser shows a warning message.
If you are worried that such a warning can make your precious website visitors abandon your website, you are correct. They would feel uncomfortable surfing through your website, suspecting each page and each link. Sharing their private details on your website is out of the question. If eCommerce, paid subscriptions and paid memberships are your bread and butter, imagine how much damage such a pesky ‘not secure’ sign can cause.
Why am I seeing the ‘Not Secure’ sign in the address bar before my domain name?
The ‘Not secure’ sign indicates that the website is unencrypted. It means the information transferred between a user and the website (server) is in plain text. That makes it easier for hackers to read and interpret any transferred data once they manage to get access to it. An encrypted website means that all the transferred data is encoded with asymmetric keys using public key infrastructure (PKI).
In simple words, if someone has written a credit card number 1234-5678-91011, hackers can read it as 1234-5678-91011 if it is in plain text. If it is encrypted, it would be something like this: grjy4ve9n0plrq. So even if a hacker successfully attacks and gets access to the data, s/he can’t interpret it because it doesn’t make any sense unless s/he knows how to decrypt it.
How to interpret it, anyway? It requires a unique pair of private keys. When you encrypt the website, the private key is saved on your server. Nobody except the private key holder can decrypt the encrypted data, i.e. only you!
How can I encrypt my website and get rid of the ‘Not Secure’ sign in the address bar?
No, you don’t need to sit for hours and hours encrypting each line of code of your website. No, you don’t need to pay loads of $$$ to cybersecurity experts either. Breathe!
All you need to do is install an SSL (Secure Sockets Layer)/TLS (Transport Layer Security) certificate on your website, and it will do the whole job! It will:
- Remove the ‘Not Secure’ sign from the address bar.
- Encrypt the data with a 2048-bit signature and a 256-bit encryption key.
- Securely save the private key on your server so only you can decrypt the data.
- Display a padlock and HTTPS (in place of HTTP) in the address bar.
- Display the organization’s name in the address bar, if you have taken an Extended Validation (EV) SSL.
- Vet you against your credentials. This assures your clients that you are the organization you claim to be, so that they can protect themselves from phishing attacks.
- Indicate that you are sincerely concerned about your clients’ data security. Your website visitors will consider your business authentic and feel safe making transactions on your website.
- Provide a warranty (only paid SSL) that works like insurance in the event of encryption failure. Encryption failure is rare, but we are living in the era of ‘nothing is impossible,’ and hackers have taken that quote way too seriously!
- Offer site seals (only paid SSL), the visual indicator of an encrypted website, embedded on each encrypted page of your website. Site seals have a proven record of boosting customers’ trust when they are placed on checkout pages and other crucial web pages.
Bonus point: An encrypted website will boost your SEO efforts. Google announced in 2014 that it favors sites with an SSL certificate. If all other factors are the same, it will give a higher rank to an HTTPS site than to an HTTP one. Hence, an SSL certificate is one of the important ranking factors for Google’s algorithm.
How to get an SSL certificate?
Check whether your hosting provider offers a free or paid SSL certificate. If it is free, check the renewal charges. If it is paid, compare the prices with other SSL providers. Sometimes the price difference is mind-blowing. Make sure your hosting provider allows SSL certificates from third parties.
Another purchasing option is to buy an SSL certificate directly from a certificate authority’s (CA’s) website. Popular CAs are Sectigo (previously Comodo CA), Symantec, RapidSSL, GeoTrust, Thawte, GoDaddy, and IdenTrust. You can also buy an SSL certificate from authentic resellers such as SectigoStore.com, 101domain, ComodoSSLonline, ssltrust.com.au, CheapSSLsecurity, TheSSLstore, etc. Resellers can give you much better discounts. Do thorough market research before making a buying decision.
How much does an SSL certificate cost?
You would be surprised to know that something that serves so many crucial functions costs next to nothing! A basic single-domain, domain validated (DV) SSL certificate costs less than $10/year if you buy from certificate authorities such as Sectigo (previously Comodo) or RapidSSL. Of course, the price increases when you buy a higher range of certificates. The approximate starting rates are $30/year for Organization Validated (OV) SSL, $75/year for Extended Validation (EV) SSL, $70/year for Wildcard SSL (for subdomains), and $20/year for multi-domain SSL (for multiple domains).
Note: These are only approximate starting prices; they differ by certificate authority, vendor, and ongoing deals and coupons.
You can also get a free SSL certificate from non-profits such as ‘Let’s Encrypt’ if you can’t afford a paid one. Note that you will get only basic SSL, i.e., DV SSL (not OV or EV), there won’t be any technical support available, and no warranty or site seals are provided with free SSL.
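The DV, OV and EV levels mentioned above, and the renewal date, can be read from the certificate a site serves. The following is an added example, not part of the original article, using Python's standard `ssl` module; the classification is a heuristic based on subject fields, and the sample certificates and host names are constructed.

```python
import socket
import ssl

# EV-only subject fields; older OpenSSL builds report the raw OID instead.
EV_ONLY_FIELDS = {"businessCategory", "jurisdictionCountryName", "1.3.6.1.4.1.311.60.2.1.3"}

def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into a dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def validation_level(cert):
    """Heuristic: DV subjects carry no organization; EV adds registration data."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"
    return "EV" if EV_ONLY_FIELDS & fields.keys() else "OV"

def days_remaining(cert, now):
    """Whole days until notAfter; negative once the certificate has expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now) // 86400)

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live site's validated certificate (needs network access)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in getpeercert() format; not real certificates.
SAMPLE_DV = {
    "subject": ((("commonName", "shop.example"),),),
    "notAfter": "Mar  1 00:00:00 2030 GMT",
}
SAMPLE_EV = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "www.example.com"),),
    ),
    "notAfter": "Jan 15 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Jan  1 00:00:00 2030 GMT")  # fixed clock
    for cert in (SAMPLE_DV, SAMPLE_EV):
        print(validation_level(cert), days_remaining(cert, now))
```

For a live site, pass the result of `fetch_cert("your-domain")` and `time.time()` to the same functions.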
Is my website 100% secure after installing an SSL certificate?
An SSL certificate is one of the founding pillars of your users’ data protection. Once the data is encrypted, it is highly unlikely that anyone can decode it. If a hacker manages to crack it, you are covered by the warranty if you have a paid commercial SSL certificate. But there are many types of attacks that don’t involve data transmission encryption at all. XSS attacks, SQL injection, DDoS attacks, cross-site request forgery, etc. have nothing to do with an SSL certificate. You still have to employ other measures such as firewalls, security scans, anti-malware tools, vulnerability scans, etc., to get robust security. Some attacks are due to web visitors’ negligence, and you can’t do anything from your end to prevent them. Nevertheless, there is no alternative to an SSL certificate, and nothing can encrypt the data in transit better than an SSL certificate. It is the only thing that can remove the ‘Not secure’ sign and display a padlock sign and https in the address bar.