A key part of ensuring Website Security is to use SSL Certification.
The SSL certification process for websites started in 2014 with the Google initiative, “HTTPS Everywhere”. They awarded a higher ranking to websites with the https prefix and webmasters scurried to enable SSL certification on their websites. Websites began to flag https websites as not secure, which gave a boost to SSl certification.
Since the move to remote access and e-commerce over the last two years or so, there has been a quantum increase in the number and ferocity of malware and malware attacks. Website owners and hosts need to ramp up their Website Security to counter attacks.
Users are particularly concerned about phishing exploits taking them to fake websites, particularly sites where they enter personal banking information, and other sites that potentially download malware to infect their PCs. Again Website Security is needed to reassure them that their data is safe.
The industry-standard Secure Sockets Layer (“SSL”) technology uses encrypted connections and site-based certificates. You notice SSL because it is usually https:// not http:// in the website URL, and a small padlock appears somewhere on the browser screen.
SSL certification is now standard, and almost compulsory, all websites need a certificate. If you use SEO, then encryption is compulsory for SEO to work.
To ensure that the encryption and authentication information has not been compromised, a copy is held by a third party, a certified certificate authority (“CCA”). The CCA digitally signs the website certificate as being authentic.
When a user connects to the website, the user browser compares the website certificate with the CCA copy. Any differences, and progress to the site is blocked, or the user can ignore the error and carry on anyway. One common error is for the certificate to have expired.
In a large organisation with multiple websites, often as subdomains of a root main domain, managing individual certificates for each website can be complex. If a certificate lapses and potential users and clients can’t access the site, it could result at best in customer dissatisfaction, and at worst, a lost sale.
A wildcard certificate gets around the management issue by providing certificates for all first-level subdomains under a root domain in a single certificate. For example, if the root domain is acme.com, a wildcard certificate will provide certificates for all sites like *.acme.com. A multi-domain wildcard can provide certificates for all subdomains of a root domain. That covers subdomains of all sites like *.acme.com, for example, blogmail.mailserver.acme.com.
As creating a certificate usually attracts a fee this can be a considerable saving. However, there are ways around this.
Before leaping into free certificates, there are limitations you must be aware of.
- Free SSL Certificates only provide a secure connection. They don’t validate the identity of the website owner.
- They are much better for small and medium-sized websites. Larger organisations and high-availability sites are much more likely to need business or extended validation certificates.
- Inferior support. Because it is free, support levels are lower. If you have a problem, don’t expect an immediate response.
- Usage Limitations. Free certificate providers may have usage limitations. For example, free certificates supplied by Amazon are not available or valid in some jurisdictions. You may not be able to install the certificate on service providers who don’t use Amazon services.
A second issue is you may be forced to use other services provided by the free certificate provider. If these are not free, or you don’t need them, then the free certificate isn’t free.
The first, and best way is to use a managed service provider to host your website domain and sub-domains. They usually offer website hosting plans which include wildcard SSL certification.
That hands over SLL certificate management to a third party and removes it from your worry list. YOU can also be sure that you have a properly configured and registered certificate.
If you are hosting your own website, there are other options, but be aware that most are only free for a limited period, usually 90 days.
Free certificates are provided by Let’s Encrypt, Cloudflare, Amazon, and some other providers like FreeSSL.tech have cPanel and WordPress plugins that support the certification process. However, remember that there is no such thing as a free lunch.