What is SSL (the little padlock)?


SSL ("Secure Sockets Layer") is a protocol used to encrypt the communication between the user's browser and the web server. When SSL is active, a "little padlock" appears on the user's browser, usually in the status line at the bottom (at the top for Mac/Safari users).

This assures the user that sensitive data (such as credit card numbers) can't be viewed by anyone "sniffing" the network connection (which is an increasing risk as more people use wireless networking).

Common web site owner questions about SSL:

How do I get the little padlock on my site?

To get the little padlock, your site must have an SSL Certificate from a Certificate Authority. Once an SSL Certificate has been purchased and installed, it provides three things:

  • The ability to show a page in "Secure Mode", which encrypts the traffic between the browser and the server, as indicated by the "little padlock" on the user's browser.
  • A guarantee by the issuing Certificate Authority that the domain name the certificate was issued for is indeed owned by the specific company or individual named in the certificate (visible if the user clicks on the little padlock).
  • An assurance that the domain name the certificate was issued for is the domain name the user's browser is now on.

Once obtained, the certificate must be installed on the web server by your web host. Since your web host also has to generate an initial cypher key to obtain the certificate, very often they will offer to handle the process of obtaining the certificate for you.
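
The third point above, the check that the name in the certificate is the name the browser is on, can be sketched in code. This is an added example, not part of the original article: it uses constructed names under `.example`, accepts a wildcard only as the whole leftmost label (a simplifying assumption that mirrors common browser behaviour), and also covers the "wildcard" and "shared certificate" cases discussed further down the page.

```python
# Added example: simplified certificate-name matching (constructed names).

def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one name from a certificate covers hostname."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    # A name can only cover a host with the same number of labels,
    # so "*.shop.example" never covers "shop.example" or "a.b.shop.example".
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # Wildcard accepted only as the entire leftmost label, and only
        # when at least two fixed labels follow it (rejects "*.example").
        if len(cert_labels) < 3:
            return False
        return cert_labels[1:] == host_labels[1:]
    # Any other use of "*" (e.g. "w*.shop.example") is rejected here.
    if "*" in cert_name:
        return False
    return cert_labels == host_labels


def certificate_covers(cert_names, hostname):
    """True if any name listed in the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


# Constructed sample certificates (names only, no real sites).
SINGLE_SITE = ["www.shop.example"]
WILDCARD = ["*.shop.example", "shop.example"]
SHARED_HOST = ["secure.webhost.example"]   # the web host's shared certificate


def demo():
    """Map each sample certificate to the hosts it would be accepted for."""
    hosts = ["www.shop.example", "checkout.shop.example",
             "shop.example", "secure.webhost.example"]
    certs = {"single": SINGLE_SITE, "wildcard": WILDCARD, "shared": SHARED_HOST}
    return {label: [h for h in hosts if certificate_covers(names, h)]
            for label, names in certs.items()}


if __name__ == "__main__":
    for label, covered in demo().items():
        print(f"{label:9} covers {covered}")
```

The shared certificate is valid only for the host's own domain, which is why a site using one has to send the user to that domain for the secured page.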

    My web host has a "shared certificate" that I can use. Should I?

    It's still fairly common for small sites to use a shared certificate from the host. In this circumstance, when a page needs to be shown in secured mode, the user is actually sent to a domain owned by the web host, and then back to the originating domain afterwards.

    A few years ago, when SSL Certificates were quite expensive (around $400 per year), this was real attractive for new sites just getting their feet wet in e-commerce. Today, with a number of perfectly functional SSL certificates available for under $100 (exclusive of installation, etc.), it is a lot less attractive. Since your user can look at the address line of his or her web browser and see that the site asking for the credit card number is not the site he or she thought they were on, the cost savings is probably not worth the risk of scaring off a sale.

    What's the difference between the expensive SSL Certificates and the inexpensive ones?

    Usually, mostly price. Some expensive certificates have specific functions, like securing a number of different subdomains simultaneously (a "wildcard" certificate), but the effective differences between basic single site certificates are very slight, despite the wide range of prices:

    The encryption mechanism used by all of them is the same, and most use the same key length (which is an indicator of the strength of the encryption) common to most browsers (128 bit).

    Some of them ("chained root" certificates) are slightly more of a pain for your web host to install than others ("single root" certificates), but this is pretty much invisible to the site owner.

    The amount of actual checking on the ownership of the domain varies wildly between vendors, with some (usually the more expensive) wanting significant documentation (like a D&B number), and others handling it with an automated phone call ("press #123 if you've just ordered a certificate").

    Some of them offer massive monetary guarantees as to their security (we'll pay you oodles of dollars if someone cracks this code), but since it's all the same encryption mechanism, if someone comes up with a crack, all e-commerce sites will be scrambling, and the odds of that vendor actually having enough cash to pay all of its customers their oodle is probably slim.

    The fact is that you are buying the certificate to ensure the safety of the user's data, and to make the user confident that his or her data is secure. For the vast majority of users, simply having the little padlock show up is all they are looking for. There are exceptions (I have a client in the bank software business, and they feel that their customers (bank officers) are looking for a specific premier name on the SSL certificate, so are happy to continue using the expensive one), but most e-commerce customers do not pick their sellers based on who issued their SSL Certificates.

    My advice is to buy the cheaper one.

    I have an SSL certificate -- why shouldn't I serve all my pages in "Secured" mode?

    Because SSL has an overhead -- more data is sent with a page that is encrypted than a page that isn't. This translates to your site appearing to run slower, particularly for users who are on dial-up or other slow connections. Since this also increases the total amount of data transferred by your site, if your web host charges by transfer volume (or has an overage fee, as most do), this can increase the size of your monthly hosting bill.

    The server should go into secure mode when asking a user for financial or other sensitive data (which may well be "name, address and phone number", with today's risk of identity theft), and operate in normal mode otherwise.

