It’s Sunday, February 25, 2018 in Austin, Texas

Wondering About https and SSL Certificates?

Here's a blog to help clarify things

A woman holding a secure symbolAs follow-up to my blog on stock photography I'd like to share a list of favorite photographers on Dreamstime: Everything else is just someone elses logo (like Verisign) and in our opinion really doesn't have much value. It's not something the majority of sites have or that people look for.

Many of our customers use Hostgator and an SSL Certificate with their Hostgator business level account.  If you are customer you can get a 'secure' graphic from them to place on your site.  We're sure most major hosting companies offer something similar. But it is tied to the specific domain name and not the IP address, so the https:// prefix can't be used for checkout portion until the site is live and using your domain name.  So you won't see the graphic or https during the design stage of your site.

That is why IMHO, all the other stuff is kind of worthless -- either the data is encrypted with SSL Certificate, or it isn't. That is what online buyers look for.

Verisign was one of the first SSL issuers, but they were ridiculously expensive. Functionally there is no difference between the encryption level of a Verisign or say a GoDaddy Certificate. It's really only different in  name. The validation required and difficulty of the process that you must complete to obtain the different level certificates may vary, but the encryption provided is the generally the same. Higher validation levels means the SSL issuing company has gone to greater lengths to determine the identity of the party requesting the certificate. For many small businesses the higher level of validation is actually cumbersome as some require you to fax in articles of incorporation, etc. Proving you "control" a domain by responding to an email is the lowest level of validation. Most people could care less about a "Verisign" logo -- it really means nothing much other than perhaps that you've overpaid for your SSL certificate. Maybe in the early days of the web it had some special cachet, but probably not now.

The only thing that really matters is if the page uses https:// in the prefix, which triggers the display of a lock on people's browsers (actually on the browser itself)  -- that lock image's location depends on the different browser, some display in the status bar at the bottom, and some display it near the URL at the top.

NOTE -- for technical and encryption related server overhead reasons, sites don't serve up all pages via https://, the protocol is generally only used on login pages, or pages where personal data is collected or displayed. Your front page wouldn't (and shouldn't) use https://