By Sunny Golovine

Updated May 20, 2020

Ultimate Guide to HTTPS and SSL Certificates

In today's world of privacy concerns and data breaches, it's good practice to secure your site with an SSL certificate

So what is HTTPS? And what are SSL Certificates?

So up until this point I’ve been referring to SSL Certificates and HTTPS as different things, and technically they are, but one is a means to the other. First off, let’s unpack what HTTPS is. HTTP stands for the Hypertext Transfer Protocol, and it’s the method by which websites get delivered to your computer; the S in HTTPS simply stands for secured. Whenever you connect to a website, if the address starts with http://, the data transferred between the website and your browser is unsecured and can be read by anyone. On the flip side, if you are accessing a website with https:// before the address, the site is secured with HTTPS and all the data being transferred is encrypted and cannot be read by anyone but yourself and the website you are interacting with.

So why do I need it?

Notice how I mentioned in the previous section that data transferred over HTTP could be read by anyone? Let us take a small detour and go back 10 years to the year 2010. In 2010 most major websites either didn’t offer HTTPS or had it but didn’t enforce it (i.e., redirect to it). This all came to a head in 2010 when an application called Firesheep was released. This application exploited the HTTP loophole of sending unsecured data and let you “hijack” people’s sessions. (I should clarify here that the application was not meant to be malicious; rather, it was released by someone in the security community as a way to light a fire under the rear of every web developer and force them to secure their websites.) So if you were sitting at a Starbucks browsing Facebook or looking at your email over an HTTP connection, someone could hijack your session and instantly be logged in with your credentials on their computer.

The craziest part about all of this is it freaking worked! I remember testing it with a few friends at work and I still remember the feeling of my jaw hitting the floor when it worked like a charm. Needless to say, we updated our site to HTTPS that day and so did every other website on the internet. And since then any site that doesn’t default to HTTPS will be shunned by search engines and web browsers.
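The difference between a site that merely offers HTTPS and one that enforces it can be checked from its response headers. The sketch below is an added example, not code from the original article; it goes beyond the text by also checking the cookie `Secure` attribute and the `Strict-Transport-Security` header, and the function names and sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def headers_named(headers, name):
    return [v for k, v in headers if k.lower() == name.lower()]

def cookie_attrs(set_cookie):
    # "sid=abc; Path=/; Secure" -> ("sid", {"path", "secure"})
    first, *rest = set_cookie.split(";")
    name = first.split("=", 1)[0].strip()
    return name, {p.split("=", 1)[0].strip().lower() for p in rest}

def hsts_max_age(headers):
    for value in headers_named(headers, "Strict-Transport-Security"):
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age" and val.strip('"').isdigit():
                return int(val.strip('"'))
    return 0

def audit(http_resp, https_resp):
    """Each response is (status, [(header, value), ...]). Returns findings."""
    findings = []
    status, headers = http_resp
    location = (headers_named(headers, "Location") or [""])[0]
    # Enforcing HTTPS means the plain-HTTP URL redirects to an https:// URL.
    if status not in REDIRECTS or urlsplit(location).scheme != "https":
        findings.append("http-not-redirected")
    for raw in headers_named(headers, "Set-Cookie"):
        findings.append("cookie-set-over-http:" + cookie_attrs(raw)[0])
    _, headers = https_resp
    # Without Secure, the browser also sends the cookie on plain-HTTP requests.
    for raw in headers_named(headers, "Set-Cookie"):
        name, attrs = cookie_attrs(raw)
        if "secure" not in attrs:
            findings.append("cookie-without-secure:" + name)
    if hsts_max_age(headers) <= 0:
        findings.append("no-hsts")
    return findings

# Constructed sample responses (not captured from any real site).
OFFERS_ONLY = ((200, [("Set-Cookie", "sid=abc123; Path=/")]),
               (200, [("Set-Cookie", "sid=abc123; Path=/; HttpOnly")]))
ENFORCED = ((301, [("Location", "https://example.test/")]),
            (200, [("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
                   ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]))

if __name__ == "__main__":
    print(audit(*OFFERS_ONLY))
    print(audit(*ENFORCED))
```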

Great so where do I get it? And how much is it going to cost?

First off, how much is it going to cost: Nothing. While there are plenty of paid SSL certificate providers out there, they are for specific use cases and you probably don’t need one. When it comes to SSL certificates I will only recommend one provider to my readers and that is Let's Encrypt. Web hosting providers will often try to upsell you on SSL certificates and other sites will list a top 10 of places to get them, but as a seasoned web developer I am doing the ethical thing and only recommending the one.

Why Let's Encrypt? The Let’s Encrypt service is a nonprofit service provided by The Internet Security Research Group. This is a nonprofit foundation and I trust them because, unlike virtually every other CA (Certificate Authority) out there, they are one of the very few that offer no-questions-asked, no-signup-required SSL certificates. I use them for my personal websites and as the default CA for my clients’ websites as well, unless they ask for something different.

Let’s Encrypt has a list of web hosting providers that use their service to provide SSL certificates to their customers (link somewhere here). If your domain provider is on that list then great, you’re all set! If you are still looking for a domain provider, I suggest doing business with one that is either on that list or provides their own SSL certificates for free (like Namecheap).

However, if you fall into the camp of already having purchased your domain, but from a provider that isn’t on the list, then you can still get an SSL certificate from Let’s Encrypt but you will have to do it manually on your webserver. This can be done rather simply using a tool called Certbot. Certbot is developed by Let’s Encrypt and the Electronic Frontier Foundation and is an open-source tool that lets you install SSL certificates on a wide array of different web server setups. I would normally post a guide on how to do this but Certbot has a much better guide than I could ever possibly put together so you can check it out here.

Having a website secured with an SSL certificate in 2020 is not optional, it’s required. Luckily there are wonderful nonprofits out there that provide this at no cost to anyone with a website. If you decide to encrypt your website using Let’s Encrypt and your website makes a bazillion dollars, consider contributing to their cause.