Does Your Website Really Need an SSL Certificate?
It has become common knowledge by now that Google has decided to favor HTTPS websites over HTTP, assuming all other factors such as responsive design, page load times, and quality of content remain the same.
This decision by Google has sparked a good deal of debate on the Internet, with more and more webmasters moving their websites to HTTPS. Furthermore, it has also provided several web hosts and SSL providers with an opportunity, wherein they can try to upsell their SSL certificates by telling customers that their websites “need the SSL certificate in order to do well”.
The question is, do you really need an SSL certificate for your website? In this post, I will attempt to answer this question.
When Exactly Do You Need an SSL Certificate?
There are certain cases or scenarios when an SSL certificate is vital and at times even mandatory for your website. Take up these situations, for instance:
- You are collecting sensitive user information, such as an address and other details that can be used to identify a person. In such cases, an SSL is not compulsory, but nearly crucial and essential to have, because the SSL sign will emphasize trust and reliability among your users.
- You are collecting payment information, such as credit card details, from your users and storing them on your site. In such cases, an SSL certificate is compulsory to have, and in the absence of one, you should not be collecting such information.
- You are selling a product, but not collecting any payment information. Say, you are using PayPal as the payment gateway, and as such, the user does not need to give you credit card details. In this case, an SSL certificate is definitely not needed. However, having a simple SSL certificate will be the recommended way to go — again, for the sake of trust and reliability.
- You are running a membership site, say a forum, wherein users can signup and register themselves (with or without payment). In such case, an SSL certificate is rarely needed, unless you are collecting payments for premium memberships.
- Yours is a blog. An SSL is not needed, full-stop.
As can be seen, we need an SSL certificate not depending on the SSL in itself but on the basis of the nature and function of our website. In simple words, if you are collecting sensitive user information, or offering a product or service wherein you would want your users to feel secure while trusting you, go for an SSL certificate. For all other purposes, while SSL certificates are always a good thing to have, they are not mandatory for the health of your website. Therefore, it is wiser to make your own decision on the basis of your needs and considerations, rather than falling prey to companies that might be trying to sell you an SSL certificate that you can do without.
“I got an SSL certificate because Google asked me to.”
I am pretty sure many users are already seeing this as a viable answer to the question “Why did you get an SSL certificate?” In fact, I can already picturize many web hosts using “Google loves SSL” as a handy reason for selling SSL certificates (much like there used to be some hosts that used to sell dedicated IPs as “good for SEO”).
While it indeed is true that Google has decided to favor HTTPS over HTTP, there are various other factors that go a long way in determining the ranking of your website. For instance, your SSL certificate will be of little use if:
- Your content is not unique or is below par
- Your website takes ages to load
- Your website is not responsive and does not work well on mobile devices
- You do not have a sitemap, have way too many 404s, etc.
HTTPS is *one* of the many factors that Google is considering, so while it surely is a good thing to have one for your blog or website, it is not the end of the world if you do not. After you have your SEO and other tidbits in order, if your budget does allow, go for an SSL certificate. But an SSL certificate shouldn’t be #1 on your SEO strategy.
Speaking of budget, assuming you do decide to go for an SSL certificate, where and how should you buy one?
Purchasing Advice for SSL Certificates
The majority of the web hosts that I have seen tend to sell SSL certificates at higher prices. If you are buying an SSL certificate simply for the sake of HTTPS, go for a PositiveSSL or RapidSSL that costs about $10 per year, and while you’re at it, purchase it for two years to bring the price further down by a dollar or two. Namecheap and Name.com are good choices for this purpose.
If you are really on a budget, you can get a free SSL from Comodo, though you will need to renew it every 90 days. Another very useful and truly awesome option is Let’s Encrypt — a rather new service that gives you HTTPS for your site, free of cost. It is currently in public beta, and requires some tweaking to do before you actually get the SSL up and running, but it is a perfect choice for anyone looking to add HTTPS to their site without spending money. There is a cPanel plugin that allows for installing free Let’s Encrypt SSL certificates on domains with just a few clicks that is slowly being implemented by web hosts. MonsterMegs, SiteGround, HawkHost, StableHost, CrocWeb, WebHostFace, MightWeb, Squidix, MDDHosting and VeeroTech all have recently added it to their hosting plans.
Conclusion
Depending on your needs and budget, you can decide whether or not to move your site to HTTPS. Once again, it is a better idea to make your own decision here, rather than listen to phony “good for SEO” advice and opt for an SSL certificate even though your budget may not be feasible for it.
Also, note that migration from HTTP to HTTPS is a big deal, even though it is pretty easy to accomplish. You will need to redirect traffic from the non-secure version of your site to the secure one. Plus, if you have had your website without HTTPS for long, all links shared on Facebook and other social networks will be sans SSL, and as such, you may lose your social proof if you just install the SSL certificate and forget about it. Having a redirect rule will be the way to go from here.
Lastly, for users running dynamic CMS, such as WordPress, it might happen that your website is using SSL, but your media, such as uploaded images, are accessible without the SSL. This will hardly reflect in your website’s search rank or performance, but the green https:// in the address bar might not be visible (because the images on the concerned page will be without HTTPS and so the page is not fully “secure”). You can fix it by forcing all content to be served via HTTPS (WordPress users have a very handy plugin for this purpose).
Will you be installing an SSL certificate for your website anytime soon? If so, which certificate have you decided to opt for? Share your views in the comments below!
Sufyan is a contributor to a variety of websites and blogs about technology, Linux, open source, web design, content management systems and web development. Learn more about his works on sufyanism.com
It might be worth mentioning that many hosts still require a dedicated IP if you want to use SSL. In fact, they often demand justification, due to the shortage of IPv4 addresses. “Because Google said I should,” isn’t one of the accepted reasons. ;)
I got curious and started poking around on my new host, MDDHosting. Sure enough, Let’s Encrypt is available. But even easier, MDDHosting appears to have implemented “free SSL for everyone, almost automatically.” I pointed to one of my sites with https:, and lo and behold, I saw a green padlock. SSL is being provided by cPanel/Comodo, and I didn’t have to do a thing to get it. I did have to clean up some non-secure resource calls on some of my pages, and then went into cPanel to do a wildcard redirect from non-SSL to SSL, but that was it.
Granted, you don’t get the “double-secret, super-secure” padlock in Edge and Safari, which require an EV cert – you get a gray padlock, instead, but without any other visible warning. But in Chrome, Firefox, and Opera, it’s green padlock all the way.