Much like resort fees at hotels, secure sockets layer certificates (referred to as SSL certificates) for websites are basically a requirement that cannot be avoided without a huge headache. What exactly is an SSL certificate, and why do you need it?
Back in the day, an SSL certificate was optional. Sharp-eyed web surfers could see that some URLs started with “http://” and some with “https://” — the “s” stands for “secure.” It’s an indication that the website has been secured by one of a few dozen organizations known as certificate authorities.
An SSL certificate means that the website is what it says it is, not a means to trick you into a scam. The certificate ensures that data is encrypted from your browser all the way through to the website, preventing bad guys from stealing data such as your credit card information or your username and password.
In recent years, most, if not all browsers, including Chrome, Edge, Firefox, Safari and Brave, have made it difficult, if not impossible, to browse a site that doesn’t start with “https.” This means that if you are putting up a website, regardless of the size of your organization, you need to secure your website with an SSL certificate.
Despite the fact that an SSL certificate is virtually a requirement for all websites, hosting companies still separate out the cost, which can cause confusion. If all you need to do is secure a single, public-facing website, by all means, buy the certificate from whomever is hosting that site. It’s well worth the (literally) few dollars you might save by acquiring your certificate somewhere else, even if you could get one for free.
But if you have a custom-built website, you must acquire an SSL certificate from one of several vendors. Popular vendors include Comodo, which is typically a less expensive option, or titans such as AWS and GoDaddy.
There are also free options; the most popular is Let’s Encrypt. Why would you pay for a certificate when you can get a perfectly good one for free? It’s about the level of security. Most, if not all, free certificates don’t provide as much security as those that are purchased. E-commerce sites, for example, typically require a paid certificate. But if you are just running a simple website to promote your business, chances are that a free certificate will more than suffice.
One annoyance of an SSL certificate is that it can protect only a single domain name, such as www.yourcompany.com. If you want a separate website for aloha.yourcompany.com, you will need to acquire another certificate. Or, you can acquire a wildcard certificate, which can be used to certify everything in the yourcompany.com domain. Wildcard certificates are a bit more tedious to maintain, as you must save them somewhere if you want to use it on multiple servers.
Like seemingly everything else these days, scams related to certificates abound. Even those who have free certificates get spammed with messages telling them the certificate needs to be renewed — “enter your credit card info now!” Folks should always take heed when messages like these arrive. Oftentimes the messages are “legitimate” in the sense that your certificate will be renewed, just by a different vendor and at a significant cost increase.
John Agsalud is an information technology expert with more than 25 years of IT experience in Hawaii and around the world. He can be reached at jagsalud@live.com.
