What is SSL in SEO

SSL encryption and SEO: what you need to know

SSL has been a part of online marketing for many years. People tend to associate it with online security, but the truth is that few know what SSL really is and what it does. In this blog post we break down SSL for you and answer some important questions, including how SSL works and why it is so important for SEO.

Table of Contents

1. What is SSL?
2. What is the difference between SSL and TLS?
3. Is HTTPS the same as SSL?
4. What are the functions of SSL?
5. Why is SSL so important for SEO?
5.1 SSL is a ranking factor
5.2 Not having SSL can drive your users away
6. How does SSL work?
7. SSL Certificates
7.1 What is an SSL Certificate?
7.2 What types of SSL certificates are there?
7.3 How much does an SSL certificate cost?
7.4 Are there free SSL certificates?
7.5 Encryption strength and protocol support
8. SSL and Mixed Content
9. SSL and the GDPR
10. Conclusion

1. What is SSL?

SSL is an acronym that stands for Secure Sockets Layer. Put simply, SSL is a protocol for encrypting communications transmitted over the Internet, which is considered a key component of technical SEO.

The SSL protocol can be used in various types of electronic communication. One of the most common is communication between a website (server) and a user (browser). However, SSL is also used to encrypt communications over other systems, such as email or messaging applications. For example, Gmail uses SSL to encrypt email by default. You can see this by checking the header of every email stored in your Gmail account, as shown in the following example:

2. What is the difference between SSL and TLS?

SSL and TLS: what's the difference between the two? This is probably one of the most confusing topics, although the answer is pretty straightforward. Let us explain.

Technically, SSL no longer exists. So why are people and companies still talking about it? We will answer this question in a few seconds. First of all, you should know that SSL is an encryption protocol that was developed by Netscape in the 1990s. The first version of SSL - SSL 1.0 - was never released due to several security flaws. The second version - SSL 2.0 - was released in 1995 while the third version - SSL 3.0 - was released in 1996.

After SSL 3.0, Netscape stopped participating in the development of the protocol. Its role was taken over by the Internet Engineering Task Force (IETF), which released the next version of SSL in 1999. However, since Netscape was no longer involved, the name of the protocol was changed from SSL to TLS (Transport Layer Security). Several TLS versions have been released since then: the first, TLS 1.0, was released in 1999; the second, TLS 1.1, was released in 2006; two years later, the third version, TLS 1.2, was published; and the latest version, TLS 1.3, was released in 2018, ten years after TLS 1.2 was released. Here is a table to illustrate this better:

Are TLS 1.0 and SSL 3.0 completely different protocols? No. In fact, the differences between the two protocols are not that great. Think of TLS as an upgrade or successor to SSL, just by a different name.

So if SSL no longer exists, why is everyone still saying SSL instead of TLS? The truth is that despite the release of TLS 1.0 and its subsequent versions, people and businesses continue to use the term SSL to refer to the protocol. In short: SSL and TLS have become synonyms.

Important NOTE: In this post we use the term SSL as a synonym for TLS.

3. Is HTTPS the same as SSL?

This is another question that creates a lot of confusion. Let's shed some light on the darkness.

First of all, SSL and HTTPS are not the same thing. As we said at the beginning of this article, SSL is a protocol used to encrypt communications over the internet. HTTPS, on the other hand, is the application of SSL to the HTTP protocol. Think of it this way: just as water can be used for different purposes (e.g. watering plants, cooking or cleaning), SSL can be used to encrypt data transmitted by different applications (e.g. data transferred from a browser to a server, or data transferred from one email account to another).

In the case of HTTPS, the SSL protocol is used to encrypt communication between a website (server) and a user (browser). To do this, the website owner must activate SSL by installing a so-called SSL certificate (more on this later).

Finding out if a website owner has SSL enabled is actually pretty easy. The only thing you need to do is look at the web address bar. If you see a padlock next to the URL, it means the website has SSL enabled. Here is an example from Chrome:

 

Here is the same example but with Firefox:

 

And here is the same example, this time with Microsoft Edge:

Most browsers indicate that a website has SSL enabled the same way: by displaying a padlock next to the URL. However, there may be differences depending on the type of SSL certificate the website has installed. We'll get into this in more detail in a later section.

 


4. What are the functions of SSL?

Traditionally, SSL fulfills three functions: it encrypts communication (1), it authenticates the parties (2) and it ensures data integrity (3).

The first function SSL performs is to encrypt electronic communications sent over the Internet. So if a third party intercepted a communication, the only thing that third party would see would be an encrypted message.

In the case of websites, SSL means that the data exchanged between a user and a website is encrypted. This includes data that is sent via a contact form or exchanged via a chat. Does this mean that websites that are not collecting data shouldn't care about SSL? No. In fact, websites without SSL can fall victim to content injection, where a third party injects content into a website without the website owner's permission or knowledge. The classic example is an ISP injecting advertisements into a website that has not enabled SSL, as in the following example:

(Source: The SSL Store)

The second function of SSL is to authenticate the parties exchanging electronic communication. It does this through a process called an SSL handshake. More on this in Section 6.

Finally, SSL ensures data integrity, i.e. it prevents third parties from manipulating electronic communication before it reaches its destination.

5. Why is SSL so important for SEO?

5.1. SSL is a ranking factor

Google strives to deliver the best but also the safest search results. For this reason, the American company announced in 2014 that HTTPS would become a ranking signal:

“For these reasons, we have been running tests over the past few months to see if websites are using secure, encrypted connections as a signal in our search ranking algorithms. We have seen positive results, so we have to use HTTPS as a ranking signal. At the moment it is only a very lightweight signal - it affects less than 1% of global queries and has less weight than other signals, e.g. quality content - while we give webmasters time to switch to HTTPS. But as time goes on, we may decide to step it up as we encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”

Does this mean that websites using HTTPS do significantly better than HTTP websites? Research seems to rule this out. In this article, for example, Neil Patel analyzes several studies and comes to the conclusion that there is little correlation between the introduction of HTTPS and achieving better rankings.

However, website owners shouldn't neglect HTTPS, especially considering that it can act as a tiebreaker. This was confirmed by Google's Gary Illyes in 2015. According to him, if two websites show signals of the same quality but only one of them has HTTPS enabled, the website with HTTPS will rank better.

So is there a reason not to switch to HTTPS? Not really. In fact, a ranking signal should be reason enough. On the other hand, HTTPS seems to be the norm these days as millions of websites are currently using the encryption protocol. So if your website is still only available on HTTP, you should make the switch as soon as possible. If you need help with the changeover, my colleague Jasper wrote a post in which he shows you how to switch from HTTP to HTTPS in 8 easy steps.

5.2. Not having SSL can drive your users away

Besides being a ranking signal, SSL has several other advantages. Perhaps the most important is that it prevents your users from running away. The reason for this is that websites without SSL are usually marked as unsafe by the browsers. Here is an example from Chrome:

(Source: Florida Department of Health)

And here is the same example with Firefox:

(Source: Florida Department of Health)

In short, SSL will likely improve your bounce rate if you choose to switch.

But is the bounce rate the only KPI affected by a switch from HTTP to HTTPS? Probably not. Everything that users do on your website will also be affected. This includes lead generation, especially if your lead generation process requires users to provide personal data (e.g. submitting a contact form, making a payment). Wouldn't you also feel more secure if you gave your credit card number to a website that isn't marked as unsafe? The data also supports this assumption: according to a study by GlobalSign, no less than 84% of users would abandon a purchase on a non-HTTPS website.

6. How does SSL work?

The process of encrypting communication between a server and a browser begins with the so-called SSL handshake.

The first stage of an SSL handshake is based on asymmetric encryption (also known as “public key encryption”). With asymmetric encryption, a public key is generated by the server and used by the browser to encrypt communication. As the name suggests, the public key is made public. However, the messages encrypted with the public key can only be decrypted with a private key. This private key is kept secret by the server and is not passed on to third parties.

So how does an SSL handshake work exactly? Here is a brief description:

  • First, the browser connects to the server hosting the website and requests its identification.
  • Next, the server sends a copy of its SSL certificate and a public encryption key.
  • The browser then verifies the server's SSL certificate, generates a session key and encrypts it with the server's public encryption key. This encrypted session key is then sent to the server.
  • Finally, the server decrypts the session key with its private key. Once this is done, the server sends a confirmation message to the browser using the session key.

After the server sends the confirmation message to the browser, all communication between the two is encrypted using symmetric encryption. In contrast to asymmetric encryption, with symmetric encryption all communication is encrypted and decrypted with the same encryption key.

Why does SSL start with asymmetric encryption and then move on to symmetric encryption? The reason is easy to understand: Using asymmetric encryption for all communication would require too much computing power.
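The handshake steps and the switch to symmetric encryption described above, as an added Python example that is not part of the original post. It is a teaching model only: it uses unpadded RSA with a constructed toy key pair and a hash-based toy cipher, skips the certificate check, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy key pair built from two known Mersenne primes; far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public key: sent to the browser
D = pow(E, -1, (P - 1) * (Q - 1))      # private key: never leaves the server


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], pad))
    return bytes(out)


def record_keys(session_key: bytes, seq: int):
    """Derive per-record encryption key, MAC key and nonce from the session key."""
    nonce = seq.to_bytes(8, "big")
    enc = hashlib.sha256(b"enc" + session_key + nonce).digest()
    mac = hashlib.sha256(b"mac" + session_key).digest()
    return enc, mac, nonce


def seal(session_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt one record and append an integrity tag (same key on both sides)."""
    enc, mac, nonce = record_keys(session_key, seq)
    body = xor_stream(enc, plaintext)
    return body + hmac.new(mac, nonce + body, hashlib.sha256).digest()


def unseal(session_key: bytes, seq: int, record: bytes) -> bytes:
    """Verify the tag, then decrypt; raise if the record was altered in transit."""
    enc, mac, nonce = record_keys(session_key, seq)
    body, tag = record[:-32], record[-32:]
    expected = hmac.new(mac, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record failed integrity check")
    return xor_stream(enc, body)


def browser_send_session_key(server_public):
    """Browser: pick a random session key and encrypt it with the public key."""
    n, e = server_public
    session_key = secrets.token_bytes(16)
    return session_key, pow(int.from_bytes(session_key, "big"), e, n)


def server_recover_session_key(wrapped: int) -> bytes:
    """Server: only the private exponent D can undo the browser's encryption."""
    return pow(wrapped, D, N).to_bytes(16, "big")


def handshake():
    """Run the exchange end to end; return both keys and the confirmation."""
    browser_key, wrapped = browser_send_session_key((N, E))      # browser -> server
    server_key = server_recover_session_key(wrapped)
    confirmation = seal(server_key, 0, b"handshake confirmed")   # server -> browser
    return browser_key, server_key, unseal(browser_key, 0, confirmation)
```

The two expensive public-key operations happen once per connection; every later record only costs hashing, which is the reason for the switch given above.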

7. SSL Certificates

7.1. What is an SSL Certificate?

An SSL certificate is a digital file that encrypts communication between a website and a user. For this to be possible, the SSL certificate must be installed on the server hosting the website.

7.2. What types of SSL certificates are there?

SSL certificates can be classified based on three criteria: their level of validation (1), the number of domains they cover (2) and the authority that issues them (3).

Regarding the level of validation, there are the following SSL certificates:

  • Domain Validated (DV) certificates. These certificates are the cheapest and easiest to obtain as they only require domain ownership verification to be issued.
  • Organization Validated (OV) certificates. These certificates are slightly more expensive than DV certificates and take a little longer to obtain (between 1 and 3 days). The reason for this is that in addition to domain ownership, the identity of the organization that owns the domain is verified.
  • Extended Validation (EV) certificates. These are by far the most expensive SSL certificates. It usually takes 1 to 2 weeks to get one. In addition to ownership of the domain, the identity of the organization that owns the domain is also thoroughly verified. In this sense, the domain owner is obliged to share a number of legal documents with the authority issuing the certificate and to receive a representative of the authority on their premises.

Note that some browsers may display the web address bar differently depending on the level of validation of the certificate. Chrome and Firefox, for example, make no distinction. However, Microsoft Edge distinguishes between EV certificates and DV or OV certificates. For example, here's how an OV certificate appears in Edge:

Here's how Edge displays the address bar when a website has an EV certificate:

Regarding the number of domains they cover, there are the following SSL certificates:

  • Single domain certificates. These certificates only cover one domain name and only one subdomain within this domain (e.g. www.example.com). Single-domain certificates are available with domain, organization and extended validation.
  • Wildcard certificates. Similar to single-domain certificates, wildcard certificates only cover one domain name. However, they cover several subdomains within that domain (e.g. www.example.com, mobile.example.com, support.example.com). Wildcard certificates are not available with extended validation.
  • Multi-domain certificates (also called “Unified Communications Certificates” or “Subject Alternative Name Certificates”). These certificates cover multiple domain names and multiple subdomains within these domains. Multi-domain certificates are available with domain, organization and extended validation.
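To check which hostnames a given certificate actually covers, the following added Python example (not from the original post) applies the matching rule browsers use, in which a wildcard stands for exactly one leftmost label. The host inventory, certificate name lists and function names are constructed for illustration.

```python
def name_covers(cert_name: str, hostname: str) -> bool:
    """True if one certificate name (exact or '*.domain') covers hostname."""
    pattern = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(host) or "" in host:
        return False
    if pattern[0] == "*":
        # The wildcard replaces exactly one leftmost label, so it never
        # matches the bare domain or a deeper sub-subdomain.
        return len(pattern) >= 3 and pattern[1:] == host[1:]
    return pattern == host


def audit_coverage(cert_names, site_hostnames):
    """Map each hostname to the certificate name that covers it, or None."""
    report = {}
    for hostname in site_hostnames:
        match = next((n for n in cert_names if name_covers(n, hostname)), None)
        report[hostname] = match
    return report


def uncovered(cert_names, site_hostnames):
    """Hostnames that would trigger a certificate name-mismatch warning."""
    report = audit_coverage(cert_names, site_hostnames)
    return [host for host, match in report.items() if match is None]


# Constructed inventory of hostnames a site serves.
SITE_HOSTS = ["example.com", "www.example.com", "mobile.example.com",
              "api.v2.example.com", "shop.example.org"]

# Constructed name lists for the three certificate types described above.
SINGLE_DOMAIN = ["www.example.com"]
WILDCARD = ["*.example.com"]
MULTI_DOMAIN = ["example.com", "www.example.com", "shop.example.org"]

if __name__ == "__main__":
    for label, names in [("single", SINGLE_DOMAIN), ("wildcard", WILDCARD),
                         ("multi", MULTI_DOMAIN)]:
        print(label, "leaves uncovered:", uncovered(names, SITE_HOSTS))
```

Running the audit against the full list of hostnames before buying or renewing shows whether a wildcard alone is enough or whether the bare domain and deeper subdomains need their own entries.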

Finally, depending on the authority that issues them, SSL certificates can be:

  • Certificates issued by a Certificate Authority (CA). These are issued by an independent third party. Examples of certification bodies are DigiCert, Sectigo or Let's Encrypt.
  • Self-signed certificates. These certificates are issued by the website owner and not by a third party. However, since most browsers only trust SSL certificates issued by a certification authority, self-signed certificates are not recommended.

7.3. How much does an SSL certificate cost?

The price of an SSL certificate essentially depends on two factors: its level of validation and the number of domains it covers.

We looked at the prices offered by Sectigo, one of the most popular certification bodies, and made a brief overview:

(Source: Sectigo)

Important NOTE: The prices listed above correspond to the cheapest options and do not include discounts that are granted when purchasing a certificate for several years.

Includes three domains.

7.4. Are there free SSL certificates?

If the prices listed in the previous section are beyond your budget, you're in luck: there are also free SSL certificates!

Before you decide to install a free SSL certificate, you need to make sure that your hosting provider accepts it. You also have to be aware that free SSL certificates have a short expiration date (usually 60 to 90 days), so you will have to renew them from time to time. Finally, you'll have to install the certificate yourself, so make sure you know how to do this or hire someone to do it for you.

Where can you get a free SSL certificate? Here are three of the most popular options:

  • Let's Encrypt. Let's Encrypt is a certification authority (CA) that offers free SSL certificates, including single-domain, wildcard and multi-domain certificates. Many hosting providers offer website owners the option of installing a Let's Encrypt certificate from cPanel, which makes the entire process much easier.
  • SSL For Free. Installing a certificate from SSL For Free is usually pretty straightforward. However, we recommend looking for instructions if you are not entirely sure how to install it. If your website is hosted on GoDaddy, you can watch this video.
  • Cloudflare. Cloudflare also offers SSL certificates for free. As with SSL For Free, we recommend looking for a tutorial if you are having trouble with the installation process. For GoDaddy users, make sure to check out this video.

In addition to the options listed above, you should note that many hosting providers such as Siteground or Inmotion Hosting provide a free SSL certificate in their packages. These certificates are usually issued by Let's Encrypt and can be easily installed with a few clicks of the mouse.

 


7.5. Encryption strength and protocol support

There are two confusing topics within SSL: encryption strength and protocol support.

The encryption strength refers to how strong the encryption key is. Most SSL certificate providers offer certificates with an encryption strength of 256 bits. However, whether 256-bit encryption can be used depends on the server and browser. For example, if the server can handle 256-bit encryption but the browser cannot, the encryption process will not work. Both have to be able to handle it. For this reason, many SSL certificate providers say that if the server and browser do not support 256-bit encryption, they will lower the encryption strength to 128-bit encryption.

On the other hand, websites can support multiple protocols. To find out which protocols your website supports, simply run a scan with the SSL Labs tool. Here is the result for www.more-fire.com:

(Source: SSL Labs)

As you can see, our website can support up to 4 protocols (TLS 1.0, TLS 1.1, TLS 1.2 and TLS 1.3).

Why do websites support multiple protocols? The reason is simple: not all servers or browsers may support the latest version of the protocol. For example, if a server supports TLS 1.3 and TLS 1.2, but the browser only supports TLS 1.2, it is still possible to establish an encrypted connection between the two using TLS 1.2.

So far, not all browsers support TLS 1.3. Those that do not include Baidu, Opera Mini, Opera Mobile and KaiOS:

(Source: caniuse.com)

8. SSL and Mixed Content

Mixed content occurs when a page served over HTTPS also loads content over HTTP. Websites that host third-party content over HTTP are the classic example.

The way browsers draw attention to mixed content varies greatly. In Firefox, for example, a padlock with a warning sign appears in the address bar:

(Source: Google samples)

In Chrome, however, the page is marked as unsafe:

(Source: Google samples)

Both examples are from Google, which takes mixed content very seriously. In fact, in late 2019, Google announced that Chrome would start blocking HTTP resources hosted on HTTPS websites:

“Today we announce that Chrome will gradually ensure that https:// pages can only load secure https:// subresources. In a series of steps explained below, we will start by default by blocking mixed content (insecure http:// subresources on https:// pages). This change will improve user privacy and security on the web, and provide users with a clearer browser security UX.”

If your website hosts elements in both HTTP and HTTPS, make sure that the HTTP elements are removed or made available in HTTPS. If you need help finding and fixing mixed content issues, Google provides this very helpful guide.

9. SSL and the GDPR

Last but not least, if you are wondering whether SSL can help you in your efforts to comply with the GDPR, the answer is yes!

The European regulation imposes an obligation on companies to take technical and organizational measures to ensure the security of personal data, and names encryption as an example. With this in mind, if your website processes personal data, consider SSL as a first and fundamental step towards compliance.

 


10. Conclusion

As a key component of technical SEO, SSL offers website owners several advantages. This includes the encryption of the communication between server and browser as well as a slight improvement of the rankings. On the other hand, since SSL certificates can be purchased at little or no cost, the lack of such a certificate is no longer an excuse.

Outside of his work as a digital consultant, Nelson is a fan of metal music and a true encyclopedist. He has many interests including history, psychology and economics.