Posted on

SSL and trust

We can all agree on this: security is important, as is trust.

Does a pretty seal from an SSL certificate provider create trust? Doubtful. The provider’s own claims aside, it’s marketing fluff.
Oh, a seal used to give the provider some extra Google juice (one more link back to them), but Google’s algorithms don’t care about that any more. Good!

What Google (and others) do care about is security: all sites should use SSL. For everything.
Expensive? Not really. Let’s Encrypt is free, and certificate renewals can be fully automated (scripted). Quite shiny really.

Let’s Encrypt only does domain validation, so a user sees the green lock and a “Secure” indicator. If you want company validation, you need to use another provider and pay their fees. Do you need that? That’s up to you. We reckon that in many (if not most) cases you don’t really.

It might depend on whether your clients are informed enough to care about SSL, and then whether they know (and care) enough to discern which indicators carry real security meaning and which are just fluff. Tech geeks aside, few people do. We’re not saying that is brilliant, but it is reality. Do people care for pretty seals, and do we want to feed that realm of misinformation and false security? We hope you don’t go down that path, because if we really care about security, this just distracts without solving the real issues. Doing things you technically don’t believe in won’t create real trust, as it’s not genuine. And whatever marketing/sales types tell you, you can’t fake genuine. Increasingly, people see right through it. Which is awesome!

If your users know enough and care to verify that your site is really owned by your company, then yes, a certificate with company validation makes sense.

Actionable task

If your publicly facing web or API servers aren’t using SSL for everything yet, you’ll want to spend some time fixing this. Real security aside, it affects your search engine ranking. If web pages pull in logos, JavaScript or even stylesheets from third parties, make sure those too use HTTPS, as otherwise browsers produce “mixed content” warnings.
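As an added example (not code from the original post), here is a small scanner for the “mixed content” problem described above: it parses a page the way a browser would and reports every script, stylesheet, iframe, image or form target that an HTTPS page pulls in over plain http://. The page URL and the HTML below are constructed for the demonstration; nothing is fetched from any real site.

```python
"""Flag "mixed content": resources an HTTPS page loads over plain http://.

Added example, not code from the original post. Standard library only;
the sample page and URLs below are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> (attribute that triggers a load, how browsers treat it).
# Per the W3C Mixed Content spec, scripts, stylesheets and frames are
# "blockable" (the browser refuses to load them); images, audio and video
# are "optionally blockable" (loaded, but the lock/warning is degraded).
# A form posting to http:// is not a load, but browsers warn on submit.
FETCHING_ATTRS = {
    "script": ("src", "blockable"),
    "link": ("href", "blockable"),  # only rel=stylesheet counts, see below
    "iframe": ("src", "blockable"),
    "img": ("src", "optionally-blockable"),
    "audio": ("src", "optionally-blockable"),
    "video": ("src", "optionally-blockable"),
    "source": ("src", "optionally-blockable"),
    "form": ("action", "form-submission"),
}


class MixedContentScanner(HTMLParser):
    """Collects insecure sub-resource references while parsing HTML."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in FETCHING_ATTRS:
            return
        attr_name, severity = FETCHING_ATTRS[tag]
        attrs = dict(attrs)  # HTMLParser already lowercases tag/attr names
        # <link rel="canonical"> etc. are not fetched as resources.
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return
        value = attrs.get(attr_name)
        if not value:
            return
        # Resolve relative and protocol-relative ("//cdn/...") URLs against
        # the page: on an HTTPS page those inherit https and are safe.
        absolute = urljoin(self.page_url, value.strip())
        if urlparse(absolute).scheme == "http":
            self.findings.append(
                {"tag": tag, "url": absolute, "severity": severity}
            )


def scan_mixed_content(page_url, html):
    """Return a list of insecure references; empty for an http:// page."""
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only exists on a secure page
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings):
    """Count findings per severity class."""
    counts = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


# Constructed sample page with a mix of safe and insecure references.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="canonical" href="http://www.example.com/page">
<script src="//cdn.example.net/app.js"></script>
<script src="http://analytics.example.org/track.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="http://partner.example.org/badge.png">
<form action="http://forms.example.org/submit" method="post"></form>
<iframe src="https://video.example.net/embed/1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    results = scan_mixed_content("https://www.example.com/page", SAMPLE_PAGE)
    for f in results:
        print(f"{f['severity']:21s} <{f['tag']}> {f['url']}")
    print(summarize(results))
```

Protocol-relative (`//cdn…`) and site-relative URLs resolve to HTTPS once the page itself is HTTPS, so they pass; the hard-coded `http://` references are what breaks the lock. Run it over saved copies of your own templates before switching a site to HTTPS, and fix the “blockable” findings first, since browsers drop those resources entirely.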
