We take a detailed look at SSL certificates, discuss the benefits they can offer your charity, and explore how you can use them
Imagine that a supporter makes an online donation to your charity, only to discover that the website they have visited is a fake one and the donation has gone straight into the pocket of a hacker.
It’s a scenario that highlights the importance of trust. Before donating, a supporter needs to be able to trust that the charity website they visit is genuine. They also need to trust that their credit card details and any other details they provide are secure so they can’t be intercepted by a hacker.
That’s where SSL certificates help. Using SSL certificates means donors can verify that your website belongs to your charity, and that the personal information they provide while making a donation is protected by strong encryption. There are other benefits to using SSL certificates, too, including:
In this article, we will run through the benefits of using SSL certificates and explain how to get started.
SSL stands for Secure Sockets Layer, which was a standard security technology for establishing an encrypted link between a browser and a website. SSL has now been replaced by a technology called Transport Layer Security (TLS), so SSL certificates should more accurately be called TLS certificates.
A digital certificate is a small computer file, installed on the web server that hosts your site, which certifies that the site belongs to your charity. The obvious question, then, is why should anyone trust the certificate?
The answer comes down to who has verified the certificate. If the certificate has been verified by a “trustworthy organisation”, you can trust what the certificate certifies.
But what is a “trustworthy organisation”? It turns out that reputable web browsers like Firefox, Chrome, Safari, and Edge, as well as some computer operating systems such as Windows and macOS, have a list of organisations that verify certificates – known as Certificate Authorities (CAs) – that have been examined and can be trusted.
That means a digital certificate can be trusted if it has been verified by a CA that is in your browser’s or operating system’s list. If the certificate says that the website belongs to your charity, visitors can be sure that it really does.
If the CA is not trusted by your browser or operating system, then a warning will appear on the screen.
Websites secured with SSL certificates have a web address starting with "https://" rather than "http://". A padlock icon is also displayed in the browser before the web address.
Clicking on the padlock will reveal details about the certificate, which will usually include the name of the owner and the name of the CA.
This is where things get a little more complicated – and to understand the answer to this question completely you need to know about something called Public Key Infrastructure (PKI).
But all you really need to know is that an SSL certificate also includes a public encryption key that the web browser of a visitor to your site can use to encrypt credit card details and other information so that they can be sent to your charity’s site securely. Should a hacker intercept the details, they would not be able to read them because they are encrypted.
When a CA certifies a certificate, there are three levels of certification leading to three types of certificate:
The process involves generating an SSL certificate and other digital files which support it, submitting it to a CA, and putting the verified SSL certificate on the web server that hosts your site.
Many CAs can create and certify SSL certificates for you. Among the most popular CAs are:
You can compare prices and buy SSL certificates from all of these CAs through the SSL Store.
To get an idea of the time and cost involved, Thawte offer an EV certificate for about £100 per year, with a turnaround time of about three days.
Many charities use a web platform such as WordPress or a web hosting company to host their website. The good news is that many of these organisations can arrange for SSL certificates to be created and installed for you.
Other hosting organisations have automated the process. You may be able to log in to your web hosting account and choose an option to add SSL certificates through the popular cPanel, Plesk, or some other control panel. This will take you step-by-step through the process of uploading a certificate and other files to your website.
Usually encryption involves the use of a single key. You use the key to encrypt the message and you need the same key to decrypt it. This is known as symmetric key encryption.
But there is another type of encryption that uses a pair of keys. If you use the first key to encrypt a message, you need to use the second key to decrypt it. Similarly if you use the second key to encrypt it, you need to use the first key to decrypt it.
Let’s call the first key the private key, and the second key the public key. The private key you keep secret so that only you know it, but you let anyone who wants it know your public key. You can publish your public key on your website, and include it in your email signature if you want. And, crucially, you can include it in your digital certificate.
So when someone visits your website, their browser can look at the digital certificate. It can check that it has been certified by a CA that it trusts so that it knows that the site is genuine, and it can also see your charity’s public key.
Now here’s the clever bit. Once the visitor has your charity’s public key it can use it to encrypt credit card details or any other information and send it over the internet.
If a hacker intercepts it they will be unable to read the information because it is encrypted. Your private key is needed to decrypt a message which has been encrypted with your charity’s public key, and only you have that.
Remember how we mentioned earlier that a message encrypted with one key can only be decrypted with the other key in the key pair? That means that a message encrypted with the private key can only be decrypted with the public key.
But what use is that? Since the public key is publicly available, that means anyone could decrypt a message which has been encrypted with the private key.
In fact this can be very useful, as a way of providing a digital signature. If you encrypt a message using your private key, then anyone who decrypts the message with your public key can be certain that the message came from you.
That’s because they would not have been able to decrypt the message with your public key if it hadn’t been encrypted with your private key. So it must have come from you. (This of course assumes that you have indeed kept your private key private and prevented anyone else from accessing it.)
This digital signing capability is important for SSL certificates because when your certificate is verified by a CA, they sign it by encrypting it with their private key. Alongside browsers’ and operating systems’ lists of trusted CAs, they also store those CAs’ public keys. This allows your browser to check the signature to ensure that a certificate really was certified by the CA that purports to have signed it.
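To make the two ideas above concrete (encrypting with the public key so only the private key can decrypt, and signing with the private key so anyone with the public key can check who signed), here is an added example that is not from the article or from any CA. It is a toy model written in Python using textbook RSA with small keys generated from a fixed seed; the CA name "Toy CA", the site name "donate.example.org" and the sample card string are all constructed for the example. Real TLS uses much larger keys, padding schemes and X.509 certificates, none of which this reproduces.

```python
"""Toy model of the key-pair ideas in the article (added example, not the article's code).
Textbook RSA with tiny seeded keys: for illustration only, never for real data."""
import hashlib
import random


def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin probable-prime test, sufficient for a constructed example."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if _is_probable_prime(candidate, rng):
            return candidate


def make_keypair(bits=512, seed=None):
    """Return (public_key, private_key) as (n, e) and (n, d). Seed only for reproducibility."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))  # pow(e, -1, phi) needs Python 3.8+


def encrypt(public_key, message: bytes) -> int:
    """Encrypt with the recipient's PUBLIC key; only the matching private key can decrypt."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key size")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private_key, message: bytes) -> int:
    """'Encrypt' a hash of the message with the PRIVATE key, as the article puts it."""
    n, d = private_key
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding the public key can confirm the signature came from the private key."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")


def _cert_body(subject, subject_public) -> bytes:
    return f"{subject}|{subject_public[0]}|{subject_public[1]}".encode()


def issue_certificate(ca_name, ca_private, subject, subject_public):
    """The CA certifies the site's public key by signing it with the CA's private key."""
    return {"subject": subject, "public_key": subject_public, "issuer": ca_name,
            "signature": sign(ca_private, _cert_body(subject, subject_public))}


def browser_accepts(cert, trusted_cas):
    """Mimic the browser: accept only if a CA on the trust list verifies the signature."""
    ca_public = trusted_cas.get(cert["issuer"])
    if ca_public is None:
        return False  # issuer not in the built-in list: the browser would show a warning
    return verify(ca_public, _cert_body(cert["subject"], cert["public_key"]), cert["signature"])


def demo():
    """Walk the article's donation scenario end to end; returns three booleans."""
    ca_public, ca_private = make_keypair(seed=1)      # the CA's key pair
    site_public, site_private = make_keypair(seed=2)  # the charity's key pair
    trusted = {"Toy CA": ca_public}                   # the browser's trust list
    cert = issue_certificate("Toy CA", ca_private, "donate.example.org", site_public)
    card = b"Card 4111 1111 1111 1111 (constructed sample)"  # donor's constructed input
    recovered = decrypt(site_private, encrypt(cert["public_key"], card))
    rogue_public, rogue_private = make_keypair(seed=3)  # a fake site's self-made CA
    fake = issue_certificate("Rogue CA", rogue_private, "donate.example.org", rogue_public)
    return browser_accepts(cert, trusted), recovered == card, browser_accepts(fake, trusted)
```

Calling `demo()` returns `(True, True, False)`: the genuine certificate is accepted, the donor's data round-trips only through the charity's private key, and the fake site's certificate is rejected because its issuer is not on the trust list. Changing any field of a certificate after it was issued also makes `browser_accepts` return `False`, which is the property that lets a browser detect a tampered certificate.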