Website security and SSL certificates: Q&A with Matt Larose

A Q&A with CIRA's Matt Larose, our in-house expert on SSL certificates.
By Erin Hutchison
Content Marketing and Social Media Specialist

As we all know (or should by now), having a website for your business, project or personal brand is essential. However, much like any other property you might own, you can’t just leave the door unlocked and walk away. With the upcoming changes that Google Chrome is making to the way secure websites are identified, now is the time to learn more about SSL certificates. A Secure Sockets Layer (SSL) certificate authenticates the identity of a website and allows secure connections from a web server to a browser by encrypting information such as passwords. If you still don’t have one for your website, we recently wrote about the reasons why you need an SSL certificate and how to get one.

I sat down with Matt Larose, CIRA’s senior systems administrator and in-house expert on SSL certificates, to get some further insight on their importance and some more detailed advice on how to get one for your website.

Is an SSL certificate worth the cost?

The cost can seem high, but it’s much easier to start with a secure website than to retrofit it later. Also, there are free options available. When in doubt, start there.

Is there any downside to getting a free SSL certificate or is it better to pay for one?

It’s a matter of trust, and it depends on the profile of your users. If you’re running a personal website or a small/medium business website which doesn’t handle e-commerce, you can totally trust a free certificate.

A bank or large e-commerce site should use an Extended Validation (EV) certificate (not available for free). Many major websites and banks still use OV certificates, but should be using EV certificates, as they give the user enhanced trust that the site they are connecting to is the one they expect.

Even if you don’t collect personal information on your website, do you still need an SSL certificate?

First, don’t be so sure your website doesn’t collect personal information; even an email address or a social login counts. Second, an SSL certificate is as much about trust as it is about security. If a user sees in their browser that your site is “not secure”, that’s going to impact your page views and traffic. SSL encryption is rapidly becoming the expected standard, and the changes made by Google in its Chrome browser reflect this. Moving to an encrypted website now positions you well for the future, when encryption may be mandated by web browsers or other technological changes.

Is the process a one-time set-up, or do SSL certificates expire?

SSL certificates expire after a configurable time, and should be monitored and renewed when required. The renewal time can range from as little as a few days up to two years. This two-year limit is a new change, and certificates issued prior to March 1st, 2018 may have longer validity periods.

Some more advanced implementations, such as Let's Encrypt, force a renewal every 30 days, but also include facilities to renew and redeploy these certificates automatically.

Do you see Chrome’s upcoming change as a ‘good thing’ for the internet?

Absolutely, it’s a good thing. Why? Because it makes sure the websites you’re going to can be trusted. It increases security for everybody using the internet.
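The expiry monitoring recommended in the answer on certificate lifetimes can be automated. The Python sketch below is an added example, not part of the interview or CIRA's tooling. It classifies certificates by their validity dates and applies the March 1st, 2018 cutoff from that answer. The 30-day alert window, the 825-day cap (the CA/Browser Forum limit behind the "two years") and all sample certificates are assumptions constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions of this example, not values from the interview.
RENEW_WINDOW = timedelta(days=30)   # alert this long before expiry
MAX_VALIDITY = timedelta(days=825)  # CA/Browser Forum cap behind the "two years"
LIMIT_START = datetime(2018, 3, 1, tzinfo=timezone.utc)  # date given in the answer

def _when(field):
    """Parse a notBefore/notAfter string in getpeercert() format."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(field), tz=timezone.utc)

def check_cert(cert, now):
    """Return findings for one getpeercert()-style dict at time `now`."""
    start, end = _when(cert["notBefore"]), _when(cert["notAfter"])
    findings = []
    if now < start:
        findings.append("not-yet-valid")
    if now >= end:
        findings.append("expired")
    elif end - now <= RENEW_WINDOW:
        findings.append("renew-soon")
    # Certificates issued before the cutoff may legitimately run longer.
    if start >= LIMIT_START and end - start > MAX_VALIDITY:
        findings.append("validity-over-limit")
    return findings or ["ok"]

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live certificate. An already expired certificate fails
    verification here and raises ssl.SSLCertVerificationError, which a
    monitor should report as a finding rather than swallow."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates (validity fields only), checked offline.
SAMPLES = {
    "one-year": {"notBefore": "Apr  1 00:00:00 2018 GMT", "notAfter": "Apr  1 00:00:00 2019 GMT"},
    "short-lived": {"notBefore": "Apr 20 00:00:00 2018 GMT", "notAfter": "Jul 19 00:00:00 2018 GMT"},
    "lapsed": {"notBefore": "Jun  1 00:00:00 2017 GMT", "notAfter": "Jun  1 00:00:00 2018 GMT"},
    "long-new": {"notBefore": "Mar 15 00:00:00 2018 GMT", "notAfter": "Mar 15 00:00:00 2021 GMT"},
    "long-old": {"notBefore": "Feb  1 00:00:00 2017 GMT", "notAfter": "Feb  1 00:00:00 2020 GMT"},
}
NOW = datetime(2018, 7, 1, tzinfo=timezone.utc)  # constructed "current" time

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(f"{name:12} {check_cert(cert, NOW)}")
```

For a live check, pass the result of `fetch_cert("your-host")` and the current UTC time to `check_cert`.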

About the author
Erin Hutchison

Erin brings to CIRA a background of marketing experience in higher education and the not-for-profit sector. In 2015, she participated in ISOC’s Youth@IGF Programme and traveled to Guadalajara, Mexico to attend the IGF. She has a Bachelor of International Business from Carleton University.