No SSL while collecting leads' emails? Get ready to pay (Federal Law 152)

A couple of days ago, while deploying a corporate website, I ran into an issue with HTTPS: the self-signed certificate was shown as invalid in Chrome, which certainly did not help the user experience. So I had to dig deeper into this topic, keeping in mind that HTTPS is essential for compliance with the Russian federal laws that regulate the processing of personal data. The problem is that, for example, half of the first googled websites of various web-development companies, at least in the city of Irkutsk, Russia, do not have HTTPS. This is a potential risk for the management of these companies: at any time the company can receive a notice from the prosecutor, get pretty big fines and have its website blocked by Roskomnadzor. Imagine what that would mean for a company that gets its clients through contextual ads and organic search.

So, what have we got? We need to run HTTPS for the corporate website of a small company at the lowest possible cost, in a way that is compliant with the law and accepted by web browsers.

1. Confusion over SSL certificate types. First we need to understand that there are three types: Domain Validated (DV SSL), Organization Validated (OV SSL) and Extended Validation (EV SSL). DV certificates are usually used by individual users, while OV and EV certificates are used by organizations. If you have a website that collects personal data, you can get any SSL certificate; the law does not specify the actual type.

2. Installing the actual SSL certificate. Most hosting providers let you buy a certificate and install it right away on the hosting; however, I have a corporate dedicated server, so I had to do it all myself. Luckily, there is a handy service, Certbot, that lets you install free SSL certificates depending on the web server and operating system selected.
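
Why the self-signed certificate was rejected while a CA-issued one is accepted, as an added example that is not part of the original post: a client accepts a certificate only when its chain ends at a root it already trusts. The script uses `openssl` to build constructed sample certificates for `example.test` and a hypothetical "Constructed Test CA"; the function names are illustrative.

```shell
#!/bin/sh
# Added example: classify a certificate the way a TLS client's trust check would.

# make_demo_certs DIR: write constructed sample certificates into DIR.
make_demo_certs() {
    d="$1"
    # 1) Self-signed site certificate, like the one Chrome flagged as invalid.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$d/self.key" -out "$d/self.crt" 2>/dev/null
    # 2) A private root CA (stands in for a root in the browser's trust store).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # 3) Site certificate requested by the site and issued by that CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null
    openssl x509 -req -in "$d/site.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/site.crt" 2>/dev/null
}

# cert_status CERT_PEM TRUSTED_ROOTS_PEM
# Prints "trusted" when the chain verifies against the given roots; otherwise
# "self-signed" when issuer equals subject, else "unknown-issuer".
cert_status() {
    cs_cert="$1"
    cs_roots="$2"
    if openssl verify -CAfile "$cs_roots" "$cs_cert" >/dev/null 2>&1; then
        echo "trusted"
        return 0
    fi
    cs_subject=$(openssl x509 -in "$cs_cert" -noout -subject)
    cs_issuer=$(openssl x509 -in "$cs_cert" -noout -issuer)
    # Drop the "subject=" / "issuer=" label before comparing the names.
    if [ "${cs_subject#*=}" = "${cs_issuer#*=}" ]; then
        echo "self-signed"
    else
        echo "unknown-issuer"
    fi
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
echo "self.crt vs CA roots:   $(cert_status "$demo_dir/self.crt" "$demo_dir/ca.crt")"
echo "site.crt vs CA roots:   $(cert_status "$demo_dir/site.crt" "$demo_dir/ca.crt")"
# The same CA-issued certificate fails when the client does not know the CA.
echo "site.crt vs other root: $(cert_status "$demo_dir/site.crt" "$demo_dir/self.crt")"
```

To check a certificate you have actually installed, pass it together with your system's CA bundle as the second argument; the bundle's path depends on the operating system.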

Anyway, this is just one of the requirements of the federal law, so please keep it in mind. Also be sure to register in the national registry of personal data operators, so that Roskomnadzor will not mess up your financial plans.