Using HTTPS and SSL on Squarespace

An SSL or Secure Sockets Layer is a digital certificate used to authenticate your website's identity and enable an encrypted connection. All domains, added to your Squarespace site, are automatically protected with free SSL certificates to improve their security. It helps you protect your website from impersonating or stealing users’ information.

In this article, we’re going to study why SSL is important for your Squarespace site, how long does it take for SSL to have an effect, and also how to select SSL settings according to your needs and goals. 

Why SSL is important

Squarespace sites, as long as any others, need SSL certificates as it helps to keep user data secure, verify ownership of the website, prevent any attackers from making fake copy versions of the website and also to convey trust to users.  

If your Squarespace website asks users to sign in, enter some personal details, for example, credit card info, or view some confidential info like financial data or health benefits, it’s important to keep data confidential and secure. SSL certificates help to keep this info private and assure users that the website is safe to work with. 

Also, an SSL certificate is necessary when it comes to working with HTTPS web addresses. So, to sum up, you need the SSL for your Squarespace website to secure the following info:

  • Login credentials
  • Bank information or credit card transactions
  • Personal information such as full name, date of birth, address, phone number, etc.
  • Some legal documents and contracts
  • Proprietary info
  • Medical records

On Squarespace, SSL certificates are automatically included for:

  • Squarespace domains (registered or transferred ones)
  • Connected third-party domains
  • Subdomains
  • Built-in domains

Keep in mind that if there’s anything wrong with your domain connection, your SSL certificate won’t work. In case you’re using some third-party domain, it needs to be connected correctly. And if you’ve chosen to use a Squarespace domain, it must point to a Squarespace site.

Tip: To receive an SSL certificate, your Squarespace domain name must be 63 characters long or less. 

Enabling SSL on your Squarespace website brings a lot of benefits to you. For example, it creates trust among your audience as they see that you keep their private info secure and encrypted on your website. Also, with SSL you can prevent hackers from stealing the data your website visitors submit through your website’s forms and checkout page, including personal info. SSL can even help your website to load faster - Squarespace uses the protocol that helps to improve the speed by creating one constant connection between your browser and the server, opposed to the connection that is created every time a piece of info is required. It also helps to send and receive multiple messages simultaneously, prioritize provision to transfer more important data first, and squeeze info into smaller chunks. 

How to choose SSL settings

On Squarespace, SSL is enabled automatically and you don’t have to perform any extra actions to set it up. But if your website has more complex security requirements, you may have to change some settings. 

To choose an appropriate SSL setting, follow this guide:

  1. Go to Home Menu, click Settings and then click Advanced. If it's a parking page on a Squarespace site, then click SSL in the main menu.
  2. Click SSL. 
  3. Find the Security Preference section and then choose your settings. Squarespace recommends checking Secure and HSTS Secure. There might some special situations occur when you’re going to need the Insecure option.
  4. Save your changes.

It might take up to 72 hours for the updates to be completed and your SSL certificate will have the status processing. And if you’re using a third-party domain that is not connected yet, it may even take longer. While your SSL certificate is in status processing, you may sometimes see an error message with a red ! in the domain settings section. Don’t worry - it’s normal. But if the status stays there after the processing is over, then it might be a sign that something went wrong.

Also, you can’t disable SSL on your Squarespace website once it’s enabled as it keeps your website secure and provides the best possible experience for your audience. However, you are free to turn on the Insecure setting so visitors could use the HTTP version of your site even with the SSL enabled.

What does SSL connection error mean

SSL connection is quite common and happens on lots of websites. It can be caused by multiple factors. Sometimes, the problem occurs on the server hosting your Squarespace website. In other cases the problem happens on the user’s end.

Among the most popular reasons SSL connection error might occur:

  • You’re having a browser problem.
  • There’s an antivirus program or firewall that is blocking access to your website.
  • The date and the time of the computer you’re using while trying to access the website are incorrect.
  • The SSL certificate is untrusted.
  • Your website contains some insecure info. 
  • The SSL certificate has the wrong information.

The good news here is that SSL errors tend to be temporary. Also, this error is not necessarily specific to a website or browser either. It can be found both on Chrome and Mozilla browsers. 

How to check your Squarespace SSL certificate

If you want to check if your SSL certificate is protecting your page, then look for a URL beginning with https:// and a closed padlock icon next to it. Domain’s SSL details can be viewed within most browsers, including the information about the issuing certificate authority and how long this certificate will stay valid. 

Technical info

Here’s a portion of technical information concerning the Squarespace’s SSL certificates:

  • Let's Encrypt is Squarespace's certificate authority partner for providing SSL certificates.
  • 2048-bit SSL encryption on all pages except checkout.
  • TLS version 1.2 for all HTTPS connections.
  • HTTP Public Key Pinning (HPKP) is not supported at the moment.
  • You don't need a Certificate Signing Request (CSR) to get an SSL certificate, Squarespace issues certificates automatically.

About third-party SSL providers

Squarespace does not support third-party SSL certificates. So, if you’re using some third-party certificate like CloudFlare, you can switch to Squarespace. To start using Squarespace SSL, disconnect your domain from your SSL provider and connect it from your domain provider or transfer it to Squarespace. The certificate will be generated and get the status processing as soon as your domain is fully connected and using Squarespace DNS records. 

Keep in mind that your Squarespace website’s existing HTTPS traffic will be unavailable while your DNS changes are performed. 

What’s the difference between HTTP and HTTPS 

As soon as you enable the SSL certificate for your Squarespace website, your visitors will be redirected to the HTTPS version of your website. Even if they type HTTP in their browser.

HTTP stands for HyperText Transfer Protocol while HTTPS is HyperText Transfer Protocol Secure. They both help users transfer and receive info on the web. But HTTPS is especially important for those sites that work with sensitive and secure information. These are ecommerce websites where users can submit their billing info, phone numbers and credit cards data. HTTPS works with the protocol known as Transport Layer Security (TLS), previously called Secure Sockets Layer (SSL), to encrypt users’ data.

HTTPS grants security by generating short-term session keys, or encryption codes for the data transfers between users and the Squarespace website’s server for those Squarespace sites that enabled the SSL. Security keys are certified by a certificate authority - Comodo or Symantec.

Originally, HTTPS was used for ecommerce transactions, emails and other private info transfers. But now it has become standard for all websites, also serving as a ranking signal endorsed by Google itself. So it is required that your website has the SSL certificate and is transferred to HTTPS if it hasn’t already.

How to redirect from HTTP to HTTPS

The common scenario for all websites looks like this:

  1. Choose an SSL certificate for your website.
  2. Notify Google about your new protocol.
  3. Update all internal links on your website.

Remembering that SSL certificates and the HTTPS version as well are automatically enabled for Squarespace sites, proceed to the next steps.

As Google consideres HTTP and HTTPS version of your website as two different websites, it’s important that you inform it about the new redirect and getting the SSL certificate and secure status of your website. And of course you need to be sure that your website audience is directed to the right version of your website when accessing it.

So don’t forget to make sure that the same email address is used here that you use for your Google Analytics account to guarantee the ownership of your domain is confirmed. Remember that this transfer may take a few days.

As soon as the redirect is sorted, it’s time to check that all your internal links have HTTPS URLs and continue working with no problems. To make sure everything’s fine you can make use of some site crawler tool to scan for any problematic links. 

Mixed content and SSL warnings

Some pages of your Squarespace website may include mixed content meaning that the page itself loads with secure HTTPS protocol while some content loads over an insecure HTTP connection although your website’s got the SSL certificate. This insecure on your secure website content may come from:

  • Integrations
  • Custom code embedded
  • Code-based customizations

If you choose to enable the secure settings with the SSL certificate, your Squarespace website visitors may see browser warnings when they open your page. To avoid this issue, use the Insecure SSL setting. You might also consider getting rid of custom code if you don’t need it anymore. 

What is SSL 3.0

SSL 3.0 is an encryption standard that helped to secure traffic by means of the HTTPS technique. To be short, it’s a flaw that can be used by attackers on your website to decrypt data, including authentication cookies, based on Microsoft. SSL 3.0 has been considered insecure since 2014 due to its vulnerability to assaults. It was deprecated in June 2015.