Secure Sockets Layer commonly referred to as SSL is a security standard for encrypting the communication between a web server and the client’s web browser. Although the term is still used in common parlance, the SSL protocol has in fact been replaced with the TLS protocol, which stands for Transport Layer Security.
Any website with an HTTPS web address uses the SSL/TLS protocol. Whenever the web browser sees a valid SSL certificate it displays a green padlock icon next to the address. This is a visual cue to the desktop user that all the communication between their browser and the web server is being conducted over an encrypted channel.
Why use SSL certificates?
Any information that is sent across the Internet passes through various intermediary computers before it reaches the destination web server. This means that any of these intermediary computers in between can access transmitted data, which could include information like usernames and passwords, and other sensitive information. SSL certificates mitigate this risk by ensuring that all information sent across the Internet is encrypted in such a manner that only the intended recipient can access it.
In fact certain websites, such as banking and payment portals are required by law to undertake certain steps before they can ask users for sensitive information. One of these requirements is to use properly validated SSL certificates.
Even if you aren’t asking users for sensitive information, it pays to use a SSL certificate. Back in 2014, Google announced that in its bid to make the web more secure, the search engine had started using HTTPS as a ranking signal. This means that sites that use a valid SSL certificate are considered better and ranked higher in the search results, making a SSL certificate effectively a basic but essential SEO tool.
What does an SSL certificate contain?
Technically speaking an SSL certificate is a data file on the web server that contains several pieces of information. The most crucial aspect of the certificate is the website’s public key.
This is accompanied by the domain name that the certificate was issued for, and details about the individual, or the organization it was issued to. The certificate also contains details about the authority that issued it along with its digital signature. Other important details include the issue date of the certificate, the duration of its validity, along with the certificate’s expiration date.
The public key (and its corresponding private key) are essentially long strings of characters that help encrypt and decrypt the data being transmitted. It’s important to note that data encrypted with the public key can only be decrypted with the private key.
When a web browser attempts to communicate with the server it’ll call upon the certificate to verify the server’s identity and then obtain its public key. It then uses it to create an encrypted channel between itself and the web server. All data transmitted over this channel can only be decrypted by the web server that has the private key.
Who issues SSLs?
SSL certificates are issued by a trusted Certificate Authority (CA). The web browsers, operating systems and these days even mobile devices maintain a list of trusted CA root certificates.
A root certificate is very valuable since any SSL certificate signed with its private key will be automatically trusted by the web browsers. Conversely, if the CA isn’t trusted, the browser will present untrusted error messages to the end user.
Companies such as DigiCert, IdenTrust, GlobalSign, and Let’s Encrypt are known as trusted Certificate Authorities. Web browsers and operating system developers such as Microsoft, Mozilla, Google, Opera, and such, trust these CAs and by extension any of the SSL certificates signed by their private keys.
Types of SSL certificates
There are a few different types of SSL certificates that can be broadly classified into three categories.
Domain-Validated (DV) certificates are the entry level certificates that cover basic encryption and verification of the ownership of the domain name registration records. This type of certificate is the cheapest and can be issued within a few minutes.
Next are the Organization-Validated (OV) certificates that in addition to basic encryption and verification also authenticate details about the owner such as their name and address. Considering the manual verification involved, it’ll take anywhere from a few hours to several days to get an OV certificate.
Finally, there are the Extended Validation (EV) certificates that are the most trusted since they also verify the physical and operational existence of the website’s owner. They follow a strict set of guidelines for the verification process, which can take several weeks.
Furthermore, all types of SSL certificate also have two variations. There’s a single domain certificate that secures one fully-qualified domain name. It is cheaper than a wildcard certificate that protects multiple sub-domains.
What is a self-signed SSL certificate?
Again, technically speaking, anyone can create their own SSL certificate by generating a public-private key pairing. These certificates are called self-signed certificates because the digital signature used isn’t from a third-party CA, but rather from the website's own private key.
While they are most convenient and can be generated instantaneously, since there's no third-party verification web browsers don't consider self-signed certificates trustworthy. This is why even though the communication is encrypted, web browsers will still mark the website as “not secure”. Most web browsers, at the very least, will make sure you understand that the website uses a self-signed certificate, before displaying the contents of the website.
How to get SSL certificates?
Thanks to their role in search engine ranking, it’s a good idea for everyone to get themselves a SSL certificate.
The first step is to determine what type of certificate you need, largely depending on the number of domains and sub-domains you need to secure. The process is a lot more crucial for companies in regulated industries such as banking, who need to make sure their SSL certificate meets the defined requirements.
There are several SSL certificate providers and depending on the type of certificate and the reputation and trust of the issuing certificate authority, the costs of SSL certificates can range from a few dollars to several hundred dollars per year.
These days however you can get one for free as well, thanks to the Let’s Encrypt CA. It was founded by EFF, Mozilla, and the University of Michigan, with Cisco and Akamai as founding sponsors.
Let's Encrypt is a non-profit CA that has been handing out SSL certificates at no charge since April 2016. Its certificates are valid for 90 days, and can be renewed anytime during this validity period. As per Let's Encrypt’s own research, its certificates have been largely adopted by cost-conscious users, which include smaller sites, such as personal blogs, and small businesses.
- Access the internet securely with the best VPN.