An often asked question is “Do I Need SSL?”.
Customers want to know that you value their security and are serious about protecting their information. More and more customers are becoming savvy online shoppers and reward the brands that they trust with increased business.
What is SSL
SSL stands for SECURE SOCKET LAYER.
SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. These files are supplied by a “CA” – (Certificate Authority). Typically, SSL is used to secure credit card transactions, data transfer and logins, and more recently is becoming the norm when securing browsing of social media sites.
SSL certificates help protect web users in two ways. First, SSL encrypts sensitive information such as usernames, passwords, or credit card numbers. Second, SSL certificates verify the identity of websites.
It assures customers that a website is legitimate and that the online business running the site is a real licensed business.
All browsers have the capability to interact with secured web servers using the SSL protocol. However, the browser and the server need the SSL Certificate to be able to establish a secure connection.
Once an SSL cert is installed, it is possible to connect the website to the internet over https which tells the server to establish a secure connection with the browser. It encrypts the information being sent from the website.
Anyone can create a certificate, but browsers only trust certificates that come from an organization on their list of trusted CA s. Browsers come with a pre-installed list of trusted CA s known as the Trusted Root CA store. In order to be added to the Trusted Root CA store and become a Certificate Authority, a company must comply with and be audited against security and authentication standards established by the browsers.
There are some super-cheap SSL certificates where the root certificate itself is owned by someone other than a recognized certificate authority. These can often be had for around $5 or so, but while they will permit SSL to function perfectly well, visitors making SSL connections to sites using this type of certificate will see a warning message from their browser stating that the certificate has been issued by an unrecognized authority. Warnings look something like this….
It may not be safe to exchange information with this site
The security (or SSL) certificate for this website indicates that the organization operating it may not have undergone trusted third-party validation that it is a legitimate business.
Information you send on the Internet is passed from computer to computer to get to the destination server. Any computer in between you and the server can see your information and if this information is sent from a website not encrypted with SSL, hackers can easily intercept that information. When an SSL certificate is used, the information becomes unreadable to everyone except for the server you are sending the information to. This protects it from hackers and identity thieves. Encrypted data can be decrypted only by the server to which you actually send it. This is a warranty that information you submit to websites will not be stolen.
Web browsers give visual cues, such as a lock icon or a green bar, to make sure visitors know when their connection is secured. Knowledgeable visitors will trust your website more when they see these cues and will be more likely to buy from you. SSL providers will also give you a trust seal which is more visible and can be placed on a website which will instill more trust for your customers.
An organization needs to install the SSL Certificate onto its web server to initiate secure sessions with browsers.
If your site collects credit card information you are required by the Payment Card Industry (PCI) to have an SSL Certificate. If your site has a login section or sends/receives other private information (street address, phone number, health records, etc.), you should concider using SSL Certificates to protect that data as well.
Google stated “we called for “HTTPS everywhere” on the web. They have since started giving some additional weight to sites with SSL installed.
Types of SSL
There are 4 types of SSL certificates:
- Self Signed
These can be obtained free . Some CA s offer them for a price. Use only in closed environments where all the parties know and trust each other.
When you use a self-signed certificate, you are saying to your customers “trust me – I am who I say I am.” When you use a certificate signed by a CA, you are saying, “Trust me – the CA agrees I am who I say I am.”
May not be recognized by Browsers and therefore maythrow “Warning” signs.
- Domain Validation (DV) SSL Certificates:
This is where the CA checks the right of the applicant to use a specific domain name. No company identity information is vetted and no information is displayed other than encryption information within the Secure Site Seal.
Cheap, quick and easy to get. By maintaining a human element in the validation process, it is more likely that fraudulent or phishing related activity will be detected.
1. Low-assurance. (No green lock or green address bar)
2. The minimal requirements of domain validation can be completely automated, making DV certificates far easier for the SSL vendor to process. Domain validation does not assert that the certificate has anything to do with Some Company.
3. While DV certificates verify the consent of a domain owner, they make no attempt to verify who the domain owner really is. The manner in which domain validation is carried out makes this kind of certificate ideal for both phishing and man in the middle attacks.
- Organization Validation (OV) SSL Certificates:
This is where the CA checks the right of the applicant to use a specific domain name PLUS it conducts some vetting of the organization. Additional vetted company information is displayed to customers when clicking on the Secure Site Seal, giving enhanced visibility into who is behind the website and adds enhanced trust to visitors .
Mid-level assurance: organizational details are included in the certificate.
No green bar. (Just the green lock icon)
- Extended Validation (EV) SSL Certificates:
This is where the (CA) checks the right of the applicant to use a specific domain name PLUS it conducts a THOROUGH vetting of the organization. Different CAs currently employ different types or levels of authentication when using non EV certificates, creating Internet security vulnerabilities that have been exploited for identity theft, fraud, and other online crimes
Steps required for a CA before issuing a certificate, include:
- Verifying that the entity has exclusive right to use the domain specified in the EV SSL Certificate.
Verifying that the identity of the entity matches official records.
Verifying that the entity has properly authorized the issuance of the EV SSL Certificate.
A second set of guidelines, the EV Audit Guidelines, specify the criteria under which a Certificate Authority needs to be successfully audited before issuing Extended Validation (EV) SSL Certificates. Yearly audits are performed to ensure the integrity of the issuance process.
High-assurance. Green bar feature. (Not just the green lock symbol)
Validation process is more lengthy and complete and takes a few days to complete.
Types of Certificates
1. Single Domain Certificates:
Single domain certificates are the most common, and they cover a single domain or sub-domain such as https://www.domain.com or https://subdomain.domain.com.
Easy to get, easy to install, low cost.
Secures only a single domain per certificate.
2. Multi-Domain Certificates (Also known as UCC)
Multi-domain certificates (Also known as SHARED certificates) protect up to 210 domains (minimum 3) within a single SSL certificate (hosted on 1 server).
Secure multiple websites by including up to 100 domains within a single certificate. Allows for a much lower cost to site owners. They have an Extended Validation option.
- If there is a problem with the certificate, all domains that use it won’t be able to function properly.
- In order to use the shared SSL certificate without warnings, you would have to use the secure server name in the URL (for example, secure123.websitewelcome.com) plus your username. ie: https://secure123.hostgator.com/~bill/
- Please be aware that any other or secondary domains will be listed in the UCC SSL certificate as well. If you do not want domains or sites to appear related to each other via the ssl certificate details, then this is something that you should factor in when ordering a multi domain ssl certificate.
- You have to keep meticulous records that show exactly where your wildcard private key is installed, so that when you have to replace it, you don’t have to play “Where is Waldo” across all your sites.
3. Wildcard Certificates
Wildcard certificates protect your primary domain and all your sub-domains (If you have them) ( domain.com and any/all subdomain.domain.com associated with it, it can be used on multiple servers).
Secure an unlimited number of first-level sub-domains on a single domain name.
Don’t have an Extended Validation option.
No Technical Difference
Here’s a quote form the StackExchange forum:
On the technical side the expensive SSL Certificates offer dynamic seal which means a dynamic image displayed on a website that shows the current time and date of when the web page was loaded which indicates that the seal is valid for the domain it is installed on and is current and not expired. When the image is clicked, it will display information from the Certificate Authority about the website’s profile which validates the web site’s legitimacy. This will give visitors of the website increased confidence in the site’s security.
A Static Seal is simply an static graphic image that can be placed on the website to indicate where the digital certificate was obtained from, however there is no click-through validation of the website and the image does not show the current time and date.
Also if you are buying more expensive SSL you will get more money in fraud warranty for your visitors, but only in case if the Authority issued a certificate to a fraudster and a visitor lost their money believing the website is legit. If you are not a fraudster there is no reason you should go for expensive certificate unless you want to show green address bar and increase the confidence in your visitors.
Technically there is no other difference.
And here’s a partial quote from wikipedia;
Certificates issued by a CA under the EV guidelines are not structurally different from other certificates (and hence provide no stronger cryptography than other, cheaper certificates)…
This insurance is to cover the end user to the site, not the site owner.
One of the differences in price of SSL s comes from the amount of insurance the CA is offering. Some CA s don’t offer insurance and others insure as high as $1,750,000.
If a CA were to mis-issue a certificate to a fraudulent site and an end user loses money because the SSL linked to that fraudulent site, the end user would of had what they thought was a “trusted session”. The CA should never have provided the fraudster with the ability to perpetrate a fraud, so the CA therefore has insurance to pay the end user for any losses that they may incur.
The encryption process is the same no mater which type or how many domains it covers. So the difference comes down to how much company /owner/domain/website verification is done, how many url s you want to cover, whether you want to provide your customers with insurance and then how credentials are displayed to consumers on your website.
e-commerce sites that collect credit card information on there site are required to have SSL
If you want to show more love to your customers, SSL can be used to encrypt other personal identifiable information as well.
In order to show customers arriving at your site that your site is encrypted, you’ll need to buy an OV or EV SSL in order to show the green lock or green in the address bar at the top of your website.
While most web-hosting companies charge extra to get the green “Lock” in the address bar, the company I use now gives free ssl with every plan.
(See the green “Lock” in the address bar at the top of this page!)