Internet is filled with all types of information, thus security has become one of the key components to consider. Due to this, majority of the websites on the internet are recommended to provide security for their visitors.
This is where SSL certification comes into play!
It is recommended that all websites living on the internet have an SSL certification. Nowadays, the majority of web browsers show on the URL bar a ‘not secure’ sign for the sites without an SSL.
Bottom line is, if you want your website to be legit and trustworthy, you need an SSL. Specifically, if your website sells some products/services or stores user data, an SSL certification is a must.
An SSL has the capacity to protect you and your user’s data. Not only that, but it also has a big effect when it comes to ranking well on Google.
But what is an SSL certification and which one will work with your website? We will go through the different types of SSL certifications so that you will be able to pick the one that suits you best.
In this article we will explain:
- What is an SSL Certification?
- History of SSL
- How does SSL work?
- How to identify SSL
- Different types of SSL and
- Advantages of having an SSL
Let the journey begin!
What is an SSL?
SSL, short for Secure Socket Layer, is a cryptographic protocol that was designed to provide security over computer networks. These are small data files that bind a cryptographic key to a company’s credentials.
However, SSL is no longer being used but instead its successor TLS – Transport Layer Security is.
Even though SSL is outdated, we still use the term ‘SSL’ to provide TLS certifications, because it’s commonly unknown that TLS is the successor of SSL. In order to remove the confusion, TLS is depicted as SSL.
This security protocol is used in many applications such as:
- Web browsing
- Instant messaging
- Voice over IP (VoIP)
Having an SSL certification has become one of the most important factors for websites on the internet due to security measures. In short: when a website gets an SSL certificate, all the communications between their servers and the users are secured.
The primary goal of the TLS protocol is to provide privacy and to keep the data accurate and consistent between two (or more) computers. So when secured by the TLS protocol the connection between the server (monovm.com) and the client (Google Chrome, Firefox) should have at least one of the following properties:
- The connection is secured due to the use of symmetric cryptography which encrypts the transmitted data. Don’t be alarmed, we will go through this later on the article.
- The identity of the communicators is authenticated using public-key cryptography. This is optional but is generally used from the server-side (monovm.com)
- The connection is reliable because each message transmitted includes a message integrity check which prevents undetected or alteration of data during the transmission.
- A configured TLS provides forward secrecy which ensures that any encryption keys put out in the future will not be used to decrypt any TLS communications from the past.
There are many methods that are used in exchanging keys, encrypting data, and authenticating the message integrity. The collaboration of them makes its way to provide a secure connection.
History of SSL
The current version of the SSL certification protocol is TLS 1.3. TLS was first introduced in 1999 which builds on the earlier SSL specifications.
The transport layer security protocol dates back to 1986 and it has grown extensively through the years. SSL came into play in 1995 which was developed by Netscape.
Initially, SSL 1.0 was created but wasn’t available for the public due to security measures, then an improved version SSL 2.0 was released in 1995. After a year in 1996, SSL 3.0 was introduced with a complete redesign of the protocol.
However, SSL 2.0 and SSL 3.0 were deprecated in 2011 and 2015 due to the security issues.
The next protocol was TLS 1.0 which was introduced in 1999 and followed by other versions:
- TLS 1.0 (1999)
- TLS 1.1 (2006)
- TLS 1.2 (2008)
- TLS 1.3(2018)
With time, the protocol developed, and with each new version, the security became stronger and better. The encryptions that have been used were updated so much that it’s extremely difficult to crack it by brute force attacks.
How an SSL Work
In a nutshell, the SSL will encrypt and decrypt data going to and from your website. The picture below taken from Neil Patel's website gives a clear idea.
Let’s talk about the algorithms that are being used to make this happen. SSL certification makes use of cryptographic technologies like asymmetric and symmetric algorithms, hashes digital signatures, and message authentication.
Let’s dive deep into some of these encryption methods to have an idea of how this actually works.
Symmetric key algorithm
Symmetric key algorithm is a cryptography technology where a single key is used to encrypt and decrypt text. For this to work, both sender and receiver have to have the same secret key.
The keys are identical or there might be a slight difference between the two keys. Because of this, only the receiver and sender will be able to encrypt and decrypt the messages going to and from them.
The algorithms being used in symmetric encryption are:
- Data Encryption Standard (DES)
- Triple-DES (3DES)
- Advanced Encryption Standard (AES)
However, giving both parties access to the secret key is one of the main disadvantages of this system when comparing to public-key encryption (asymmetric encryption).
Public key algorithm (Asymmetric key algorithm)
This method of encryption came into existence in order to tackle the problems with symmetric key algorithm. Without having both parties accessing the same secret key, this system makes use of a public key and a private key.
Instead of having one key (symmetric), now they take 2 keys into consideration.
If you encrypt a message with a private key you will need the public key to decrypt it.
If you encrypt a message with a public key you will need the private key to decrypt it.
It is not possible to encrypt and decrypt messages with the same key in this situation. The public keys are available to everyone while the private keys are known only by the owner. These are generated by using complex mathematical problems that produce one-way functions.
This system means that effective security can be maintained by keeping the private key safe while distributing the public key which won’t compromise the security.
This algorithm is a fundamental security ingredient in modern security systems that assures the confidentiality, authenticity, and non-repudiation of electronic communications.
The main algorithms being used for public-key algorithm are:
- Rivest-Shamir-Adleman (RSA)
- Elliptic curve cryptosystem (ECC)
- Diffie-Hellman (DH)
- El Gamal
Message Authentication code
For the SSL to function, it uses a message authentication code (MAC) which is sometimes called a tag. This is a short piece of information used to authenticate a message which means it checks if the message has come from the sender and hasn’t been changed.
The MAC value protects both the integrity and authenticity of the message.
The above image shows how the MAC is being used. When a message is sent from the sender, a MAC key is generated using a key (in this illustration it's key (k)). Then the message is sent with the authentication code attached to it.
The receiver then runs the MAC algorithm using the same key (key (k)) and compares the two authentication codes. If it’s correct that means the message is authentic and hasn’t been tampered with.
Forward secrecy is a special feature of specific key agreement protocols that assures keys will not be compromised even if the private key is compromised. This protects past sessions against the future compromises of secret keys.
Basically a new key is generated for each and every session a user initiates to connect with the website. So even if a key is compromised it will not affect any future or past sessions.
When using forward secrecy, the encrypted communication sessions either from past or future cannot be decrypted even if the hacker is actively interfering with the communications (like a man in the middle attack).
With a combination of all the types mentioned here other methods, having an SSL/TLS certification protects your data and privacy. It’s like having an impenetrable armor on you.
How to identify an SSL certification?
Well, before figuring out how an SSL affects your website, this is how a website is displayed by web browsers if it doesn’t have an SSL certification.
The first thing that you will notice is ‘not secure’ in the address bar and that might make visitors want to leave the site. So it’s highly recommended to have an SSL certification because it will not only get rid of the ‘not secure’ sign but also secure the data.
Alright so back to other visual cues:
The first cue is on the address bar. The website's prefix will be https://. Here the additional ‘s’ simply means secure.
In the address bar, you will see a big indication of safety, the presence of a padlock before the web address. This assures that the connection is encrypted and secured.
This assures that the data sent to and from the server and the user will be private and encrypted.
The Extended Validation SSL Certification (we will talk more about it below), when used on a website, will display the company name in the address bar. This is the most secure form of certification proving to customers that it’s 100% legitimate.
As you can see here, there are a couple of visual cues that you can see and each of these certifications is different.
So what are the different types of SSL certifications?
1. Domain Validation SSL certifications
Domain Validation SSL certificates show that the domain is registered and the website is run by a site administrator. This certificate can be validated by an email, DNS, or HTTP.
When validating via an email, the SSL certificate authority will send an email to the owner of the site and the site owner will request the certificate.
Note that Domain validated certifications provide encryption only. To get one you just have to prove the ownership of the site and you can get this in a couple of minutes.
These types of SSL certificates are cheaper than the other options, however, there are some downsides.
They are not as secure as the other options. Since the verification is only based on the ownership of the domain, a hacker can easily get an SSL. If a potential customer comes to your site, they might hesitate to provide the payment information due to this.
2. Organization Validation SSL certifications
These types of certificates are similar to getting a DV certificate but with an extra step. In this case, you will verify that you’re the owner of the website and also have to verify that you own an organization.
You will need to provide information that proves you’re the owner of the organization in this country, state and city. The extra step is to provide the organization details. To get the certificate, it will take a couple of hours to a couple of days.
Here’s an example of an OV SSL certificate.
As you can see here, the organization is validated with domain validation.
3. Extended Validation SSL certification
This is the most secure certification available out there. In order to acquire this certification, you will need to provide a lot more records to prove the ownership of the company.
This certification provides the same validation as DV and OV certificates, however it also proves that you have legally registered your company as a business.
The validation process takes days or weeks to process the information depending on the certificate authority’s requirements.
These are granted to companies only if they can prove:
- The operational existence
- Location of the company
Due to the number of documents needed for this certificate this is the most secure type of SSL when it comes to validation levels.
4. Wildcard SSL certification
When getting an SSL certificate you have to provide a list of subdomains that are also secured. If you use the certificate for a subdomain that isn’t on the list, the ‘not secure’ warning will come.
In order to grasp the idea of wildcard SSL we should first know what single-name SSL is.
Single-name SSL certificates (as the name says) protects one subdomain. Let me give an example:
If you purchase a certificate for www.dog.com it will not apply to account.dog.com
So with a wildcard SSL certification, the above problem is solved. Assume you bought a wildcard SSL for www.site.com, then it will also secure example.site.com
5. SAN SSL certification
SAN (Subject Alternative Name) SSL is another term used for multi-domain SSL. This type of certification lets the site owner secure multiple domains and subdomains under a single certificate.
With multi-domain SSL certificates, you can combine many different hostnames, regardless of whether they are from the same domain or not.
Again, the best way to explain this is through an example. Imagine you have the following domains:
With just one SAN SSL certificate all these websites will be secured.
Advantages of having an SSL
There are many advantages of having an SSL and the biggest part is that all the data coming to and from the site is encrypted. This means that all the card details, usernames, and data given to a site are safe from hackers.
Another pillar of having an SSL shows that the site is verified. It proves that the site is legitimate and not a fake one. Many people fall for scams (like phishing scams) where they provide information to fake sites.
Another compelling reason would be that Google likes https sites and therefore the sites equipped with an SSL are ranked better.
Don’t believe us? Well search for anything on Google and check the first page of results. All sites will have an SSL.
That’s all folks! Let us know what you think in the comments below.