What is an SSL Certificate & Why Do You Need One?
Last Updated on February 16, 2024 by James Wilson
What is an SSL Certificate?
Do you remember Netscape? If you’ve been around the tech space since the 90’s, then you might remember Google’s humble predecessor – Netscape, the creator of the original SSL Protocol.
Netscape released the first SSL (Secure Socket Layer) certificates in 1995. As the name suggests, SSL certificates are used to make internet transactions more secure. Without this extra security layer the internet is like an unprotected safe that anyone can access. Cyber security is essential for keeping online transactions safe and to protect your data against threats.
When people talk about SSL certificates they are normally referring to Transport Layer Security (TLS), the protocol that is now used to keep us safe online.
How do SSL Certificates Work?
An SSL certificate is a code that is used to encrypt the data traveling from a server to a browser. The server sends the key and, if it is accepted, the data that is sent is protected by encryption. Basically, that means that all of the digits sent over a secure (SSL) connection are jumbled in a way that only a computer can understand, making the data transfer hard, if not impossible, to make sense of.
Initially this type of security was only used with logins and shopping carts, before being adopted more widely as people became aware of cyber threats and the requirement for data sent over the web to be secure.
What is the Difference between TLS and SSL?
TLS has evolved by building on the initial SSL specifications developed by Netscape. Both security methods use encryption and appear as the prefix “HTTPS” when seen in a URL.
The two parts of TLS are as follows:
1. TLS handshake layer – Performed once in a session; selects the encryption method (cipher) to use.
2. TLS record layer – Gathers and encrypts data prior to sending it through the encrypted tunnel.
TLS replaced the SSL protocol back in 1999 to make it free and available for everyone to use. Prior to this Netscape owned the SSL protocol. However, most people still refer to TLS as SSL.
SSL certificates have come a long way since their release in 1995. We are now on TLS v1.2 and the SSL protocol is being phased out. SSL certificates still work in most browsers, but they will be deprecated and replaced with TLS in the near future.
What is HTTP/HTTPS?
HTTP means HyperText Transfer Protocol and is the mechanics behind sending information over the internet. “http” appears as the prefix before a domain name (http://www.sitename.com). When there is an “s” at the end of http, for example https://www.sitename.com, then the data is being sent over a secure (encrypted) tunnel. The “s” stands for secure.
An increasing number of websites are choosing to encrypt their whole website, whereas previously an SSL certificate was only used to keep specific data secure. There are many reasons for companies to make this choice, not least the fact that people are becoming more aware of cybercrime and demanding that website owners use secure connections. There have also been some whispers of Google favouring secure sites, making an SSL certificate a good idea for search engine optimization (SEO).
Pros and Cons of Using an SSL/TLS Certificate:
- Protect sensitive data such as credit card details and emails
- Keep data, whether verbal or written, from being intercepted by intruders
- Stop unwanted adverts from being injected onto websites
- Increased trust from customers
- Required for PCI Compliance
- Prevents a warning that states the site is not secure, which could make customers turn away.
- Prevents Formjacking
A good SSL certificate will also provide authentication so that imposters cannot “formjack” your website. Formjacking is when a hacker creates a form that looks like it is on your site to gather payment or sensitive data. Instead of the money going to you, the hacker intercepts the transaction with their own payment form that takes payment or details.
HTTPS is great for SEO
Google has now confirmed the correlation between HTTPS and a higher ranking on their search engines. This relationship was backed up by a study carried out by Brian Dean of Backlinko.com. In the study 1 million Google searches were analysed by Eric Van Buskirk to find out what factors meant that sites would appear on the first page of Google. Having an SSL certificate was found to help boost rankings.
Cons of SSL Certificates
Now that it is so easy to install free SSL certificates with many hosting providers, we need to decide if there are any disadvantages to installing an SSL certificate on your own website. Realistically there are not many; however, there are a few very minor downsides to installing an SSL certificate on your site, as follows:
- Cost – it is now easier than ever to get a free SSL certificate, however the gold standard EV certificates do come at a cost.
- Performance – Due to the extra authentication step required, SSL certificates can make websites take a bit longer to load.
- Some older browsers don’t support SSL certificates (See below)
Types of SSL Certificate
There are several types of SSL certificate to choose from. Depending on your website requirements, you’ll want to select the appropriate SSL certificate. An SSL certificate is issued by a third-party security company and, as well as having an added “s” in the browser bar, a secure site will show a padlock next to the domain name.
Some certificates are cheap and issued immediately, whereas others like EV take 3-5 days to be activated. SSL certificates come in either 128-, 256-, or 2048-bit encryption. The rule when choosing an SSL certificate is to select the highest level of encryption that you can afford.
There are three main types of SSL as follows:
1. Domain Validation (DV)
2. Organization Validation (OV)
3. Extended Validation (EV)
4. SAN/UC certs
5. Wildcard Certificates
Domain Validation (DV) – Basic
DV is an affordable SSL certificate designed for info/non-ecommerce and test sites. DV is the cheapest of the SSL certificates and is issued immediately in most cases. DV SSL certificates are normally cheap or free thanks to the Let’s Encrypt program.
Organization Validation (OV) – Good
OV is used by eCommerce stores and is issued in about 24 hours. OV SSL certificates come with 128-, 256-, or 2048-bit encryption. As the name suggests, OV is used to validate business details and is a more trusted solution when compared to DV.
Extended Validation (EV) – Premium
EV SSL certificates are used for eCommerce sites, sensitive data and increased customer trust. This is the gold standard of online trust used by banks and massive websites like Twitter. EV offers 2048-bit encryption and a green bar to reassure customers that the website is safe and their data is protected.
SAN/UC certs are used by people who have several domains that they want to secure. These multi-domain SSL certificates save time and money. They can be used on as many domains as your provider allows.
Wildcard Certificates are extremely easy to deploy and perfect if you have several subdomains on your site. Wildcard Certificates come in both DV and OV; unfortunately, however, there are no EV wildcards.
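To see which addresses a SAN/UC or wildcard certificate actually protects, the added example below (not from the original article) checks a list of hostnames against the DNS names in a certificate. It assumes the strict matching rule most clients apply: the wildcard must be the whole leftmost label and stands for exactly one label. All domain names are constructed samples.

```python
# Added example (not from the original article): which hostnames a
# SAN/UC or wildcard certificate covers. All names below are constructed.

def name_matches(pattern: str, hostname: str) -> bool:
    """True if a single certificate DNS name covers the hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # "*" stands for exactly one label, so the label counts must agree.
    if len(p) != len(h) or "" in h:
        return False
    # A wildcard is only honoured in the leftmost label.
    if any("*" in label for label in p[1:]):
        return False
    if p[0] == "*":
        # Assumption: require two fixed labels so "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial wildcards such as "w*.example.com"
    return p == h


def cert_covers(dns_names, hostname):
    """True if any DNS name listed in the certificate covers the hostname."""
    return any(name_matches(name, hostname) for name in dns_names)


def uncovered(dns_names, hostnames):
    """Hostnames that would trigger a browser name-mismatch warning."""
    return [host for host in hostnames if not cert_covers(dns_names, host)]


WILDCARD_CERT = ["*.example.com"]
SAN_CERT = ["example.com", "www.example.com", "example.net"]
SITE_HOSTS = ["www.example.com", "example.com", "api.example.com",
              "a.b.example.com", "example.net"]

if __name__ == "__main__":
    print("wildcard cert misses:", uncovered(WILDCARD_CERT, SITE_HOSTS))
    print("SAN cert misses:     ", uncovered(SAN_CERT, SITE_HOSTS))
```

The wildcard certificate leaves the bare domain and the two-level subdomain uncovered, which is why wildcard certificates are usually issued with the bare domain listed as an additional name.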
Where do I buy an SSL Certificate?
SSL certificates are issued by a Certificate Authority (CA) and can normally be purchased through your hosting provider. Some hosting providers offer a free SSL certificate tool called Let’s Encrypt. Let’s Encrypt was launched in 2014 to provide free DV SSL certificates.
In the future all legitimate sites will be protected at least by the basic DV SSL certificate. Let’s Encrypt made some great headway in the free SSL certificate for all websites arena and is continuing to do so. Now a newer initiative, launched in 2016, is leading the way. The new project is called Encryption Everywhere and was developed by Symantec, the leading digital security company.
What is an SSL Certificate Authority?
SSL certificates are issued digitally by a certificate authority or certification authority (CA). A CA is a trusted third party that issues certificates for a specific purpose, normally to secure connections over the World Wide Web. The most popular SSL certificate provider with 39.7% of the market share is IdenTrust, closely followed by Comodo who own 34.9% of the market share. You can normally get an SSL certificate from your hosting provider.
What SSL Certificates are not good for…
Although SSL certificates are great, they can’t protect against all identity breaches. Identity breaches are a huge issue for both businesses and consumers, and 63% of breaches are due to a weak password. SSL certificates won’t protect users from weak passwords, so always ensure that you use secure passwords on your account and take measures to help your website members do so. The average cost of an identity breach is a massive £3M.
Another instance where an SSL certificate won’t provide you with security is when the data reaches your server. To protect the data on your server you’ll need server side protection. Some servers come with built in server side encryption. If you are storing sensitive data on your server then look for a server with server side encryption that meets the Advanced Encryption Standard (AES-256).
Some Browsers Don’t Support SSL Certificates
It is important to note that some older browsers don’t support SSL certificates. This means that your website cannot be accessed on these older browsers. Below I have outlined some of these outdated browsers.
Unsupported browsers include:
- Google Chrome (older than version 6)
- Internet Explorer (older than version 7)
- Firefox (older than version 2.0)
- Safari (older than version 2.1)
- All Internet Explorer versions on Windows XP
Unsupported mobile browsers include:
- Safari browsers (iOS version older than 4.0)
- Android browsers (older than 3.0 (Honeycomb))
- Windows Phone browsers (version older than 7)
Is an SSL Certificate Free?
The great news is YES, you can get a free SSL certificate within minutes. Several domain and hosting providers offer free SSL certificates.