SSL stands for Secure Sockets Layer, the standard technology used across the internet to keep sensitive data protected while in transit. This prevents malicious individuals from intercepting, reading or modifying the information transferred.
When information is transported between systems (in this case between servers, or between client applications such as browsers and websites) it may include personal details, banking credentials, credit card numbers or other sensitive data.
This information needs to be secured as it traverses the internet so that hackers and others cannot read it. This is achieved by encrypting the data with algorithms that scramble it into a form that cannot be read.
The technology used in SSL involves two keys (long strings of random numbers). The public key is only known to the server and is the one that encrypts all the information. This information can only be unlocked by the browser using the private key. A hacker who, for example, intercepts the encrypted information will only see scrambled data that cannot be understood.
Transport Layer Security (TLS) is an updated, more secure version of SSL. The term SSL can therefore be used interchangeably with TLS.
What is an SSL Certificate?
When a website encrypts data using SSL, the data being transmitted from a user’s computer to the website is secure from prying eyes. This is shown by the appearance of HTTPS (Hypertext Transfer Protocol Secure) in the URL.
An SSL certificate is a digital certificate confirming that a website is encrypting all the information being exchanged between a user’s computer and the website to make it secure and unreadable to hackers and other third parties. It may also show that the website owner is a verified entity that has gone through several identity checks.
Clicking on the lock symbol on the browser bar of a website secured by an SSL certificate will reveal details of the certificate such as the issuing authority and the corporate name of the website owner.
Although the SSL certificate is installed on the server side, ordinary browser users are able to tell if a website is protected by SSL. Users will notice https:// (the “s” stands for “secure”) at the start of the web address rather than the normal http://. Further, the presence of a padlock icon or a green address bar indicates a secure connection, depending on the validation level of the certificate issued.
Understanding Private and Public Keys
A website that has installed an SSL certificate digitally connects all information to a cryptographic key. An SSL certificate contains several important components that determine how users and systems interact with each other. The key components are:
- The name of the certificate holder
- The issuing authority
- The expiration date
- The certificate holder’s public key
The public key is the component that ensures the information travelling from the website to the user is safe from prying eyes.
Every time a user types a website’s URL into a browser, the browser sends a request to the server that hosts the website asking for permission to connect. If the website is secured with an SSL certificate, the server will send its public key to the browser.
The browser will then create what is known as a session key and send it to the server (this session key is encrypted using the public key that was sent earlier).
The server will then use its private key to decrypt the session key and obtain a symmetric session key. The symmetric session key is only known to the browser and the server. The two can therefore communicate over the secure channel they have created. When a user terminates this connection, a new session key will be generated for the next visit. This makes it difficult for anyone trying to intercept this communication, because they do not have the session key.
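The exchange described above, re-enacted in Python as an added illustration (not code from the original article). The RSA key pair is built from constructed small primes and the symmetric cipher is a SHA-256 keystream, so this is a teaching model of the key-transport pattern rather than real TLS; the point it shows is that the session key travels only under the server's public key, only the private key unwraps it, and each visit gets a fresh key.

```python
import hashlib
import secrets

# --- Server side: the key pair whose public half the certificate carries ---
def make_server_keypair():
    # Constructed small primes, chosen only to keep the arithmetic readable;
    # a real key uses primes hundreds of digits long.
    p, q = 1000003, 1000033
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)            # private exponent (Python 3.8+)
    return (n, e), (n, d)          # (public key, private key)

def rsa_encrypt(public_key, m):
    n, e = public_key
    return pow(m, e, n)

def rsa_decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)

# --- Symmetric session cipher used once both sides hold the session key ---
def session_cipher(session_key, data):
    """XOR with a SHA-256 keystream; the same call encrypts and decrypts."""
    keystream = b""
    counter = 0
    while len(keystream) < len(data):
        block = session_key.to_bytes(8, "big") + counter.to_bytes(4, "big")
        keystream += hashlib.sha256(block).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))

def visit(server_keys, plaintext):
    """One visit: the browser receives the public key, wraps a fresh session
    key with it, the server unwraps it with the private key, and both sides
    then talk over the symmetric channel."""
    public_key, private_key = server_keys
    session_key = secrets.randbits(32)               # browser picks it
    wrapped = rsa_encrypt(public_key, session_key)   # only the server can unwrap
    server_session_key = rsa_decrypt(private_key, wrapped)
    on_the_wire = session_cipher(session_key, plaintext)
    received = session_cipher(server_session_key, on_the_wire)
    return {
        "session_key": session_key,
        "server_session_key": server_session_key,
        "wrapped_key": wrapped,
        "on_the_wire": on_the_wire,   # what an interceptor would see
        "received": received,
    }

if __name__ == "__main__":
    keys = make_server_keypair()
    first = visit(keys, b"card number 4111 (constructed)")
    second = visit(keys, b"second visit")
    print(first["received"], first["session_key"] != second["session_key"])
```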
An SSL certificate is critical in the creation of a secure channel of communication between users and the sites they visit.
Identifying SSL Certified Sites
A website that has an SSL certificate will always display a padlock and https:// at the start of the web address as shown below:
A website that has obtained extended organizational validation (see section on Types of SSL Certificates) will display a green bar in addition to the lock icon and https://.
However, the displaying of a lock and https:// are not enough for a user to trust a connection. It is important for users to look out for various signals that may alert them that despite the visuals above, the connection could be compromised.
Users should look out for the following browser indicators:
- The website uses SSL but some of its content is insecure. This means that an attacker can take advantage of the vulnerability to manipulate the site. Take caution when entering sensitive information.
- The website uses SSL but some high-risk content poses great danger. It could also indicate an issue with the site’s certificate. The connection is likely to be compromised and you should not enter any sensitive information.
- The site is not using an SSL connection. You should avoid entering personal information or other sensitive data on such a site.
- The site uses SSL correctly and the connection is secure. You can enter sensitive information on the website after making sure you are connected to the right domain.
- The site uses an Extended Validation SSL certificate, hence the connection is secure and highly trustworthy. You can enter sensitive information on the website without worry.
The same way websites are created to work on all browsing platforms, SSL encryption from reputable Certificate Authorities is designed to work with all browsers (at least 99%). It’s therefore up to the browser to determine if an SSL connection and the certificate can be trusted or not during the handshake process.
Google is on the forefront of helping to make web connections secure through an effort known as HTTPS everywhere.
The updated Chrome browser is able to flag any website that is using an unencrypted connection by letting users know that the site is not secure. The address bar will display a warning message cautioning users that the connection is risky.
Which Websites require SSL Certificates?
The ideal situation is for all websites to use SSL encryption and ensure any data that is transferred across the internet is secure. However, some sites do not necessarily need an SSL certificate because they do not handle sensitive information. Websites which do not have an SSL certificate will display http:// in the url bar.
The following websites call for serious consideration in implementing SSL certificates.
A website that sells products or services requires an SSL certificate to encrypt and secure payment information such as credit or debit card details, addresses and any other personal information collected.
Implementing site-wide SSL protection on an ecommerce site is important in ensuring that users are protected throughout their visit and they can trust the site with their data.
This is a no-brainer for all banking sites because they deal with money and are required to ensure that their clients’ funds are secure and their personal data is held with utmost privacy.
These websites normally require users to provide names, email addresses and other personal details when registering and to access specific features such as premium content or some subscription service.
An SSL certificate is necessary to keep the login details and other information secure from attackers.
Any website with user logins
Any website that has user logins should have an SSL certificate installed to protect the privacy of users and secure their data. Remember, data is increasingly becoming an important asset in today’s online space and hackers will spare nothing to get hold of it.
The following imperatives should be on the forefront when implementing SSL:
Install SSL encryption site-wide
There is a tendency to implement SSL on the login page only, on the assumption that it is the only place users enter their credentials. This can have devastating consequences for both the website owner and visitors. If a user is logged into the site and navigates to a page on the site that doesn’t use encryption, a hacker is more likely to have an easy way of infiltrating the system.
To achieve the desired security, it is advisable to implement SSL encryption on all pages of the website.
Most websites need SSL certificates as part of their security
Ecommerce websites, membership sites or email services are not the only sites that require SSL encryption. There is a misconception that malicious actors are interested in credit card information only. Even if a site doesn’t store payment information, cyber criminals may still be interested in many other forms of data they can harvest from your site.
For example, login credentials and email addresses can be used by hackers to launch credential stuffing or phishing attacks.
In credential stuffing the attacker uses the stolen credentials to “stuff” the login pages of other services until one succeeds. It is a guessing game, but since it is automated (and there is a likelihood that a password has been reused elsewhere) hackers have been able to gain access to multiple sites through credential stuffing.
Phishing attacks on the other hand are launched by sending communication to users and pretending to be a trusted service provider.
The communication is mostly an email with instructions to enter login credentials at a fake site which is identical to a legitimate one. A link in the email leads a user to a spoofed page where one may enter sensitive information, falling victim to a scam.
Do not worry about SSL impacting site performance
There is no perceptible difference in speed between websites that use SSL and those with insecure connections. While the data transmitted over an SSL connection has to be encrypted, the process is fast enough that it has no noticeable impact on server performance.
Browser makers have also upgraded their programs to handle SSL encryption at faster speeds. If there are speed issues after SSL implementation, the server may need to be upgraded to meet the demands of a more secure connection.
SSL is no panacea to overall security
SSL encryption does not guarantee the security of your data if your server end is not properly secured. An SSL certificate ensures that data in transit is encrypted to prevent exposure to prying eyes. Your server must therefore have separate and robust systems that protect against malware and other vulnerabilities that may compromise your systems. Server software must be updated and security patches applied regularly.
Types of SSL certificates
SSL certificates vary in terms of the purpose and function they are used for. We shall classify them into two broad categories – Domain coverage and Validation level certificates.
With the increase in cyber crime, it is imperative to be vigilant and understand the various types of SSL certificates available. SSL certificates are issued by entities known as certificate authorities (CAs).
Domain Coverage Certificates
These certificates protect a given number of domains or subdomains.
Single Domain SSL Certificate
This certificate is used for a single domain. This is suitable for a simple website that can be used by a small company or individual and secures all the pages on that domain. Since it only covers a single domain, such an SSL certificate can for example, secure yourname.com but cannot be used to secure mail.yourname.com.
Multi-Domain SSL Certificate
This certificate allows the user to secure multiple websites with different names. It can cover up to 100 different domains. This is suitable for managing a large number of websites under one portfolio, which not only saves on cost but makes it easier to track expiration dates than having a separate certificate for each domain.
This certificate also makes it easy to add or remove domains at any given time.
Wildcard SSL Certificate
This certificate allows a user to secure one domain name and all associated first level subdomains under it. For example, when yourname.com is secured all the subdomains under it (*.yourname.com such as me.yourname.com, mail.yourname.com and so on) will also be protected. It essentially secures any subdomain that replaces the wildcard character (*).
Validation Level Certificates
These certificates are issued to organizations that have undergone a process of verifying their identity. This process is conducted by the CA.
Domain Validated SSL Certificate
This is a certificate issued after the CA verifies that the applying organization has control over that particular domain.
This is done through email communication where instructions will be issued by the CA for a task to be executed. The process may take a few minutes or hours to complete.
For example, the organization can be asked to upload a document supplied by the CA to the domain or to make specific changes to a DNS record.
If the organization can prove that it has control over the domain by successfully executing the task, a Domain Validated SSL certificate will be issued.
This process may last a few days before a certificate is issued. This certificate is visualized as a secure https connection in a browser with the company information displayed in the certificate details.
Extended Validation SSL Certificate
This certificate is issued after an extensive process that may last a few days (7 – 10 days) and is more costly.
The CA conducts a more thorough investigation that involves validation of the organization’s ownership, operations, legal structure, physical location and other details that may require relevant documentation.
The organization will also be required to show proof that it actually applied for the validation by providing documentation.
The extended validation certificate is visualized in the browser as a secure https connection with a green address bar containing the company’s name and location.
EV certificates are important for organizations that require high levels of trust from their customers. Implementation of EV certificates can help to deter phishing attacks and increase the number of people who trust and feel safe purchasing from the website. The strict EV validation guidelines provide greater assurance to customers by making the address bar turn green.
Self Signed SSL Certificates
A self-signed SSL certificate is a certificate created and signed by a user instead of a trusted certificate authority. Since they provide the same standard of encryption as those issued by a CA, self-signed SSL certificates can be used, but only in certain circumstances.
It can be deployed on a personal website that does not involve the exchange of sensitive personal information and there is no risk of attack by hackers.
An intranet that is used locally and is not connected to the internet, or a site that is under development can also utilize a self-signed SSL certificate.
Apart from the above-mentioned exceptions, self-signed SSL certificates should not be used on sites that are visited by the public because of the following disadvantages:
- While trusted certificates can be revoked, a self-signed SSL certificate cannot. If a certificate’s private key has been compromised, revocation enables browsers to detect that the certificate is revoked and display a security warning indicating the certificate is no longer trusted. This helps users avoid visiting such a vulnerable website.
- A connection on a site that uses a self-signed SSL certificate can be easily hijacked by an attacker (man in the middle) and data compromised. The attacker can set up a fake server and launch a phishing attack to grab sensitive data or simply eavesdrop on all communication to and from the server.
Such a site that uses a self-signed certificate will display a warning in browsers like the one below.
To guarantee the security of a site’s connection, it is important to use an SSL certificate issued by a trusted CA, even if it’s a free one, rather than using a self-signed one.
Shared SSL Certificate
Your web hosting company can allow you to use one of their SSL certificates for free on your site. While this may sound attractive it comes with a disadvantage.
A Shared SSL Certificate provides encryption and not authentication of your domain. This means that when you use this certificate the connection between users and your server will be secured by https.
The only drawback is that since the certificate does not belong to you, the url displayed in the address bar will be the one that belongs to your web host. Web browsers will give a security warning and this may spook your visitors.
If you have an ecommerce site, it is advisable to use paid SSL certificates and avoid shared ones. This gains the trust of your customers by ensuring that when they click on the lock icon in the browser bar, the details of the certificate, including your corporate name and the issuing authority, can be viewed.
How to obtain SSL certificates
It is prudent to evaluate your needs before deciding which SSL certificate to acquire. Some factors to consider include:
- The type of website – determine the needs of your website as discussed in the section on “Which Websites require SSL Certificates.”
- Budget allocation – the cost of acquiring the different certificates varies by type and CA.
- Number of domains – as we have seen, multiple domains require a different type of certificate compared to that of a single domain.
- Trust level required – the level of trust you expect from your users can be used to choose which certificate to use in securing your site. The highest level of trust is the extended validation SSL certificate, which comes at a higher cost.
Before engaging a CA, find out whether your website hosting provider offers any SSL certificates as a paid feature included in your plan. If not, then you can look for a trusted CA.
There are free SSL certificates and paid SSL certificates.
Free SSL Certificates
Some CAs and other companies provide free SSL certificates for use by anyone who wants to secure a website’s connection. One such initiative is Let’s Encrypt, which has transformed website security by offering free SSL certificates.
Paid SSL Certificates
You may need to use paid SSL certificates from a trusted CA, based on your requirements. For example, running multiple sites or an ecommerce enterprise may require an EV certificate to promote trust and ensure that customers are connecting to the right website. An EV certificate displays a green bar in the browser URL and indicates the company name, which are critical for high value businesses.
Selecting the Right Certificate Authority
After deciding which type of SSL certificate you need, it is time to approach a Certificate Authority of your choice and purchase your product.
Several factors need to be considered when choosing a CA. They include Security, Price and Reliability.
SSL certificates are a guarantee of a secure communication channel that is protected against intrusion by malicious actors. Security should therefore be a priority when choosing a CA.
Find out which Certificate Authorities have a proven track record and stay alert for any security breaches affecting them. Choose a CA whose priority is the security of their system to guarantee similar attention to their service.
As mentioned earlier, you can obtain SSL certificates for free from some CAs. The free certificates offer the same level of encryption that is available with paid certificates. However, you may consider purchasing SSL certificates from any CA of your choice where you are guaranteed continuous support. Prices depend on brand or type and can vary up to a high of $2,000.
As with any product or service, you may need the assistance of a customer service department when something needs to be fixed or information clarified. Check out customer reviews and choose a CA with a good reputation and great customer support.
Leading CAs include VeriSign, Symantec, DigiCert, Comodo, GlobalSign, Network Solutions, Entrust, GeoTrust, Thawte, and Trustwave.
Installing SSL certificates
If the SSL certificate is offered by your web hosting provider, you will be provided with simple instructions on the installation process. Certificate authorities will also provide detailed instructions for installation of the SSL certificate issued.
Server manufacturers have their own manuals that will guide users on how to install various features. The installation is done on the same server that the CSR (Certificate Signing Request) is generated on.
The process is simple and involves:
- Applying for the Certificate
- Buying the certificate
- Activating the certificate
- Installing the certificate
- Updating your site to start using HTTPS
Managing SSL certificates
You need to ensure that after installing the SSL certificate, it is working properly to secure your connections.
SSL certificates have a validity period. Ensure the certificate is valid and renew it in time to avoid putting your users at risk.
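The checks a site operator would run on a certificate's key components (holder, issuing authority, expiration date, names covered) and on the domain-coverage rules described earlier, as an added example rather than code from the original article. The records are constructed in the layout that Python's ssl.SSLSocket.getpeercert() returns, so a real result from a live connection can be dropped in; the clock value is a constructed one for the worked example.

```python
import ssl
import time

# Constructed sample records in the layout ssl.SSLSocket.getpeercert()
# returns; not real certificates.
WILDCARD_CERT = {
    "subject": ((("commonName", "yourname.com"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "yourname.com"), ("DNS", "*.yourname.com")),
}
SINGLE_DOMAIN_CERT = {
    "subject": ((("commonName", "yourname.com"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "yourname.com"),),
}
# Constructed clock for the worked example: 20 days before WILDCARD_CERT expires.
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar 11 23:59:59 2024 GMT")

def certificate_holder(cert):
    """Name of the certificate holder (subject commonName)."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def issuing_authority(cert):
    """Issuing authority (issuer organizationName)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def covered_names(cert):
    """Names the certificate secures: DNS SAN entries, else the commonName."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        holder = certificate_holder(cert)
        names = [holder] if holder else []
    return names

def name_matches(pattern, hostname):
    """Exact match for ordinary names; a wildcard covers exactly one label,
    so *.yourname.com matches mail.yourname.com but not yourname.com or
    a.b.yourname.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                       # ".yourname.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return first_label != "" and "." not in first_label

def covers_hostname(cert, hostname):
    return any(name_matches(n, hostname) for n in covered_names(cert))

def days_until_expiry(cert, now=None):
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400

def certificate_status(cert, hostname, now=None, renew_within_days=30):
    """The summary a renewal monitor would record for one hostname."""
    remaining = days_until_expiry(cert, now)
    return {
        "holder": certificate_holder(cert),
        "issuer": issuing_authority(cert),
        "hostname_covered": covers_hostname(cert, hostname),
        "days_remaining": round(remaining, 1),
        "expired": remaining < 0,
        "renew_now": 0 <= remaining < renew_within_days,
    }

if __name__ == "__main__":
    print(certificate_status(WILDCARD_CERT, "mail.yourname.com", now=SAMPLE_NOW))
```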
Importance of SSL Certificates
Let’s look at the importance of an SSL certificate to both website users and website owners.
Importance to website owners
Website owners have a lot to gain by implementing SSL encryption for their sites.
Trust and Credibility
When a website displays the lock icon and green address bar, visitors will associate that with secure encryption. This means that they are assured that the information traveling to the site is secured. This builds their trust in a site and increases overall credibility of the brand.
Websites depend on regular visitors to consume their content. A secure connection shows visitors that the site considers their privacy as a priority, which is a great way to gain their trust.
As we have mentioned, web browsers give users a visual cue on the safety of their data on a site. A lock icon with https or a green bar is a clear signal that the connection is secured and if a product or service is on sale, visitors will be more likely to buy from that site.
Browsers are now able to flag a website that doesn’t have an SSL certificate and may label it as “unsafe” or “risky.”
An SSL certificate protects your visitors from becoming victims of phishing attacks. Criminals use messages or emails to hoodwink users with a link to a fake website that resembles the genuine one. The rigorous verification process of obtaining an SSL certificate makes it difficult for cyber criminals to get one.
If you have an SSL certificate installed, your users are less likely to be duped by such impersonation. When customers see the visual indicators of a secure connection they feel protected and will therefore have trust in a brand.
An SSL certificate from a trusted CA affirms a website’s identity to users. This is an assurance to visitors that they are sending information to the correct server. Impostors can dupe users by setting up a website that is identical to a genuine one and steal information from them.
You can avoid this by obtaining an SSL certificate from one of the many trusted SSL providers. A trusted SSL provider conducts due diligence through several checks before issuing an SSL certificate. Extended Validation SSL certificates, for example, require extensive validation that involves providing documents that prove the existence of a business, its legal status, its owners and a verified physical address before the certificate is issued.
Further, makers of web browsers use (through third-party audits) a trusted standard such as WebTrust to verify that SSL providers are adhering to established procedures.
For a website to accept credit card payments, it must comply with the requirements set out by the Payment Card Industry. These audits include security assessments and proper deployment of SSL certificates.
When SSL is implemented correctly it enables the website owner to protect customer data in transit to and from the web server. If the web server is not set up properly to use an SSL certificate, the site will fail to meet the PCI standards that enable acceptance of credit cards.
Google Search Rankings
While Google uses many factors (content, backlinks, etc.) to rank a website, security has been included as an important consideration for emerging threats. In fact, Google has used HTTPS as a ranking signal since 2014.
Google has been rewarding websites which employ encrypted connections with a slight boost in their SEO ranking and labeling those without as “Not Secure.” While the boost may seem insignificant, it is a clear advantage for websites that have SSL encryption deployed.
The basic function of an SSL certificate is security. A connection secured using SSL keeps the data transmitted over it encrypted so that nobody can read or modify it while in transit. Only the intended recipient can read the information.
A website with an SSL certificate can perform the following functions securely:
- Managing user logins
- Transactions involving credit cards
- Transactions involving personal details
- Data transfers
Cybercriminals find it easy to intercept data that is being transmitted to and from an unsecured website. An SSL certificate will thwart malicious attempts to intercept information in transit.
The information being transmitted becomes unreadable to anyone in the middle except the server you are communicating with. This is important because it secures sensitive information from falling in the wrong hands.
As a website owner, SSL does not take care of all your security needs. You must ensure that your web server is not compromised by rootkits, trojans, malware or viruses. Such vulnerability can enable hackers to take control of the server and steal information even when the SSL connection is in place.
Implement robust security precautions such as changing passwords regularly, updating server software and other procedures necessary to secure the infrastructure.
Importance to website visitors
SSL is a security standard that keeps the internet connection between a web browser and the server hosting a website secure. This safeguards all sensitive data such as passwords, banking credentials or email addresses that are being transmitted between the two interfaces.
Any criminal who may intercept this data will be unable to read or modify it because it is encrypted in a form that can only be decrypted by the web browser or server.
Using HTTPS Everywhere
If the website you are visiting does not use SSL (does not show https or a padlock), do not enter any personal or other sensitive information.
You may try using HTTPS everywhere to force all sites you visit to connect securely. This is done by typing https before each URL every time you want to connect to a given website. You may also use the HTTPS Everywhere feature, which can be installed in your browser. When installed, this feature will automatically enable an HTTPS encrypted connection for every website visited (as long as that website supports it).
The HTTPS Everywhere feature is available as a browser extension for Firefox, Chrome and Opera. It’s also available for Firefox on Android devices.
The “HTTPS Everywhere” extension is supported by the Electronic Frontier Foundation and is free to download.
Note: Not all websites support HTTPS. Where it is not supported, you may have to avoid entering any personal data at all.
While your connection to a website may be secure, you need to ensure that your device (whether it’s a desktop PC, a laptop, tablet or smartphone) is also secured. Sensitive data can be intercepted at your end, defeating the whole purpose of the SSL connection.
Always ensure that all applications on your device are updated and use a current antivirus program. Run an antimalware program to detect key-logging software, which can be used to steal your passwords and usernames.
An SSL certificate is an essential part of today’s internet infrastructure. Protecting websites and the information that flows between them and user devices provides integrity, trust and security for everyone involved.
The success of ecommerce depends on security and SSL plays a crucial role in facilitating online transactions through a secure tunnel. Personal information and other sensitive data such as credit card details can be transmitted securely across the internet when SSL is deployed.
Using an SSL certificate will not only secure a website but can increase consumer confidence, increase sales (through trust and repeat visits) and boost search engine rankings.
The advantages of using an SSL certificate far outweigh disadvantages if any. In fact we haven’t come across any disadvantages so far. One limiting factor for small businesses is the cost associated with acquiring the high value certificates like the Extended Validation SSL certificate.
As more Certificate Authorities come onto the market, the increased competition is bound to bring prices down and make it affordable for small businesses. Free services like Let’s Encrypt are also taking the lead in availing this technology to a wider audience.
Using an SSL certificate is an important step for any website, whether it’s for personal use or for business. There is no excuse not to implement this technology; installation is a breeze, with most web hosting providers making simple instructions available.
Every website owner can take full advantage of the HTTPS revolution by giving visitors every reason to trust them with their information and wallets. The extra layer of security and authenticity is a simple way to protect user privacy and build trust. By doing all these, an increase in user engagement on a website will subsequently lead to higher sales.