What is an SSL certificate?
SSL stands for Secure Sockets Layer and is a global standard security protocol that provides authentication, privacy, and integrity for internet communication between web browsers and servers. Developed by Netscape in 1995, it is an encryption-based protocol, and it has evolved into the modern TLS (Transport Layer Security) used today. Encryption is a procedure that uses an algorithm to encode messages or files so that they can only be read by certain people.
Secure websites use “HTTPS,” meaning they have implemented SSL/TLS, while unsecured websites use “HTTP.” If you are interacting with a web server that shows “HTTPS” in its URLs, this means that whatever information you send across is encrypted and can only be read by the intended parties.
An SSL certificate is like a digital badge installed on a website’s origin server, issued by a certification authority. SSL certificates enable websites to show the “HTTPS” tag in the URL instead of “HTTP.” SSL certificates make data encryption possible, and they contain the website’s identity, public key, and other related information. Devices trying to interact with the website retrieve this file from the origin server and use it to obtain the public key and verify the server’s identity. The private key is secured and kept secret. In cryptography, a public key is a large numerical value, provided by a designated authority, that is used to encrypt data.
Information contained in an SSL certificate:
- Domain name: The domain name the certificate was issued to. A domain name is a human-readable string of letters and numbers linked to a numeric IP address; it is what a user types into the browser’s address bar to reach a particular website.
- The person, organization, or device the certificate was issued to.
- The certification authority that issued the certificate.
- The certification authority’s digital signature.
- Subdomains associated with the said domain.
- The date the certificate was issued.
- The expiry date of the certificate.
- The public key (the private key is secret).
How does SSL/TLS work?
SSL and TLS work by encrypting data sent across the web to provide a high degree of privacy and security. That means that anyone intercepting the transmission only receives a confusing mix of characters that is almost impossible to decrypt. An authentication process, usually called a “handshake,” between the two interacting devices is initiated by SSL/TLS, verifying that both devices are who they say they are. SSL also checks data to prove its integrity, verifying that the transmission contents have not been tampered with. Over the years, there have been several SSL updates, the last being its replacement by TLS in 1999.
In a TLS “handshake,” the user’s device and the web server perform some actions:
- They specify the version of TLS they will use (TLS 1.0, 1.2, 1.3, etc.).
- They will agree on which cipher suites they will utilize. A cipher suite is a set of algorithms that set the general rules of securing a network through TLS.
- They will verify the identity of the server using its TLS certificate.
- They will generate public and private session keys for encrypting messages after the handshake is done.
A cipher suite is negotiated for every communication session, together with details such as the encryption keys or session keys that will be used in that session.
The handshake also handles server identity authentication using public keys. Once data has been encrypted, it is also signed with a MAC (message authentication code) so that it can be validated. The user’s device verifies this MAC to check whether the data has been tampered with. This is similar to the seals on the caps of medicine bottles: you know the bottle has been tampered with if the seal is broken.
Types of SSL certificates
1. Single-domain SSL certificates
A single-domain SSL certificate applies to one domain and one domain only. It cannot be used to authenticate any other domain, including subdomains of the domain it was issued to. All pages on that domain, however, are secured by the certificate. For instance, if “imdb.com” has a single-domain certificate, then “imdb.com/contact-us” is also covered by that certificate.
2. Wildcard SSL certificates
A wildcard SSL certificate covers a single domain and all the subdomains under it. Subdomains are extensions of the main domain, usually with something other than ‘www’ at the beginning of their URLs. For instance, “imdb.com” has subdomains such as “help.imdb.com” and “contribute.imdb.com.” All of them are subdomains under “imdb.com.” Users can view the list of subdomains covered by a certificate by clicking the padlock button in the browser’s address bar, then clicking “Certificates” (in browsers like Chrome) to view the wildcard certificate’s details.
3. Multi-domain SSL certificates
Multi-domain certificates (MDCs), as the name shows, cover multiple independent domains in one certificate. This means that with an MDC, domains that are not subdomains of one another can be covered by a single certificate.
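How a client decides whether the three certificate types above cover the hostname it is connecting to, as an added example that is not part of the original article. It implements RFC 6125-style name matching over a constructed list of certificate names (the name lists are assumed inputs standing in for a certificate’s subject and subjectAltName entries); it also shows why the URL path in the “imdb.com/contact-us” case never matters.

```python
from urllib.parse import urlsplit


def _match_one(pattern: str, hostname: str) -> bool:
    """Return True if a single certificate name covers hostname.

    Exact names (single-domain entries) must match exactly; a wildcard
    name is only valid as the whole leftmost label and covers exactly
    one label, so "*.imdb.com" covers "help.imdb.com" but not "imdb.com"
    or "a.help.imdb.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ("he*.imdb.com"), wildcards below the
    # first label, and overly broad ones such as "*.com".
    if (p_labels[0] != "*" or len(p_labels) < 3
            or any("*" in label for label in p_labels[1:])):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_covered(cert_names: list[str], hostname: str) -> bool:
    """True if any name in the certificate (subject or SAN) covers hostname."""
    return any(_match_one(name, hostname) for name in cert_names)


def url_covered(cert_names: list[str], url: str) -> bool:
    """The certificate is checked against the host part only; path and port are ignored."""
    host = urlsplit(url).hostname
    return host is not None and hostname_covered(cert_names, host)


if __name__ == "__main__":
    # Constructed name lists, one per certificate type from the article.
    single_domain = ["imdb.com"]
    wildcard = ["*.imdb.com"]
    multi_domain = ["imdb.com", "example.org"]
    for names, host in [(single_domain, "imdb.com"), (single_domain, "help.imdb.com"),
                        (wildcard, "help.imdb.com"), (wildcard, "imdb.com"),
                        (multi_domain, "example.org"), (multi_domain, "www.example.org")]:
        print(f"{names} covers {host!r}: {hostname_covered(names, host)}")
    print(url_covered(single_domain, "https://imdb.com/contact-us"))
```

Note that a multi-domain certificate covers only the names explicitly listed, so “www.example.org” is not covered unless it is its own entry.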
SSL certificate validation levels
Certification authorities need to validate organizations before issuing SSL certificates, similar to how driving licenses or medical licenses are issued. They ensure that the organization owns and uses the domain. This is what is known as SSL certificate validation.
There are different levels of validation, ranging from minimal checks to thorough background investigations. An SSL certificate from any of these validation levels provides the same protection from the same type of SSL encryption. The only difference is how lightly or thoroughly the organization’s background has been investigated.
– Domain validation SSL certificates
Domain validation is the least strict level of validation. For this level, the organization only has to prove that it controls the domain. The process is often automated; the organization can also prove control by changing a DNS record associated with the domain or by responding to an email from the certification authority. DNS records are instructions that live in the domain’s DNS servers, providing information such as which IP address is linked to the domain and how to handle requests for it.
This is the cheapest level of SSL certification. It is mostly used for blogs, online portfolios, or small businesses that want to launch HTTPS quickly, especially if they don’t sell products via the site.
– Organization validation SSL certificates
Organization validation requires a more manual vetting procedure. The certification authority contacts the organization requesting the certificate and may carry out further checks. Organization validation certificates contain the organization’s details, such as its name and address, which makes the site look more trustworthy to users.
– Extended validation SSL certificates
This level requires a full background investigation of the organization. The authority ensures that the organization exists and is a legally registered business, that its addresses are valid, and so on. This validation takes the longest and is the most expensive, but such certificates are more trustworthy than all the other validation types. These are the certificates required to turn a browser’s URL window green, as that is the color that certifies a trustworthy SSL/TLS-encrypted site.
Banks, eCommerce stores, and other large enterprises obtain extended validation certificates since they handle sensitive customer data like passwords, credit card numbers, or monetary transactions on their sites.
How do websites obtain SSL certificates?
To be granted an SSL certificate, a domain owner applies for one from a certification authority (CA), a trusted third-party organization that investigates domains and organizations before issuing SSL certificates. The CA digitally signs the certificate with its private key, allowing client devices to verify it. Most SSL certificates come with a fee, although some CAs do not charge.
Once the certificate has been granted, it is installed on the website’s origin server. Web hosting services can handle this part for website operators. The website should load with “HTTPS” once the certificate has been installed and activated, encrypting all further interactions with the website.
Services that offer SSL certificates
Here is a list of some services that offer SSL certificates and their price ranges.
1. Comodo SSL
Comodo is a very affordable SSL certificate provider. Although validation can take a while, they have good customer support, especially if the information required for validation isn’t available online. Their “Premium” SSL package costs $54.09 for five years. In the package, you get a validated certificate, 256-bit encryption, and a $250,000 relying-party warranty. Their Domain Validation certificate costs $7.27/year.
2. DigiCert
DigiCert has been operating independently for some years, and in 2017 they acquired Norton’s website security and related PKI (Public Key Infrastructure) solutions. Their prices aren’t as affordable, although they have interesting Wildcard options and have been further bolstered by the Norton acquisition.
A DigiCert SSL certificate costs $218 (£172) per year, although you might prefer a two-year deal. You can add the Wildcard SAN option, with pricing starting at $605 per SAN.
3. Cloudflare
Cloudflare is one of the certification authorities that offer free SSL certificates thanks to its globally distributed CDN. A Content Delivery Network (CDN) is a geographically distributed group of servers that helps deliver internet content quickly. Their SSL certificates are easy to activate, and they provide instructions on how to set them up on your origin server as well.
Do keep in mind, when choosing an SSL CA, that users’ browsers keep a cached list of trusted CAs on file. So, if you obtain a digital certificate signed by a body that is not on the “approved” list, the browser will alert the user that the website isn’t trustworthy.
Other CAs are:
- Entrust Datacard
- Network Solutions
Self-signed SSL certificates
An individual can create their own SSL certificate by generating a public and private key pair and putting all the needed SSL information in it. These certificates are labeled self-signed certificates. The reason is that the digital signature is made with the website’s own private key instead of a CA’s. There is no third-party authority to verify that the origin server is authentic, so web browsers do not trust self-signed certificates and may still show such sites as “not secure” even though they carry an “HTTPS” tag. They might even prevent the site from loading, terminating the connection.
Why do websites need SSL certificates?
Data on the internet was originally transmitted in plain text that was readable by anyone who intercepted the message. For example, if a user were to make a payment on Amazon, their card details, name, or even home address would travel across the web unconcealed. An attacker could intercept them and do whatever they wanted with that information. SSL solves this problem by encrypting the information until it reaches the intended website or user. Any third party that intercepts the message sees a long, meaningless scramble of characters.
SSL also prevents some forms of cyber attack. It validates websites, making it harder for attackers to create fake replicas of other websites to trick users and obtain their data; by verifying that the user is interacting with the actual domain’s server, it prevents domain spoofing. It also protects data in transit from attackers.
SSL certificates are also important for business owners, as the “HTTPS” tag builds trust with their customers. This might not be readily noticeable, but most browsers flag sites with only “HTTP” as “not secure” to prompt domain owners to switch to HTTPS and improve security.
Updates on SSL and TLS
TLS (Transport Layer Security) is the direct descendant of SSL. In 1999, an update to Netscape’s SSL was developed by the Internet Engineering Task Force (IETF), and the name was changed to TLS. The differences were not huge; the name change was to signal the change in ownership. Because of how closely related they are, the two names are often used interchangeably and confused. Any authority offering “SSL” nowadays is almost certainly offering TLS protection, considering that SSL is now considered obsolete. But the name still sticks, since that is the term people still search for.
In conclusion, these are the essentials you need to know if you are planning on building a website for your business, blog, or portfolio, to ensure the authenticity and security of your data and to build trust with your customers.