What is an SSL certificate: definition and explanation
What is an SSL certificate?
An SSL certificate is a digital certificate that authenticates the identity of a website and enables an encrypted connection. SSL stands for Secure Sockets Layer, a security protocol that creates an encrypted link between a web server and a web browser.
Businesses and organizations should add SSL certificates to their websites to protect online transactions and keep customer information private and secure.
In short: the SSL certificate keeps Internet connections secure and prevents criminals from reading or changing information transferred between two systems. When you see a lock icon next to the URL in the address bar, it means that there is an SSL certificate protecting the website you are visiting.
Since its inception approximately 25 years ago, there have been various versions of the SSL protocol, all of which at some point ran into security issues. Subsequently, a revamped version was released with a new name: TLS (Transport Layer Security), which is still in use today. However, the initials SSL were kept, so the new version of the protocol is still called by the old name.
How do SSL certificates work?
SSL certificates work by ensuring that data transferred between users and websites, or between two systems, is unreadable. They use encryption algorithms to encrypt data in transit, which prevents hackers from reading information being sent over the connection. This data includes potentially sensitive information such as names, addresses, credit card numbers or other financial details.
The process works as follows:
- A browser or server tries to connect to a website (i.e., a web server) protected by SSL certificates.
- The browser or server requests that the web server identify itself.
- In response, the web server sends the browser or server a copy of its SSL certificate.
- The browser or server evaluates whether the SSL certificate is trustworthy. If so, it sends a signal to the web server.
- The web server then returns a digitally signed acknowledgment to initiate an SSL-encrypted session.
- The encrypted data is shared between the browser or server and the web server.
This process is sometimes referred to as “SSL handshaking.” Although it seems to be a long process, it takes place in milliseconds.
When a website is protected by an SSL certificate, the acronym HTTPS (which stands for HyperText Transfer Protocol Secure) appears in the URL. Without an SSL certificate, only the letters HTTP will appear, that is, without the S for “secure”. A lock icon will also be displayed in the URL bar. This indicates that it is a trustworthy website and gives peace of mind to those who visit it.
To view the details of an SSL certificate, you can click the lock symbol located in the browser bar. These are some of the details that are usually included in SSL certificates:
- The domain name associated with the issued certificate
- What person, organization, or device it was issued to
- Which certification authority issued it
- The digital signature of the certification authority
- Associated subdomains
- Certificate issue date
- The expiration date of the certificate
- The public key (the private key is not disclosed)
Why do you need an SSL certificate?
Websites need SSL certificates to keep user data secure, verify website ownership, prevent attackers from creating a fake version of the site, and to instill trust in users.
If a website asks users to log in, enter personal data such as their credit card numbers, or view sensitive information such as health benefits or financial information, then keeping that data confidential is essential. SSL certificates help keep online interactions private and assure users that the website is authentic and that private information is safe to share through it.
More relevant to businesses is the fact that an SSL certificate is required for an HTTPS web address. The HTTPS protocol is the secure version of the HTTP protocol, which means that HTTPS websites have their traffic encrypted using SSL certificates. Most browsers classify HTTP sites, those without SSL certificates, as “not secure.” For users, this is a clear sign that the site may not be trustworthy, which encourages companies that have not done so to migrate to the HTTPS protocol.
An SSL certificate helps protect information such as the following:
- Login credentials
- Credit card transactions or bank account information
- Personally identifiable information, such as full name, address, date of birth, or phone number
- Legal documents and contracts
- Medical records
- Property information
Types of SSL Certificates
There are different types of SSL certificates with different levels of validation. These are the six main types:
- Extended Validation Certificates (EV SSL)
- Organization Validated Certificates (OV SSL)
- Domain Validated Certificates (DV SSL)
- Wildcard SSL Certificates
- Multi-Domain SSL Certificates (MDC)
- Unified Communications Certificates (UCC)
Extended Validation Certificates (EV SSL)
This is the highest rated and most expensive type of SSL certificate. It tends to be used on high-profile websites that collect data and involve online payments. When installed, this SSL certificate displays the padlock, HTTPS acronym, company name, and country in the browser’s address bar. Displaying website owner information in the address bar helps distinguish the site from malicious sites. To set up an EV SSL certificate, the website owner must go through a standardized identity verification process to confirm that they are legally entitled to exclusive rights to the domain.
Organization Validated Certificates (OV SSL)
This version of the SSL certificate has a similar level of security as the EV SSL certificate, in that in order to obtain one the website owner must complete a substantial validation process. This type of certificate also displays website owner information in the address bar to distinguish it from malicious sites. OV SSL certificates tend to be the second most expensive certificate (after EV SSL) and their primary purpose is to encrypt sensitive user information during transactions. Commercial or public websites must install an OV SSL certificate to ensure that all information shared by the customer is kept confidential.
Domain Validated Certificates (DV SSL)
The validation process to obtain this type of SSL certificate is minimal, and as a result, domain validation SSL certificates provide less security and minimal encryption. They are often used on informative websites or blogs, that is, sites that do not involve data collection or online payments. This type of SSL certificate is one of the least expensive and fastest to obtain. The validation process only requires website owners to prove domain ownership by responding to an email or phone call. The browser’s address bar only shows HTTPS and a padlock, without the company name.
Wildcard SSL Certificates
Wildcard SSL certificates allow you to secure a base domain and unlimited subdomains in a single certificate. If you have multiple subdomains to protect, buying a wildcard SSL certificate is much less expensive than buying individual SSL certificates for each of them. Wildcard SSL certificates have an asterisk * as part of the common name; the asterisk represents any valid subdomain that has the same base domain. For example, the same *website wildcard certificate can be used for the following subdomains:
Multi-Domain SSL Certificate (MDC)
A multi-domain certificate can be used to protect many domains or subdomain names. This includes the combination of completely unique domains and subdomains with different TLDs (top level domains), except local or internal ones.
Multi-domain certificates do not support subdomains by default. If you need to protect both www.example.com and example.com with a multi-domain certificate, then both hostnames must be specified at the time of obtaining the certificate.
Unified Communications Certificate (UCC)
Unified Communications Certificates (UCC) are also considered multi-domain SSL certificates. Initially, UCCs were designed to protect Microsoft Exchange and Live Communications servers. Today, any website owner can use these certificates to allow multiple domain names to be protected with a single certificate. UCC certificates are validated at the organizational level and display a padlock in the browser. UCCs can be used as EV SSL certificates to give site visitors the highest possible security through the green address bar.
It is essential to be familiar with the different types of SSL certificates in order to obtain the correct type for your website.
How to get an SSL certificate
SSL certificates can be obtained directly from a Certificate Authority (CA). Certificate authorities, sometimes also known as certification authorities, issue millions of SSL certificates every year. They play a critical role in how the Internet works and how transparent and trustworthy interactions online are ensured.
The cost of an SSL certificate can range from a free certificate to one that costs hundreds of dollars, depending on the level of security you require. Once you decide on the type of certificate you need, you can search for certificate issuers that offer certificates at the level you need.
To obtain an SSL certificate, you must follow these steps:
- Prepare by configuring the server and checking that your WHOIS record is up to date and matches what you are submitting to the certification authority (must show correct company name and address, etc.)
- Generate a certificate signing request (CSR) on the server. This is an action that your hosting company can help you with.
- Submit this information to the certificate authority to validate your domain and company details.
- Install the certificate they provide once the process is complete.
Once obtained, you must configure the certificate on your web hosting or on your own servers, in case you are hosting the website on your own.
How quickly you receive your certificate will depend on the type of certificate you are looking for and which certificate provider you request it from. All validation levels have a different deadline. A simple domain validation SSL certificate can be issued within a couple of minutes of request, while extended validation can take up to a full week.
Can an SSL certificate be used on multiple servers?
It is possible to use one SSL certificate for multiple domains on the same server. Depending on the provider, you can also use one SSL certificate on multiple servers. This is thanks to the multi-domain SSL certificates we discussed earlier.
As the name implies, multi-domain SSL certificates work with multiple domains. The total number of domains depends on the certification authority that issued it. A multi-domain SSL certificate is different from a single domain SSL certificate which, as the name implies, is designed to protect a single domain.
To make matters even more confusing, you may hear others refer to multi-domain SSL certificates as SAN certificates. SAN is the acronym for “subject alternative name”. Each multi-domain certificate has additional fields (i.e., SANs) that you can use to create a list of additional domains that you want to protect with a single certificate.
Unified Communications Certificates (UCC) and Wildcard SSL Certificates also allow multiple domains and, in the latter case, an unlimited number of subdomains.
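The coverage rules described for wildcard and multi-domain (SAN) certificates can be checked mechanically. The following is an added example, not code from the original article: the SAN lists and hostnames are constructed, and the matching follows the conservative convention that `*` stands for exactly one left-most label.

```python
# Added example: which hostnames does a certificate's SAN list cover?
# The SAN lists and site names below are constructed sample data.

def _labels(name):
    """Lower-case a DNS name and split it into labels."""
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """Match one SAN dNSName entry against a hostname.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label (the conservative reading of RFC 6125)."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Refuse over-broad patterns such as "*.com"; real clients also
        # consult the Public Suffix List, which is out of scope here.
        return len(p) >= 3 and p[1:] == h[1:]
    # Any other use of '*' (e.g. "f*.example.com") is treated as no match.
    return "*" not in pattern and p == h

def covered(sans, hostname):
    """True if any SAN entry covers the hostname."""
    return any(san_matches(s, hostname) for s in sans)

def uncovered(sans, hostnames):
    """Hostnames from an inventory that the certificate does NOT cover."""
    return [h for h in hostnames if not covered(sans, h)]

# Wildcard certificate that also lists the base domain explicitly.
WILDCARD_CERT = ["*.example.com", "example.com"]
# Multi-domain certificate: every hostname must be listed by name.
MULTI_DOMAIN_CERT = ["example.com", "www.example.com", "example.org"]

SITES = [
    "example.com", "www.example.com", "shop.example.com",
    "api.shop.example.com", "example.org", "www.example.org",
]

if __name__ == "__main__":
    print("wildcard misses:    ", uncovered(WILDCARD_CERT, SITES))
    print("multi-domain misses:", uncovered(MULTI_DOMAIN_CERT, SITES))
```

The wildcard entry does not reach `api.shop.example.com` (two labels deep), and a certificate carrying only `*.example.com` would not cover the bare `example.com` either.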
What happens when an SSL certificate expires?
SSL certificates expire; they don’t last forever. The Certificate Authority/Browser Forum, which serves as the de facto regulatory body for the SSL industry, states that SSL certificates must have a shelf life of no more than 27 months. This basically means two years. If you renew the certificate before it expires, you can add up to three months to the remaining time on your previous SSL certificate.
SSL certificates expire because, as with any form of authentication, the information must be periodically revalidated to verify that it is still accurate. The Internet is changing as companies and websites are bought and sold. As owners change, the relevant information on SSL certificates changes as well. The purpose of the expiration period is to ensure that the information used to authenticate servers and organizations is as current and accurate as possible.
Previously, SSL certificates could be issued for up to five years, later reduced to three, and more recently to two years plus a possible additional three months. In 2020, Google, Apple, and Mozilla announced that they would implement one-year SSL certificates, despite this proposal being voted down by the Certificate Authority/Browser Forum. This measure came into force in September 2020. In the future, the validity period may be further reduced.
When an SSL certificate expires, it makes the site in question unreachable. When the user’s browser reaches a website, it checks the validity of the SSL certificate within milliseconds (as part of the SSL handshake). If the SSL certificate has expired, visitors will receive the message “This site is not secure. There is a potential risk.”
While users have the option to sign in, doing so is not recommended given the cybersecurity risks involved, including the possibility of being infected with malware. This will have a significant impact on bounce rates for website owners, as users can quickly leave the home page and go to another site.
Keeping track of the expiration date of SSL certificates presents a challenge for larger companies. While small and medium-sized businesses (SMBs) may have one or just a few certificates to manage, enterprise-level organizations, which potentially transact in the markets and have numerous websites and networks, will have many more. At this level, allowing the SSL certificate to expire is often the result of carelessness rather than incompetence. The best way for larger companies to stay on top of the expiration of their SSL certificates is through a certificate management platform. There are several products on the market that you can find through an online search. These products allow companies to view and manage the digital certificates of their entire infrastructure. If you use one of these platforms, it’s important to log in regularly so you can stay on top of when renewals are due.
If you let a certificate expire, it will become invalid and you will no longer be able to execute secure transactions on your website. The certificate authority (CA) will ask you to renew your SSL certificate before the expiration date.
Regardless of the certificate authority or SSL certificate service you use, this entity will send you expiration notifications at set intervals, which typically start after 90 days. Try to have these reminders sent to an email distribution list, rather than just one person, in case that person has left the company or taken on another role at the time the reminder is sent. Think about which company stakeholders are on this mailing list to make sure the right people see the reminders at the right time.
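A small expiry audit complements the CA's reminder emails. The following is an added example, not code from the original article: the hostnames and `notAfter` dates are constructed, and the 90-day threshold is an assumption that mirrors the reminder interval mentioned above.

```python
# Added example: flag certificates that are expired or due for renewal.
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 90  # assumed renewal window, mirroring the 90-day reminders

def fetch_not_after(host, port=443, timeout=5.0):
    """Return the notAfter string of the certificate a live server presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def days_left(not_after, now):
    """Whole days between `now` and a notAfter value such as
    'Mar 01 00:00:00 2025 GMT' (negative once expired)."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days

def classify(not_after, now, warn_days=WARN_DAYS):
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "expired"
    return "renew" if remaining <= warn_days else "ok"

def audit(inventory, now):
    """Return (days_left, host, status) tuples, most urgent first."""
    return sorted((days_left(na, now), host, classify(na, now))
                  for host, na in inventory.items())

def live_status(host, now=None):
    """Check a real server. An expired certificate fails verification
    during the handshake, so that case surfaces as an exception."""
    now = now or datetime.now(timezone.utc)
    try:
        return classify(fetch_not_after(host), now)
    except ssl.SSLCertVerificationError as exc:
        return "invalid: " + exc.verify_message
    except OSError as exc:
        return "unreachable: %s" % exc

# Constructed inventory: hostname -> notAfter as reported by the certificate.
SAMPLE_INVENTORY = {
    "www.example.com": "Dec 31 00:00:00 2025 GMT",
    "shop.example.com": "Mar 01 00:00:00 2025 GMT",
    "legacy.example.com": "Dec 15 00:00:00 2024 GMT",
}
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for remaining, host, status in audit(SAMPLE_INVENTORY, SAMPLE_NOW):
        print(f"{host:22} {remaining:5d} days  {status}")
```

Run on a schedule, with the output sent to the same distribution list as the CA reminders, this catches certificates that were never registered with a management platform.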
How to know if a site has an SSL certificate
The easiest way to see if a site has an SSL certificate is through your browser’s address bar:
- If the URL starts with HTTPS instead of HTTP, it means that the site is protected by an SSL certificate.
- Secure sites display a locked padlock badge, which you can click to view security details; the most trusted sites will have green padlocks or address bars.
- Browsers also display warning signs when a connection is not secure, such as a red padlock, a padlock that is not locked, a line through the website address, or a warning triangle on top of the padlock emblem.
How to make sure your online session is protected
Only submit your personal data and online payment details to websites with OV or EV certificates. DV certificates are not appropriate for e-commerce websites. You can determine if a site has an OV or EV certificate by looking at the address bar. In the case of an EV SSL certificate, the organization name will be visible in the same address bar. For an OV SSL certificate, you can view the organization name details by clicking the lock icon. For a DV SSL certificate, only the lock icon is visible.
You should be on the lookout for signs or indicators of trust on websites.
In addition to SSL certificates, trusted websites have accredited logos or badges that show that the website meets specific security standards. Other measures that can help you determine if a site is real or not are looking for a physical address and phone number, checking the return or refund policy, and checking that the prices are believable and not too good to be true.
Be alert to phishing scams.
Cyber attackers sometimes create websites that mimic existing websites to trick people into buying something or logging into their phishing site. A phishing site may obtain an SSL certificate, thereby encrypting all traffic flowing between your device and the site. A growing number of phishing scams are taking place on HTTPS sites, tricking users into feeling more trusting because of the presence of the padlock icon.
To avoid these types of attacks, keep the following in mind:
- Always check the domain of the site you are on and check that the address is spelled correctly. The URL of a fake site can differ by just one character, for example amaz0n.com instead of amazon.com. If in doubt, type the domain directly into your browser to make sure you’re connecting to the website you want to visit.
- Never enter login details, passwords, banking credentials, or any other personal information on the site unless you are sure of its authenticity.
- Always analyze what a particular site offers, if it looks suspicious and if you really need to register with it.
- Make sure your devices are well protected: Kaspersky Internet Security checks URLs using an extensive database of phishing sites and detects scams no matter how “safe” the site appears.
Cybersecurity risks continue to grow, but understanding the types of SSL certificates to look for and how to distinguish a secure site from a potentially dangerous one will help Internet users avoid scams and protect their personal data from cybercriminals.