The topic of data security is becoming increasingly important, both for private users and in the business world. As a website owner, you should take all the necessary precautions to ensure that a visit to your site is as secure as possible. Switching from HTTP to HTTPS, i.e. protecting your site with SSL/TLS, is an important step in securing your website and gaining your customers’ trust.
The internet is a wonderful place for many people: freely available information, global communication, unlimited exchange of knowledge. However, not all internet users have good intentions. Time and time again, criminals come up with new methods of retrieving your sensitive data, like e-mail or online banking passwords. To this end, they might set up fraudulent websites similar to those of reputable companies. Unsuspecting users often fall for this scam, unintentionally passing their private data on to criminals. However, harmless sites can also be abused by criminals. If the transmission between you and a website operator’s server is not sufficiently secure, third parties may try to access the data stream.
In order to protect users’ data from this kind of interception, standardised SSL certificates have been established. With such a certificate, a website assures the user (or more precisely, the user’s browser): “your data is safe with us!”
SSL stands for secure sockets layer, an encryption protocol in the TCP/IP protocol stack. An SSL certificate serves as binding proof of identity; in addition, the certificate often contains information which allows the browser and server to establish an encrypted connection.
What is an SSL certificate?
Nowadays, certificates should no longer be used with the outdated SSL protocol, but with its newer and more secure successor TLS (transport layer security). Colloquially, however, “SSL certificate” is still the most common term when it comes to encryption protocols. The certificate itself is a data record: a file containing a great deal of information, such as the name of the issuer, the serial number, or the so-called fingerprint. Certificates are available in various file formats. If the website operator wants to use a certain certificate, they need to install it on the server.
To obtain a certificate, website operators need to contact a certification authority. These organisations are entitled to issue SSL certificates, but usually charge fees for their services. But why can’t everyone just start their own certification authority? The reason is that browser manufacturers like Microsoft, Mozilla, or Google also need to accept the certificates; otherwise the certificate does not really benefit you. The software company Symantec also had to deal with this issue: after Google withdrew its trust from the vendor, Symantec’s certificates were no longer supported by Chrome. As a result, Chrome users no longer receive the encryption icon that indicates a secure data transfer when visiting a website that uses a Symantec certificate.
You can read more about the dispute between Google and Symantec and how website operators should handle the manufacturer’s certificates in our article on the topic.
However, a certificate accepted by browsers is by no means valid forever. Each SSL certificate has an expiry date. Once it is reached, the website operator must renew the certificate; otherwise the corresponding pages will no longer be shown as secure. Although regular renewal of certificates can be both time-consuming and costly for website operators, it is still necessary: user security can only be guaranteed if certification authorities regularly check the integrity, identity, and encryption mechanisms used.
The SSL certificate does not just state that it is valid, but also its validity period.
There are several ways to encrypt data transfers. Usually, you need a key to encrypt something and the exact same key to make the message readable again. However, this method does not work well on the internet, because users often contact people or organisations they have never communicated with outside the internet before. Consequently, there is no way to pass on such a key without first sending it unencrypted through a publicly accessible medium. SSL certificates therefore use a different procedure.
In a public-key infrastructure, you don’t create just one key but two: a public one and a private one. A message encrypted with the public key can only be decrypted with the private key. The browser receives the public key through the certificate and uses it for encryption. There are different methods for encrypting the information; here, too, the web server provides the browser with the necessary information through the certificate.
For example, AES (advanced encryption standard) combined with the SHA256 cryptographic hash function is a commonly used encryption method, but the standards change regularly, since both criminals and cryptography experts are constantly working to identify vulnerabilities in encryption mechanisms.
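As an added example (not code from the original article), the following Go program plays both sides of the exchange described above: the browser draws a random AES session key, encrypts it with the server’s public key (RSA-OAEP), and then encrypts the actual form data with AES-256-GCM under that session key; the server recovers the session key with its private key and reads the data. All function names are made up for this illustration, and the sample form data is constructed; the public key is passed around directly rather than inside a certificate.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewServerKey generates the server's RSA key pair; the public half is what a certificate would carry.
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// WrapSessionKey is the browser's step: draw a fresh random AES-256 key and encrypt it with
// the server's public key. Only the matching private key can recover it, so the key never
// crosses the wire in the clear (the problem described for symmetric keys above).
func WrapSessionKey(pub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// UnwrapSessionKey is the server's step: recover the AES key with the private key.
func UnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// newGCM builds the AES-GCM cipher used for the bulk data in both directions.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealMessage encrypts the bulk data with AES-256-GCM under the session key; the random
// nonce is prepended to the ciphertext and the GCM tag lets the receiver detect tampering.
func SealMessage(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenMessage reverses SealMessage and fails on a wrong key or on modified bytes.
func OpenMessage(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// RoundTrip plays both sides: the browser wraps a key and seals msg, the server unwraps
// the key and opens the message. It returns what the server was able to read.
func RoundTrip(priv *rsa.PrivateKey, msg string) (string, error) {
	sessionKey, wrapped, err := WrapSessionKey(&priv.PublicKey) // browser side
	if err != nil {
		return "", err
	}
	sealed, err := SealMessage(sessionKey, []byte(msg)) // browser side
	if err != nil {
		return "", err
	}
	recovered, err := UnwrapSessionKey(priv, wrapped) // server side
	if err != nil {
		return "", err
	}
	plain, err := OpenMessage(recovered, sealed) // server side
	return string(plain), err
}

func main() {
	priv, err := NewServerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: the kind of form data the article says must not travel in the clear.
	got, err := RoundTrip(priv, "login=alice&password=correct-horse")
	fmt.Printf("server read: %q (err=%v)\n", got, err)
	// A third party holding a different private key cannot unwrap the session key.
	_, wrapped, _ := WrapSessionKey(&priv.PublicKey)
	other, _ := NewServerKey()
	_, err = UnwrapSessionKey(other, wrapped)
	fmt.Println("unwrap with the wrong private key:", err)
}
```

This is the RSA key-transport pattern used by TLS 1.2 and earlier. TLS 1.3 instead derives the session key with an ephemeral Diffie-Hellman exchange and uses the certificate’s key only to sign the handshake, so a private key that leaks later cannot decrypt recorded traffic (forward secrecy); the division of labour shown here, public key from the certificate for key establishment and a symmetric cipher such as AES for the data, is the same.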
What kind of SSL certificates are there?
There are several types of SSL certificates. Although there are different issuers with different verification mechanisms, these are not the decisive criteria. Rather, SSL certificates are differentiated according to, amongst other things, how thoroughly the applicant is verified and how wide the certificate’s scope is.
There are three levels of verification. These differ not just in processing time, but also in cost. Whilst domain-validated SSL certificates are now available for free, individuals and small businesses are rarely able to meet the cost of extended validation.
Domain validation (DV)
Domain validation is the lowest level of SSL certificate: the check of who is behind the website address is correspondingly superficial. The certification authority often only sends an e-mail to the address specified in the WHOIS entry. Alternatively, the applicant is asked to change a DNS entry or to upload a specific file to their server to prove control of the domain.
The verification process can be fully automated and is therefore not considered safe by many. Some browsers therefore mark a DV SSL certificate separately to point out its lower security standard compared to other certificates. With this form of certificate, you will not receive any further information about the website operator.
The “Let’s Encrypt” project, supported by Mozilla, Cisco, and Google, amongst others, offers DV-SSL certificates free of charge. The aim of the project is to encourage all website operators on the internet to use encryption. Today, about 80% of all certificates on the internet originate from Let’s Encrypt.
Organisation validation (OV)
OV SSL certificates are one level higher in terms of visitor safety. As part of the validation, the certification body requests documents from the website operator, usually after the automated domain validation has been completed. Which documents are required depends on the issuing organisation; an extract from the commercial register, for example, is sometimes requested. In addition, some certification authorities contact the website operator by telephone. OV SSL certificates give internet users more security, since the authority has checked in advance who is actually running the website. They also have the advantage that this information is visible to every user in the certificate itself.
Extended validation (EV)
SSL certificates carrying the extended validation label provide the highest level of security. With this type of certificate, the domain, the organisation associated with it, and the applicant themselves are all checked. It is also verified whether the applicant actually works for the specified organisation or company and whether they are entitled to request a certificate. Additionally, the certification body itself needs to be authorised to carry out extended validations; to be authorised, it must pass a review by the CA/Browser Forum, a voluntary association of certification bodies and browser manufacturers.
When you apply for an SSL certificate, you should pay attention to its scope, including whether, for example, subdomains are covered by the certificate.
A normal certificate is only valid for a single domain. This means that “www.example.com” and all subpages of this website are covered by the same SSL certificate, but its subdomains are not. If you need your subdomains to be covered too, you either need to apply for another certificate or purchase a wildcard certificate.
Wildcard certificates get their name because they work with a placeholder. Instead of being issued for “www.example.com”, for example, these SSL certificates also apply to all subdomains, i.e. also to “mail.example.com” or “blog.example.com”. They are issued in the form “*.example.com”; the asterisk symbolises the wildcard.
Multi-domain certificates (also called SAN certificates) extend far beyond the reach of single-name or wildcard certificates. Many certification bodies offer their customers certificates covering up to 100 domains. For example, with only one certificate an applicant can secure both “www.example.com” and “www.example.org”. This is possible thanks to the subject alternative name extension, an additional field in the certificate that lists all other domains.
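As an added example (not from the original article or any certification authority’s tooling), the following Go program uses the standard crypto/x509 package to build three test certificates, one single-name, one wildcard and one multi-domain (SAN), and then checks which host names each one covers, using the same matching rules Go’s TLS client applies. It also shows the data-record fields described earlier (issuer, serial number, validity period, SHA-256 fingerprint) and demonstrates that a certificate whose expiry date has passed is rejected even though its names still match. The certificates are self-signed and added to a private trust store for the check; in practice a certification authority would sign them. All function and organisation names are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MakeTestCert builds a self-signed certificate covering dnsNames and valid between
// notBefore and notAfter. It stands in for the data record a CA would issue.
func MakeTestCert(org string, dnsNames []string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1001), // constructed value
		Subject:               pkix.Name{Organization: []string{org}, CommonName: dnsNames[0]},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		DNSNames:              dnsNames, // the subject alternative name entries
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: acts as its own trust anchor in ValidAt
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Fingerprint is the SHA-256 hash of the DER encoding, the value browsers show in the certificate viewer.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// Covers reports whether the certificate's names cover host: an exact SAN match, or a
// wildcard that replaces exactly one leftmost label (so "*.example.com" does not cover "example.com").
func Covers(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// ValidAt performs the full check a browser does, at a chosen point in time: trust chain,
// validity period and host name. The cert itself is used as the trust anchor.
func ValidAt(cert *x509.Certificate, host string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at})
	return err
}

// IsExpired tells an expiry failure apart from other failures such as a name mismatch.
func IsExpired(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	now := time.Now()
	kinds := []struct {
		label string
		names []string
	}{
		{"single-name", []string{"www.example.com"}},
		{"wildcard", []string{"*.example.com"}},
		{"multi-domain (SAN)", []string{"www.example.com", "www.example.org"}},
	}
	hosts := []string{"www.example.com", "mail.example.com", "example.com", "a.b.example.com", "www.example.org"}
	for _, k := range kinds {
		cert, err := MakeTestCert("Example Ltd", k.names, now.Add(-time.Hour), now.Add(90*24*time.Hour))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s certificate: issuer %v, serial %s, valid %s to %s, SHA-256 %s...\n", k.label,
			cert.Issuer.Organization, cert.SerialNumber, cert.NotBefore.Format("2006-01-02"),
			cert.NotAfter.Format("2006-01-02"), Fingerprint(cert)[:16])
		for _, h := range hosts {
			fmt.Printf("  covers %-18s %v\n", h, Covers(cert, h))
		}
	}
	// An expired certificate is rejected even though its names still match.
	old, _ := MakeTestCert("Example Ltd", []string{"www.example.com"}, now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	err := ValidAt(old, "www.example.com", now)
	fmt.Println("expired certificate rejected:", IsExpired(err), "-", err)
}
```

Two details worth noting from the output: a wildcard certificate covers exactly one label, so “*.example.com” matches “mail.example.com” but neither the bare “example.com” nor “a.b.example.com”, and the validity check is independent of the name check, which is why a site can show a name mismatch one day and an expiry warning the next.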
How can I recognise an SSL certificate?
If you are using a current browser, it’s easy to tell whether you’re browsing a website secured with SSL/TLS: take a look at the address bar! There are two things that directly point to encryption: first, a lock symbol, and second, the address starts with “https://” instead of the usual “http://”. The additional “S” stands for “Secure” and signals to users that an SSL/TLS layer has been added to the Hypertext Transfer Protocol. In other words, an additional encryption layer has been inserted into the TCP/IP protocol stack, between TCP and HTTP.
The (usually green) lock is first and foremost an obvious signal from your browser that the website you are visiting has a valid certificate. You can also click on it to get more information about the website’s security: a pop-up window opens with information about the certificate’s issuer, the encryption used and the validity period.
If the website has a valid EV SSL certificate, browsers will display the website operator’s name as well as the green lock. In this way, the browser signals to the user that the visited page offers a high degree of security.
If the website you are on does not have a validated SSL certificate, there will be no green lock or “https://” in the address bar. In addition, some browsers warn users on these websites when they attempt to transmit passwords or other sensitive data to the server, alerting them so that their data won’t be intercepted by strangers.
The warning only appears if you can submit personal data on a page. However, Google plans to mark all HTTP websites as unsafe on their Chrome browser from July 2018.
Just because a website does not have an SSL certificate does not necessarily mean that the website is fraudulent. However, the risk that criminal third parties steal important personal data from you is higher on these sites than on ones with SSL certificates. HTTPS is essentially indispensable, especially when it comes to transmitting sensitive data.