What is an SSL Certificate
Sometimes when you visit a website, you may notice a “Not secure” warning right next to the website URL. If you look at the URL itself, it begins with HTTP and not HTTPS. A couple of years ago, web browsers began marking websites without an SSL (Secure Sockets Layer) certificate as not secure, to warn users about the security risk of visiting the website.
An SSL certificate or HTTPS ensures that the site you’re viewing is the site you actually searched for. It ensures that no tampering or modification has occurred between the server and your device. SSL encrypts any communication between you and the website server, and if any traffic is intercepted by a third party, the information they get will be completely garbled and of no use. SSL certificates are issued by a Certificate Authority (CA), which verifies the website before issuing the certificate.
It’s basically like talking to a stranger over the phone. You have to be sure that:
- You’re talking to the person you wanted to talk to – so you get a mutual friend to introduce you.
- If someone else is listening in on your conversation, they should not be able to get information from it.
So the solution is to talk in code.
SSL also digitally signs each information packet to ensure that there is no tampering, just like sealing a parcel before you courier it so that any tampering in between can be noticed.
So basically, the SSL certificate is issued by a third party (the mutual friend), so you can be sure that you’re seeing the correct website. And it encrypts the communication (talking in code) so that no one can listen in.
The encryption
The encryption part is done using what is called asymmetric encryption. You can compare encryption to using a lock. To open or close a lock, you need a key, and you need to follow a set of steps to lock or unlock it (insert the key, turn). In encryption there is also a key, and the steps used to lock the message are the encryption algorithm. In the simplest form of encryption, you can replace all the letters of the alphabet with a number.
Now the key to encrypting it will be something like this
HI I AM STEVE
Becomes
9 10 10 1 14 20 21 6 23 6
The algorithm is to take the text and replace the letters with the numbers, and the key could be anything. Keep in mind that this is a very simple example. In this case, to decrypt the message, you use the same key and replace the numbers with the letters. This is a case of symmetric encryption: the same key for locking and unlocking. The problem with this is that you need to get this key to the receiver securely, and if the key is lost in between, the message is not encrypted anymore.
But SSL uses asymmetric encryption, which requires one key for encryption and another for decryption. Coming back to the lock and key situation, you need one key to lock and another key to unlock.
And this is what is used for SSL encryption.
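The two-key idea and the tamper seal described above, as an added example that is not part of the original article: textbook RSA built from two small, well-known primes with no padding, for illustration only. The function names and the sample message are constructed; real certificates use far larger keys and padded schemes.

```python
import hashlib

# Toy key pair from two well-known Mersenne primes (assumption for this
# example; far too small and too structured for real use).
P, Q = 2**61 - 1, 2**31 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent: the key that locks
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: the key that unlocks


def encrypt(m: int) -> int:
    """Anyone holding the public key (N, E) can lock a message."""
    return pow(m, E, N)


def decrypt(c: int) -> int:
    """Only the holder of the private exponent D can unlock it."""
    return pow(c, D, N)


def digest(data: bytes) -> int:
    """SHA-256 of the data, reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes) -> int:
    """Seal the data: transform its hash with the private key."""
    return pow(digest(data), D, N)


def verify(data: bytes, signature: int) -> bool:
    """Check the seal using only the public key."""
    return pow(signature, E, N) == digest(data)


def demo() -> dict:
    secret = int.from_bytes(b"HI STEVE", "big")   # constructed sample message
    locked = encrypt(secret)
    page = b"<h1>Flower shop</h1>"                # constructed sample payload
    seal = sign(page)
    return {
        "round_trip": decrypt(locked) == secret,
        "public_key_unlocks": pow(locked, E, N) == secret,
        "seal_valid": verify(page, seal),
        "tampered_seal_valid": verify(page + b"<script>", seal),
    }


if __name__ == "__main__":
    print(demo())
```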
SSL was developed by Netscape way back in 1995 to ensure privacy and authentication in communications over the internet, but it was last updated in 1996 and what we are using is actually TLS or Transport Layer Security. Even then, the names SSL and TLS are used interchangeably.
Although it was developed way back, it was only in early 2017 that browsers began marking websites without SSL accepting payment information as “Not Secure”, and it was a year and a half later when Google Chrome started marking all websites without SSL. Of course, in the initial days of the internet, encryption itself wasn’t an issue and only banks and similar services used it as it was expensive, but now, having an SSL certificate is necessary.
Why do you need SSL (Secure Sockets Layer)?
Simply put, you can increase the traffic to your website with HTTPS. As mentioned before, Google Chrome, as well as other browsers, now mark websites without HTTPS as Not Secure. Of course, a very rational question that comes to mind is: who even cares about HTTPS? Most people don’t even know what HTTPS is, or its importance, and even if they do, they won’t bother as long as they don’t make payments on your site. And you’re probably right. But even if not everyone understands HTTPS, there’s a good chance that seeing your website marked as Not Secure will deter visitors.
Now consider SEO (Search Engine Optimization). Every time someone searches for something on Google (or any search engine), an algorithm examines the query and retrieves the results best suited to it. The algorithms are continuously being updated to give users a better experience. So let’s say that you have a business selling flowers. Every time someone searches “Where can I buy flowers” or something like that, you want your website to come up first in the search results. The ranking in search results depends on a lot of factors, but you can be sure that if two websites have the exact same ranking, the website with HTTPS will come up first.
Another question you may have is, why bother having encryption for a simple static site? Why bother having SSL for a blog page? How secure do you want your blogs to be?
Even if you don’t have any payment or forms on your website, the visitors can still be affected by bad actors. Without SSL, attackers can put malicious data into your web pages before they reach the visitor, and this can affect the visitor in a direct or indirect way. They may insert cryptominers (using the visitor’s computer hardware to mine cryptocurrency) or tamper with your website for phishing (asking for a visitor’s info by presenting as a legitimate entity such as their bank). There’s also a risk of a visitor’s system being used as a DDoS cannon (the attacker uses multiple systems, including your visitor’s, to take down a major target), and of course, the risk of your website visitors’ devices themselves being compromised.
And modern SSLs can improve your page load times, which will translate to better user experience, higher search rankings, and therefore more traffic.
Types of SSL certificates
Depending on the level of assurance you need to provide your visitors or the level of identity verification involved, there are basically 3 types of SSL certificates.
Extended Validation Certificates
For websites that accept payments or logins or collect data, Extended Validation Certificates are used. These certificates represent the highest level of verification. They are used to protect your visitors from phishing attacks, and the name of the business will be displayed in the certificate. To obtain one, the website owner will have to show that they’re legally allowed to use the domain (there are standardised processes for this), and show proof of their physical address, phone number, and more. These are also the most expensive SSL certificates, costing $100 to $1000 a year, but you can get one for somewhere around $200.
Organisation Validated Certificates
For websites of organisations and businesses, an Organisation Validated Certificate can be used. Though it is a simpler process compared to an EV SSL, the website owner has to complete a substantial verification to obtain this certificate. Here also, the name of the organisation is shown in the certificate. Compared to EV SSL, OV certificates are much cheaper.
Domain Validated Certificates
Domain Validated Certificates are the cheapest SSL certificates you can obtain. Getting one is a simple process completed in minutes, and the entire process is online. You only have to prove that you control the domain. The verification is often done by a mail sent by the CA to an address in the domain’s WHOIS record, or by placing a verification file provided by the CA on the website. While these certificates may not show a lot of trust to the users, for websites like blogs, they are enough. A key difference from EV and OV SSL is that for domain validated certificates, the name of the organisation will not be shown on the certificate.
For these three types of SSLs, there are two subtypes. They are Wildcard SSLs and Multidomain SSLs.
Wildcard SSLs are available only for domain validated and organisation validated SSLs (not for EV SSLs). With these certificates, you can secure multiple subdomains of a single base domain. For example, with a wildcard SSL, you can secure a base domain like domain.com and subdomains like subdomain1.domain.com, subdomain2.domain.com, etc. And like this, you can secure an unlimited number of subdomains.
With a Multi-domain SSL, you can secure multiple domains with a single certificate. These are available for EV, DV, and OV SSLs, and are a cheaper and time-saving way to add SSL to your website. Basically you get one certificate for “domain” and you can use it to secure domain.com, domain.in, etc. You can even get Wildcard Multi-domain SSL, with which you can secure subdomain1.domain.com, subdomain1.domain.in, etc. Basically you can specify “Subject Alternative Names” on these certificates and therefore these certificates are also known as SAN SSLs.
Paid or Free?
For any website owner, minimising the associated cost is important. The only difference between a free and a paid SSL is the support you get for paid SSL certificates. The level of encryption and the security offered by both paid and free SSLs are exactly the same. So, if you are comfortable solving problems on your own (and it’s not hard, you’ll get more than enough resources online), go for a free SSL.
If you click on the lock icon next to the URL of this website, you can see the SSL certificate, and you can see that it is issued by Let’s Encrypt, a completely free service issuing domain validated SSLs. Do keep in mind that only domain validated SSLs are available for free, simply because it’s not possible to automate the issuance of the other two types. But as you can see, in most cases, DV SSLs are enough.
Shared SSLs.
A shared SSL is one that is used in common by all the websites on a server. It is used for shared hosting services, as well as by CDN providers like Cloudflare. As a rule of thumb, if your website is working well with shared hosting, a shared SSL will be enough. But of course, the level of trust among visitors will be low, and if your site has payment, you need to go for a different option.
Self signed SSL
This is probably the easiest SSL certificate you can get, but also the least secure. As the name suggests, the owner of the website verifies the identity of the website. As you can guess, this doesn’t inspire a lot of confidence, and when someone visits the website, the browser will generally put up a warning saying the website is not secure, even though you’ll get HTTPS with a self signed SSL. This option is not recommended, particularly when you can get domain validated SSLs for free.
How to choose an SSL certificate.
If you are simply running a blog or even a small business, a free domain validated SSL is enough. It’s easy, it can be done in minutes and well, it’s free. If you don’t have a lot of experience with websites, get a paid SSL certificate for the support that comes along with it.
For these two, I’d recommend either Let’s Encrypt or Cloudflare.
There are two reasons why Cloudflare is mentioned. First, it’s free, but more than that, even for the free plan, you get email support, and Cloudflare is promising a median response time of fewer than 24 hours. And because it’s a CDN service (basically, it stores copies of your website on its servers all over the world, so visitors will get a copy from a server closer to them), your website load time will improve, your search ranking will improve and your traffic will improve. And it’s more or less easy to set up.
Let’s Encrypt is also a completely free service, and the process is fully automated. And this one’s also easy to set up.
Of course, make sure that your hosting service supports these SSLs.
When getting an OV or EV, there are many resources that compare different CAs. Decide if you want a multi-domain or wildcard SSL, but make sure that the CA has 24/7 support. And here’s a detail: it doesn’t matter how much you’re paying, the protection offered by all SSLs is the same, and the authority or authenticity of OV and EV SSLs is equal regardless of the Certificate Authority. You’re only paying for the verification process and the support (more or less). And most of them offer a warranty as well as a 15 to 30 day refund policy. So basically look out for
- Support offered
- Warranty
- Refund policy
- And decide if you want a wildcard or multi-domain SSL.
Installing SSL.
The specific instructions for installing an SSL certificate are different for different platforms. If you’re paying for the certificate, you’ll get 24/7 support from the Certificate Authority, and they’ll guide you through the process.
But if you prefer getting to know the complete process before you get started, DigiCert has an extensive list of steps for just about all platforms. Do keep in mind that the steps are tailored for certificates from DigiCert, but I believe it’s easy enough to modify the steps for all certificates.
On the side of free SSL certificates, you have Let’s Encrypt. While you won’t be getting any tech support, they have extensive documentation as well as dedicated community forums.