SSL Certificates: The ultimate guide
Why is having an https:// address so important for your website? It shows search engines and customers that your site is secure. That little “s” at the end indicates that you have an SSL certificate. SSL stands for Secure Sockets Layer, a security protocol that creates an encrypted link between a web server and a web browser.
What is an SSL certificate?
SSL certificates work by creating an encrypted link between a web server and a web browser. This protects the privacy of the data passed between the two: while in transit, the data is hidden from third parties and visible only to the customer and the site owner.
Hypertext Transfer Protocol, otherwise known as HTTP, transmits and receives data across the internet, and HTTPS is its more protected version (the version with an SSL).
If you take a look at the address bar, you will see a padlock followed by https:// rather than http://. This shows that the site you are visiting has an SSL.
Why do you need one?
When customers submit a form on your website, they trust that you protect their data. Without proper protection, hackers can steal their information.
How do hackers steal information? A common method hackers use is intercepting data on an unsecured website by placing a small, undetected listening program on your website’s server. The program lies dormant in the background until a customer begins typing information; it then activates, captures the data, and sends it back to the hacker.
This information can include anything from an email address, home address and even your customer’s bank details. Imagine the impact that could have on your business. If word spreads that your site is unsafe, you’ll lose customers, and your brand will be seen as unreliable.
How do you stop this from happening?
By having an SSL certificate!
If your site has an SSL, your customer’s browser forms a connection with your web server, examines the SSL certificate, and then secures the link between the browser and the server. So no one besides you and your customer can see or access the information they input.
Companies that request personal information from customers, such as an email address or payment information, should have SSL certificates on their website.
An SSL certificate helps to secure sensitive information including:
Login credentials
Credit card transactions
Bank account details
Identifiable information — full name, address, birth date, phone number
Legal documents and contracts
Medical records
Proprietary information
Many people believe that they don’t need an SSL if they are not an eCommerce site or a site which offers payment services. The common misconception is that hackers and cybercriminals are only after payment information, including credit cards and banking details. But they can use any information they can get to cause trouble.
If any piece of information falls into the wrong hands, it can turn your online life upside down. Even an email address can be used by hackers: they may try it as a username to log in to other websites, or sign you up to databases that send out scary phishing emails.
Having one means that the details you are collecting are private, and it assures customers that when they see the padlock and https://, their privacy is safe.
Which SSL certificate do I need?
SSL certificates are categorised by encryption, validation, and domain number. For certificates defined by domain number, the types are single, multi-domain, and wildcard. A Certificate Authority (CA) processes all of the certificates.
Let’s find out more about the types of SSL certificate:
A Domain Validation (DV) certificate
The Domain Validation Certificate is the quickest validation you can receive, but it’s also the least secure as it only requires proof you own the domain, not the business.
Verification happens when you add a DNS record supplied by the CA to your domain. The CA then checks the record to confirm that you have the right to the domain.
One disadvantage of this type of certificate is the lack of an identity check, so visitors can’t tell who is receiving their encrypted information.
Organisation Validated (OV SSL) Certificate
Organisation Validated Certificates verify both that your organisation exists and that you control the domain.
To receive an OV SSL certificate, the CA must first verify the owner of the domain and then check if the organisation is operating legally.
Extended Validation (EV) SSL Certificate
Extended Validation (EV) SSL requires proof that you are authorised to own the domain. It assures your customers that you are legally collecting the data to perform actions like taking a credit card number for online purchases.
If your website processes web payments or collects data, you need to get this certificate as it has a higher level of security and protection.
Wildcard SSL Certificates
With a Wildcard SSL, you can use one certificate to cover the primary domain (www.) and all sub-domains. It’s cheaper than obtaining multiple SSL certificates and is excellent for businesses that have many sub-domains to cover.
For example, if you purchased a Wildcard for example.com, it could be applied to mail.example.com and blog.example.com.
Single Domain SSL Certificate
Single Domain SSLs only protect one domain. Therefore, you can’t use it for subdomains or additional domains.
For example, if you purchase this certificate for example.com, you can’t use it for blog.example.com or 2ndexample.com.
Multi Domain SSL Certificate
A multi-domain SSL certificate, also known as a Subject Alternative Name (SAN) certificate or Unified Communications Certificate (UCC), is a type of certificate that allows you to secure multiple domains (websites) with a single certificate. This is particularly useful for organisations or individuals who manage several websites or services and want to simplify their SSL certificate management.
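The coverage rules for the three domain types above, as an added Python example (not code from the original page). It goes one step beyond the text: a wildcard name matches exactly one sub-domain level, so `*.example.com` does not cover `dev.blog.example.com`. The name lists are constructed, the function names are illustrative, and the matching is simplified to whole-label wildcards.

```python
def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name against a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # A wildcard stands for exactly one label, never several or none.
        return False
    if p[0] == "*":
        # Wildcard is honoured only as the whole left-most label, and only
        # above a registrable domain ("*.com" must never match).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def covered(cert_names, hostname: str) -> bool:
    """True if any name listed in the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


# Constructed name lists, one per certificate type described above.
CERTS = {
    "single": ["example.com"],
    "wildcard": ["example.com", "*.example.com"],
    "multi-domain": ["example.com", "2ndexample.com", "shop.example.org"],
}

# Constructed hostnames to test against each certificate.
HOSTS = [
    "example.com",
    "mail.example.com",
    "blog.example.com",
    "dev.blog.example.com",
    "2ndexample.com",
]


def coverage_table(hosts=HOSTS):
    """Map each certificate type to the hostnames it would secure."""
    return {kind: [h for h in hosts if covered(names, h)]
            for kind, names in CERTS.items()}


if __name__ == "__main__":
    for kind, secured in coverage_table().items():
        print(f"{kind:13} -> {', '.join(secured)}")
```

Any hostname missing from a row would trigger a browser name-mismatch warning if that certificate were served for it.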
How much does it cost?
When searching for an SSL certificate for your website, you will probably see several companies offering them for free. And the companies that charge for SSL certificates vary widely in cost.
So, which do you need, and why pay if you can get it free? Just because something is free doesn’t mean it’s the best option.
Before we delve deeper into this topic, it’s important to note that every SSL certificate offers the same level of encryption. Both free and paid-for SSLs are generally issued with 256-bit certificate encryption and 2048-bit key encryption.
You do not get stronger encryption from paid than you do from free SSL certificates.
Free SSLs
Free SSL certificates fit into two categories. The first is ‘Self-Signed Certificates’, which do not need any Certificate Authority to sign them. The second type of free SSL certificate available in the market is a Domain Validation (DV) option.
DV’s may be perfect for a small website or blog, but more is needed for larger websites that collect personal information about their users.
What are the downsides to having a free SSL certificate?
Free certificates cannot be used for securing credit card and personal information on e-commerce websites. To do this, you need to have a certification of your authenticity, which you can only get with Business Validation or Extended Validation SSL Certificates.
Free SSL certificates are only valid for 30-90 days, so you have to renew them frequently.
According to the Anti-Phishing Working Group (APWG), almost 60% of phishing sites use free SSLs to look more credible and deceive their victims.
Paid-for SSLs
Although they don’t have a higher level of encryption, they offer extra security:
A certificate issued by a reputable Certificate Authority makes a website more reliable to any customer. Paid certificates allow clients to report any issue to the CA, who immediately investigates them.
Unlike free SSL certificates, which only last for 30-90 days, paid certificates last for a year.
Paid-for SSL certificates give you warranty insurance that covers any damage incurred due to a hack or data breach caused by a flaw in the certificate.
Do I already have an SSL certificate?
SSL certificates are often purchased and then entirely forgotten until you suddenly come across a blog post reminding you how important they are. But you don’t have to wade through all your website documentation to see if you can find it! CWCS has an SSL certificate checker.
Or you can check for the handy padlock in the address bar and view the details there. By doing this you can see:
The domain name the certificate was issued to
The person, organisation, or device it was issued to
Which Certificate Authority issued it
Certificate Authority’s digital signature
Subdomains
Issue date
The expiry date
The public key
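An added Python example (not from the original page or from CWCS) that reads most of these details programmatically and reports how many days remain before renewal, which matters with the 30-90 day lifetimes mentioned earlier. It uses the standard `ssl` module; the sample certificate and the `warn_days` threshold are constructed, and the public key and signature are omitted because `getpeercert()` does not return them.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the validated certificate from a live server (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _field(rdns, key):
    for rdn in rdns:                      # subject/issuer are nested tuples
        for name, value in rdn:
            if name == key:
                return value
    return None

def _when(text):
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), timezone.utc)

def summarise(cert, now=None, warn_days=30):
    """Return the details a padlock dialog shows, plus days until expiry."""
    now = now or datetime.now(timezone.utc)
    issued, expires = _when(cert["notBefore"]), _when(cert["notAfter"])
    days_left = (expires - now).days
    return {
        "issued_to": _field(cert["subject"], "commonName"),
        "organisation": _field(cert["subject"], "organizationName"),
        "issuer": _field(cert["issuer"], "organizationName"),
        "names": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "issued": issued.date().isoformat(),
        "expires": expires.date().isoformat(),
        "lifetime_days": (expires - issued).days,
        "days_left": days_left,
        "renew_now": days_left <= warn_days,   # warn_days is an assumed threshold
    }

# Constructed sample in the dict layout that getpeercert() returns.
SAMPLE = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "XX"),), (("organizationName", "Example CA"),)),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Apr 09 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    print(summarise(SAMPLE, now=datetime(2024, 3, 20, tzinfo=timezone.utc)))
```

For a live site, pass `fetch_cert("your-domain")` to `summarise()`; an empty `organisation` field is what a Domain Validation certificate looks like.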
Finally…
If you want to discuss your site security and hosting requirements, get in touch with a member of our team. Our experts are always happy to help you choose the right solution.