What is a Secured Server Certificate (SSL Certificate)?
Basically, an SSL certificate switches your website from the normal 'http' protocol to the encrypted and secured 'https' protocol. SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, a certificate activates the padlock and the https protocol (over port 443) and allows secure connections from a web server to a browser. Typically, SSL is used to secure credit card transactions, data transfer and logins, and more recently it is becoming the norm for securing browsing of social media sites. SSL Certificates make sure:
- A domain name, server name or hostname is secure (transactions between the server and the client are encrypted, meaning the https protocol is used instead of http).
- An organizational identity (i.e. company name/website name) and location belongs to said organization (not an imposter).
Do I need an SSL Certificate for my website?
I'll give 4 main reasons why websites need SSL:
1. E-commerce websites may need to have an SSL Certificate.
2. If you're using a form with sensitive customer information then you will need an SSL certificate. This helps keep your customer’s data from being intercepted.
3. If your website has a login requiring a user name and password, you will need an SSL Certificate.
4. If you have social media pages/IDs at social media websites and you want a secured connection between your social media pages/IDs and your own website.
If your website only offers general information about your products and/or services, or photo galleries of your products and services, and doesn’t require your customers to log in, then you likely do not need an SSL certificate.
Why SSL? What is the purpose of using SSL certificates?
SSL is the backbone of our secure Internet and it protects your sensitive information as it travels across the world's computer networks. SSL is essential for protecting your website, even if it doesn't handle sensitive information like credit cards. It provides privacy, critical security and data integrity for both your websites and your users' personal information.
SSL Encrypts Sensitive Information
The primary reason why SSL is used is to keep sensitive information sent across the Internet encrypted so that only the intended recipient can understand it. This is important because the information you send on the Internet is passed from computer to computer to get to the destination server. Any computer in between you and the server can see your credit card numbers, usernames and passwords, and other sensitive information if it is not encrypted with an SSL certificate. When an SSL certificate is used, the information becomes unreadable to everyone except for the server you are sending the information to. This protects it from hackers and identity thieves.
SSL Provides Authentication
In addition to encryption, a proper SSL certificate also provides authentication. This means you can be sure that you are sending information to the right server and not to an imposter trying to steal your information. Why is this important? The nature of the Internet means that your customers will often be sending information through several computers. Any of these computers could pretend to be your website and trick your users into sending them personal information. It is only possible to avoid this by using a proper Public Key Infrastructure (PKI), and getting an SSL Certificate from a trusted SSL provider.
SSL Provides Trust
Web browsers give visual cues, such as a lock icon or a green bar, to make sure visitors know when their connection is secured. This means that they will trust your website more when they see these cues and will be more likely to buy from you. SSL providers will also give you a trust seal that instills more trust in your customers.
SSL Protects against phishing attacks
HTTPS also protects against phishing attacks. A phishing email is an email sent by a criminal who tries to impersonate your website. The email usually includes a link to their own website or uses a man-in-the-middle attack to use your own domain name. Because it is very difficult for these criminals to receive a proper SSL certificate, they won’t be able to perfectly impersonate your site. This means that your users will be far less likely to fall for a phishing attack because they will be looking for the trust indicators in their browser, such as a green address bar, and they won’t see it.
SSL is required for PCI Compliance
In order to accept credit card information on your website, you must pass certain audits that show that you are complying with the Payment Card Industry (PCI) standards. One of the requirements is properly using an SSL Certificate.
Disadvantages of SSL
With so many advantages, why would anyone not use SSL? Are there any disadvantages to using SSL certificates? Cost is an obvious disadvantage. SSL providers need to set up a trusted infrastructure and validate your identity so there is a cost involved. Performance is another disadvantage to SSL. As the information that you send has to be encrypted by the server, it takes more resources than if the information was not encrypted. The performance difference is only noticeable for websites with large numbers of visitors and can be minimized with special hardware and web services in such cases.
Overall, the disadvantages are few and the advantages far outweigh them. It is critical that you properly use SSL on all your websites. Proper use of SSL certificates will help protect your customers, help protect you, and help you gain your customers' trust and, of course, sell more.
SSL Certificate Types
There are three types of SSL Certificates:
1. Secure Socket Layer Certificate [SSL].
2. Software Signing [Code Signing Certificate].
3. Client Certificate [Digital ID].
Secure Socket Layer
Secure Socket Layer [SSL] server Certificates are installed on a server. This can be a server that hosts a website, a mail server, a directory or LDAP server, or any other type of server that needs to be authenticated, or that wants to send and receive encrypted data.
Code Signing Certificate
Code Signing Certificates are used to sign software or programmed code that is downloaded over the Internet. It is the digital equivalent of the shrink-wrap or hologram seal used in the real world to authenticate software and assure the user it is genuine and actually comes from the software publisher that it claims.
Client Certificate
Client Certificates or Digital IDs are used to identify one person to another, a person to a device or gateway or one device to another device. Client Certificates are issued in their thousands and millions each year and would be the principal reason for purchasing a CA.
Two people communicating by email will use a client certificate to authenticate or digitally sign their respective communications. This signature will assure each person that the email is genuine and comes from the other person.
A person that is given access to a secure online service like a database, an extranet or intranet will be authenticated to the gateway or entry point using a Client Certificate. This type of strong two factor authentication replaces less secure usernames and passwords currently in use on many websites.
If two routers or the two ends of a Virtual Private Network [VPN] connection need to authenticate each other, a Client Certificate can be used and exchanged to prove the connection is trusted. This type of client authentication occurs deep within the application and is not usually visible to the end user. This type of device-to-device authentication often uses a particular IPSec Client Certificate.
Also, bespoke applications and hardware seeking to utilize IP technology securely can use Digital Certificates to authenticate the application and/or for device-to-device authentication.
What do I need to have before buying an SSL certificate?
- A unique IP address.
Because of the way that the SSL protocol was set up, you will need a separate IP address for each certificate that you want to use. If you don't, some older devices and browsers won't be able to use your site.
If you have multiple subdomains on one IP address, you can secure them with a Wildcard SSL Certificate. If you have multiple different domain names on one IP address, you can secure them with a UC Certificate. You will need to set up SSL Host Headers to do this.
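To see which hostnames a wildcard or UC certificate actually covers, the following added example (not part of the original page) applies the matching rules browsers commonly use: a `*` stands for exactly one left-most label. The hostnames and certificate name lists are constructed samples; in a UC certificate the names are carried as Subject Alternative Names.

```python
def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_covers(cert_name, hostname):
    """True if one certificate name (exact or wildcard) covers hostname."""
    c, h = _labels(cert_name), _labels(hostname)
    if len(c) != len(h) or "" in h:
        return False  # a wildcard stands for exactly one label, never several
    if c[0] == "*":
        # Accept '*' only as the entire left-most label, above at least two
        # fixed labels, so '*.com' and 'w*.example.com' are rejected.
        return len(c) >= 3 and "*" not in "".join(c[1:]) and c[1:] == h[1:]
    return "*" not in cert_name and c == h


def uncovered_hosts(hostnames, cert_names):
    """Return the hostnames that no name in the certificate covers."""
    return [h for h in hostnames
            if not any(name_covers(n, h) for n in cert_names)]


# Constructed sample data (hypothetical site and certificates).
HOSTS = ["example.com", "www.example.com", "shop.example.com",
         "api.v2.example.com", "shop.example.net"]
WILDCARD_CERT = ["*.example.com"]
UC_CERT = ["example.com", "www.example.com", "shop.example.net"]

if __name__ == "__main__":
    # The wildcard misses the bare domain, the two-level subdomain
    # and the unrelated domain.
    print("wildcard leaves uncovered:", uncovered_hosts(HOSTS, WILDCARD_CERT))
    # The UC certificate covers only the names it lists explicitly.
    print("UC cert leaves uncovered: ", uncovered_hosts(HOSTS, UC_CERT))
```

Running a check like this over every hostname you serve before ordering shows whether a wildcard alone is enough or whether the bare domain and other names must be listed as well.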
- A CSR.
A certificate signing request or CSR is a piece of text that must be generated on your web server before ordering the SSL certificate. The certificate authority will use the information contained in the CSR (Organization name, domain name, public key, etc...) to create your certificate.
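The following added example (not from the original page) generates a key pair and a CSR, then reads back the fields a certificate authority takes from it. It assumes the third-party Python `cryptography` package is installed; the organization and domain names are constructed samples.

```python
# Added example: requires the third-party "cryptography" package.
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def make_csr(common_name, organization, country, dns_names):
    """Generate a key pair and CSR. Only the CSR is sent to the CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, country),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
    ])
    san = x509.SubjectAlternativeName([x509.DNSName(n) for n in dns_names])
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(subject)
        .add_extension(san, critical=False)
        .sign(key, hashes.SHA256())  # signing proves possession of the key
    )
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),  # demo only; protect the key on a server
    )
    return key_pem, csr.public_bytes(serialization.Encoding.PEM)


def inspect_csr(csr_pem):
    """Parse a PEM CSR and return the fields a CA reads from it."""
    csr = x509.load_pem_x509_csr(csr_pem)
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    subj = csr.subject
    return {
        "common_name": subj.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "organization": subj.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)[0].value,
        "dns_names": san.value.get_values_for_type(x509.DNSName),
        "key_bits": csr.public_key().key_size,
        "signature_valid": csr.is_signature_valid,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    key_pem, csr_pem = make_csr("www.example.com", "Example Ltd", "GB",
                                ["www.example.com", "example.com"])
    print(csr_pem.decode())
    print(inspect_csr(csr_pem))
```

The CSR contains the public key and your details but never the private key, which stays on the server and is needed later to install the issued certificate.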
- Correct contact information in WHOIS record.
When you purchase a certificate for a particular domain name, the certificate authority needs to ensure that you own the domain name that you are getting the certificate for and that you are authorized to order the certificate. This is primarily done by making sure that the WHOIS record (the ownership and contact information associated with each domain name) matches the company name and address that is submitted with the certificate order. Some CAs will call the phone number listed in the WHOIS record and many will send an email to the address listed there so make sure you have the correct information listed. You can check the WHOIS record for your domain name here.
- Business/Organization validation documents.
If you are buying a high-assurance certificate, your business must also be validated. Certificate authorities often check government databases online to verify that your company is registered but they may still need you to send in a government registration document if they can't find your business. Each certificate authority has slightly different requirements for validation. If you want to check whether your company is correctly listed and active with your government, try using one of these online searches. If you are buying an EV certificate, you will need to provide even more documentation. Your certificate provider will let you know what you need to provide after you place your order.
How long does it take to get my certificate?
How quickly you get your certificate depends on what type of certificate you get and which certificate provider you get it from. If you get a domain-validated only certificate you will receive it within a few minutes. If you get a normal, organization-validated certificate, you may receive it within an hour to a few days after you submit all the documentation. If you get an extended validation certificate (EV), you may wait several days to a few weeks while the validation takes place before you get the certificate.