A Guide to SSL/TLS Certificates


SSL stands for Secure Sockets Layer. An SSL certificate is a security certificate that encrypts communication between a client, such as a browser, and a server, thereby safeguarding the data being transmitted from third parties. TLS (Transport Layer Security) is the newer version of SSL. All modern "SSL" certificates are actually TLS certificates, but since we are used to the term SSL, that is what we call the newer protocol as well.

SSL certificates have become a very important aspect of the Internet, and protocols that use SSL, such as HTTPS, are moving towards becoming mandatory for an effective Internet presence. It affects your search engine ranking and your users' trust in a big way. Web browsers and email clients now warn users whenever they access sites or emails that have not been encrypted using SSL. They display a notice that your site/email is 'not secure' and make sure to show it in red. This catches your users' attention and will affect their trust in your product.

How SSL Works

The details of how SSL works can be hard to grasp. The handshake completes in a few milliseconds, and its objective is to ensure that the communicating parties are who they say they are, and that the data being exchanged is encrypted and has not been altered.

To get details on exactly how this process works, please read through Cloudflare’s blog post on how SSL works.

Why is SSL important?

The following 5 reasons demonstrate why your website must be secure in 2020:

  • Increase your website users' trust. Chrome and Firefox display a 'Not Secure' notice prominently on your site if it is not running on HTTPS. Well, as the saying goes, people trust Google, and if your visitors see the 'Not Secure' notice first thing when they visit your site, chances are that they won't be return visitors. Avoid the insecure HTTP protocol, as there are plans to phase it out soon.
  • Allows you to use the latest web technologies. As far as plans to wipe out HTTP go, the introduction of HTTP 2.0, aka HTTP/2, goes a long way. This protocol is an improvement on the older HTTP protocol and is secure and faster. But the catch is that it only works with SSL.
  • You get a better SEO rank with HTTPS. Basically, Google awards more SEO points to sites that use HTTPS than to sites that use HTTP. Holding all other factors constant, your site cannot rank higher on a keyword if it uses HTTP than a competitor's site that uses HTTPS. Why lose the upper hand on this? It's easy to secure your site with HTTPS.
  • Some useful mobile features are only available on HTTPS. We all agree that a huge amount of the traffic to our sites comes from mobile users. Mobile phones have become more powerful and feature-oriented, making them more convenient for use on most sites. However, some features such as access to the camera and microphone, browser geolocation and full screen are only made available via HTTPS. If your site delivers these features, you must use HTTPS.
  • Gmail, the world's most popular email service, notifies users when you don't deliver mail securely. If you send mail from a mail server that does not use SSL/TLS to encrypt mail, Gmail warns its users that your mail was not delivered securely. What users take from this is that your server is not secure, or that you do not care about their security as your users. Imagine running an ecommerce site and sending order details to your users from an insecure email server, resulting in the notice above. The user may end up not completing the purchase after all. Remember, most users are not technical, and when Google tells them 'Not Secure', they trust this and fill in the rest of the blanks themselves.

The Process of Obtaining an SSL

Installing an SSL is a process that varies depending on the platform and web server you are using. However, the process of acquiring an SSL certificate is the same everywhere and follows these steps:

You will access your web server and generate a Certificate Signing Request (CSR). This process also creates a private key, which is critical to the operation of the SSL. Then, using the CSR, you will request an SSL from an SSL vendor. Basically, this means you will paste your CSR into a form, fill in a few details and submit it to the CA. The CA will then authenticate your ownership of the domain before issuing you a certificate. Once you get this, you will attach it to your web server so that it can be used to secure your connections.

What types of SSL are available

Now that we know just how important an SSL certificate is, how do we obtain one, and what SSL certificate options are available to you?

There are various ways to classify SSL certificates. I will use several criteria here, adding examples of SSL brands to make this clearer.

Self-signed SSL vs Validated SSL

Who issues SSL certificates? Why should you trust that when you enter your details on a site that has SSL, the details are indeed transmitted securely?

SSL certificates are issued by organizations called Certificate Authorities (CAs). CAs are mandated to validate and issue SSL certificates for domain names. Basically, they issue a certificate after you request it using a Certificate Signing Request.

Looking at SSL from the point of view of who issues it, we can classify SSLs into two groups: self-signed SSL and validated SSL. Self-signed SSLs are SSL certificates that are generated and issued by a web server without validation from a CA. Though they encrypt data in transit, self-signed SSLs do not show the green padlock and normally trigger a warning in the browser, because they have not been validated by a third party, i.e. a CA. A self-signed SSL is like issuing yourself a driver's license or ID card. If you did this, it would mean no one validated your information, and therefore we can't really trust that you are who you say you are on your ID, simply because you created that ID and issued it to yourself without a third party validating the information in it.

A validated SSL is an SSL requested from and issued by a third-party organization whose job is to validate and issue SSLs to individuals and organizations. These SSLs are designed to meet a specific industry standard and do show a padlock (green in older browsers, grey nowadays) without warnings when used. These SSLs are issued by Certificate Authorities.

A major difference between a self-signed SSL and a premium SSL is that a self-signed SSL can have a validity period of thousands of days, while a premium SSL has a maximum validity of 2 years, after which it must be reinstalled.
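The steps described above (private key plus CSR) and the self-signed case from this section, as an added shell example that is not part of the original post. It assumes the openssl command line (1.1.1 or newer, for -addext); example.com is a constructed placeholder domain, and the optional extra SAN argument goes beyond the text by showing how a wildcard name is requested in the same CSR.

```shell
# Added example, not from the original post: generate the key and CSR the
# "obtaining an SSL" steps describe, then contrast a self-signed certificate
# with a CA-issued one via openssl verify. Assumes the openssl CLI (1.1.1+);
# example.com is a constructed placeholder domain.
set -e

# make_key_and_csr DIR DOMAIN [EXTRA_SAN...]
# Writes DIR/server.key (stays on the server; never send it to the CA) and
# DIR/server.csr. The SAN covers DOMAIN and www.DOMAIN, plus any extra names,
# e.g. '*.DOMAIN' for a wildcard request.
make_key_and_csr() {
  dir=$1; domain=$2; shift 2
  san="DNS:$domain,DNS:www.$domain"
  for extra in "$@"; do san="$san,DNS:$extra"; done
  umask 077   # the private key must not be world-readable
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/server.key" 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "/CN=$domain" \
    -addext "subjectAltName=$san" -out "$dir/server.csr"
}

# csr_names DIR: lists the names the CSR asks for; check this before you
# paste the CSR into the CA's order form.
csr_names() {
  openssl req -in "$1/server.csr" -noout -text | grep -o 'DNS:[^,]*' | tr '\n' ' '
}

# self_sign DIR: what a self-signed SSL is: the CSR signed with its own key,
# so no third party has validated anything. Validity is whatever you choose.
self_sign() {
  openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" -days 3650 \
    -out "$1/selfsigned.crt" 2>/dev/null
}

# chain_ok DIR CERT: succeeds only if CERT chains to a CA in the system trust
# store. A self-signed cert fails, which is why browsers warn on it.
chain_ok() {
  openssl verify "$1/$2" >/dev/null 2>&1
}

main() {
  work=$(mktemp -d)
  make_key_and_csr "$work" example.com '*.example.com'
  echo "CSR requests: $(csr_names "$work")"
  self_sign "$work"
  if chain_ok "$work" selfsigned.crt; then echo "trusted by system store"
  else echo "selfsigned.crt: not trusted, a browser would warn"; fi
  rm -rf "$work"
}
main
```

The CSR (not the key) is what you submit to the CA; the self-signed certificate encrypts traffic just as well but fails the trust check because nobody but you vouched for it.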

Common Certificate Authorities

Some of the most popular CAs in the world are Sectigo, Digicert, Symantec, Let's Encrypt and Cloudflare.

Let’s Encrypt offers absolutely free SSL for life. Yes, you don’t need to pay anything for your SSL. You can use Let’s Encrypt which is an industry standard SSL certificate provider.

Sectigo, Digicert, Symantec, GoDaddy, Amazon etc. are some of the CAs that offer commercial SSL. Sectigo is arguably the biggest of these CAs. Digicert is also very popular and has bought up some of the other commercial CAs, such as GeoTrust, RapidSSL, Thawte etc.

Cloudflare offers free SSL as well. Cloudflare's SSL is provided by validating a self-signed SSL issued on your web server. You can also issue an SSL from the Cloudflare dashboard if you do not have a self-signed SSL.

Free SSL vs Premium SSL

A few years ago, all SSLs were premium, and CAs used to make a fortune selling them as demand increased. However, SSL prices became more and more affordable as CAs grew in number, the need for a secure web grew, and Let's Encrypt arrived on the market offering free SSL for life. As a result, you can now get premium SSLs for as low as $3 and, more importantly, you do not need to spend a cent on SSL, as Let's Encrypt provides free SSL for everybody. Cloudflare also validates your self-signed SSL for free and effectively provides free SSL for your domain, as long as you use Cloudflare nameservers for your domain.

The prices of premium SSLs vary depending on the features provided and the CA issuing the SSL. Certificates that include a wildcard (i.e. secure your domain and all its first-level subdomains) are more expensive than non-wildcard SSLs. Also, multi-domain SSLs (i.e. those that secure multiple domains at the same time) are priced higher than single-domain SSLs.

Authentication Levels

SSLs can also be classified by authentication method. Under this criterion, we have 3 types of SSLs:

Domain Validation, Organization Validation and Extended Validation SSLs

Domain Validation (DV) SSLs are the most popular SSLs. They are SSL certificates that are issued once you are able to prove ownership of the domain name. This proof is normally given by clicking a validation link sent to your email, by uploading a file provided by the CA to a specific location in your web root, or by adding a CNAME record to your DNS zone. DV SSLs can be issued within minutes.

All free SSLs are normally DV SSLs. These SSLs are also the most affordable premium SSLs offered by the various CAs. They can be single-domain, multi-domain or wildcard SSLs.

Organization Validation (OV) SSLs provide stronger authentication. To have this SSL issued, you must prove the legitimacy of your organization. The details you use to request the SSL in your CSR must be corroborated by a reliable third-party source, such as your country's business registry. You also receive a call from the CA to verbally verify the details of your organization. OV SSLs are expensive and take longer to issue due to the process involved.

Extended Validation (EV) SSLs provide the highest level of trust for an SSL certificate. An EV SSL is issued after extensive vetting of the organization, and the validation process has a few more steps than for OV certificates. In older browsers, this SSL could show the actual name of the organization in the user's address bar, next to the green padlock. This has, however, been removed in newer browser versions and will soon be done away with completely. You can check this article on why Google and Mozilla removed the green bar from EV SSLs. EV SSLs also take longer to issue due to the steps involved in verifying the organization.

Note that, even though these SSL types require different authentication steps, all of them offer the same encryption standards set by the industry. Don't be tempted to think that EV or OV SSLs are more secure than DV! That's a myth!

Single Domain, Multi Domain and Wildcard SSLs

SSLs can also be classified by the number of domains/subdomains they can secure. The most basic SSL secures a domain name and its www subdomain. All SSLs must do at least this.

In addition to this, we have wildcard SSLs that secure a domain and all its subdomains. This is normally represented as *.domain.tld in your CSR when requesting the SSL.

Multi-domain SSLs are certificates that allow you to secure more than one domain name with the same SSL. Unlike single-domain and wildcard SSLs, which only handle one domain at a time, a multi-domain SSL allows you to secure different domains. This comes in handy for organizations that have several domain names. You can simply use one SSL to secure all domains, which helps with management of the SSL: you don't need to track the expiry of so many SSLs for your many domains.

We also have multi-domain wildcard SSLs. Now that we know what wildcard and multi-domain SSLs are, this SSL is simply a combination of the two. It means you can secure several domains and all their subdomains with a single SSL! Because of this, these SSLs are normally very expensive.

Conclusion

As far as web standards go, the one thing that is certain is that SSL/TLS will be a mandatory requirement for all services on the web: websites, email and everything else. More organizations like Let's Encrypt will come up and offer free SSL, and even now no one has an excuse not to encrypt their website, given that SSL is provided for free and made easy to install with one-click buttons in web panels like cPanel.

Personally, my favourite SSL is Let's Encrypt because they are free and automated. With LE, you just need to install the SSL once, and its renewal can be carried out automatically using cron jobs! Web panels like Plesk, cPanel and CWP automate the initial issuance of the SSLs for host names and the renewals going forward. On Windows servers, programs like Certify are provided to issue free SSL for domains on IIS and renew them automatically when they are about due. Let's Encrypt is a game changer and has redefined how certificates are issued and how the web can be secured.
