What is an SSL Certificate?
SSL stands for Secure Sockets Layer and, in short, it’s the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems, preventing criminals from reading and modifying any information transferred, including potential personal details. The two systems can be a server and a client (for example, a shopping website and browser) or server to server (for example, an application with personally identifiable information or with payroll information).
It does this by making sure that any data transferred between users and sites, or between two systems, remains impossible to read. It uses encryption algorithms to scramble data in transit, preventing hackers from reading it as it is sent over the connection. This information could be anything sensitive or personal, which can include credit card numbers and other financial information, names and addresses.
TLS (Transport Layer Security) is just an updated, more secure, version of SSL. We still refer to our security certificates as SSL because it is a more commonly used term.
HTTPS (Hyper Text Transfer Protocol Secure) appears in the URL when a website is secured by an SSL certificate. The details of the certificate, including the issuing authority and the corporate name of the website owner, can be viewed by clicking on the lock symbol on the browser bar.
How do SSL certificates work?
SSL works by ensuring that any data transferred between users and websites, or between two systems, remains impossible to read. It uses encryption algorithms to scramble data in transit, which prevents hackers from reading it as it is sent over the connection. This data includes potentially sensitive information such as names, addresses, credit card numbers, or other financial details.
The process works like this:
- A browser or server attempts to connect to a website (i.e., a web server) secured with SSL.
- The browser or server requests that the web server identifies itself.
- The web server sends the browser or server a copy of its SSL certificate in response.
- The browser or server checks to see whether it trusts the SSL certificate. If it does, it signals this to the web server.
- The web server then returns a digitally signed acknowledgment to start an SSL encrypted session.
- Encrypted data is shared between the browser or server and the web server.
This process is sometimes referred to as an “SSL handshake.” While it sounds like a lengthy process, it takes place in milliseconds.
When a website is secured by an SSL certificate, the acronym HTTPS (which stands for HyperText Transfer Protocol Secure) appears in the URL. Without an SSL certificate, only the letters HTTP – i.e., without the S for Secure – will appear. A padlock icon will also display in the URL address bar. This signals trust and provides reassurance to those visiting the website.
To view an SSL certificate’s details, you can click on the padlock symbol located within the browser bar. Details typically included within SSL certificates include:
- The domain name that the certificate was issued for
- Which person, organization, or device it was issued to
- Which Certificate Authority issued it
- The Certificate Authority’s digital signature
- Associated subdomains
- Issue date of the certificate
- The expiry date of the certificate
- The public key (the private key is not revealed)
Why you need an SSL certificate
Websites need SSL certificates to keep user data secure, verify ownership of the website, prevent attackers from creating a fake version of the site, and convey trust to users.
If a website is asking users to sign in, enter personal details such as their credit card numbers, or view confidential information such as health benefits or financial information, then it is essential to keep the data confidential. SSL certificates help keep online interactions private and assure users that the website is authentic and safe to share private information with.
More relevant to businesses is the fact that an SSL certificate is required for an HTTPS web address. HTTPS is the secure form of HTTP, which means that HTTPS websites have their traffic encrypted by SSL. Most browsers tag HTTP sites – those without SSL certificates – as “not secure.” This sends a clear signal to users that the site may not be trustworthy – incentivizing businesses who have not done so to migrate to HTTPS.
An SSL certificate helps to secure information such as:
- Login credentials
- Credit card transactions or bank account information
- Personally identifiable information — such as full name, address, date of birth, or telephone number
- Legal documents and contracts
- Medical records
- Proprietary information
Types of SSL certificate
There are different types of SSL certificates with different validation levels. The six main types are:
- Extended Validation certificates (EV SSL)
- Organization Validated certificates (OV SSL)
- Domain Validated certificates (DV SSL)
- Wildcard SSL certificates
- Multi-Domain SSL certificates (MDC)
- Unified Communications Certificates (UCC)
Extended Validation certificates (EV SSL)
This is the highest-ranking and most expensive type of SSL certificate. It tends to be used for high profile websites which collect data and involve online payments. When installed, this SSL certificate displays the padlock, HTTPS, name of the business, and the country on the browser address bar. Displaying the website owner’s information in the address bar helps distinguish the site from malicious sites. To set up an EV SSL certificate, the website owner must go through a standardized identity verification process to confirm they are legally entitled to the exclusive rights to the domain.
Organization Validated certificates (OV SSL)
This version of SSL certificate has a similar assurance level to the EV SSL certificate, since to obtain one the website owner needs to complete a substantial validation process. This type of certificate also displays the website owner’s information in the address bar to distinguish the site from malicious sites. OV SSL certificates tend to be the second most expensive (after EV SSLs), and their primary purpose is to encrypt the user’s sensitive information during transactions. Commercial or public-facing websites must install an OV SSL certificate to ensure that any customer information shared remains confidential.
Domain Validated certificates (DV SSL)
The validation process to obtain this SSL certificate type is minimal, and as a result, Domain Validation SSL certificates provide lower assurance and minimal encryption. They tend to be used for blogs or informational websites – i.e., which do not involve data collection or online payments. This SSL certificate type is one of the least expensive and quickest to obtain. The validation process only requires website owners to prove domain ownership by responding to an email or phone call. The browser address bar only displays HTTPS and a padlock with no business name displayed.
Wildcard SSL certificates
Wildcard SSL certificates allow you to secure a base domain and unlimited sub-domains on a single certificate. If you have multiple sub-domains to secure, then a Wildcard SSL certificate purchase is much less expensive than buying individual SSL certificates for each of them. Wildcard SSL certificates have an asterisk * as part of the common name, where the asterisk represents any valid sub-domains that have the same base domain. For example, a single Wildcard certificate for *.yourdomain.com can be used to secure:
- payments.yourdomain.com
- login.yourdomain.com
- mail.yourdomain.com
- download.yourdomain.com
- anything.yourdomain.com
Multi-Domain SSL Certificate (MDC)
A Multi-Domain certificate can be used to secure many domains and/or sub-domain names. This includes the combination of completely unique domains and sub-domains with different TLDs (Top-Level Domains) except for local/internal ones.
For example:
- www.example.com
- example.org
- mail.this-domain.net
- example.anything.com.au
- checkout.example.com
- secure.example.org
Multi-Domain certificates do not support sub-domains by default. If you need to secure both www.example.com and example.com with one Multi-Domain certificate, then both hostnames should be specified when obtaining the certificate.
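The wildcard and Multi-Domain rules above can be checked mechanically before ordering a certificate. The following is an added example, not code from the original page: it applies the RFC 6125 matching rules that browsers use, and the function names and sample name lists are constructed for illustration. It shows that a bare *.yourdomain.com entry covers exactly one sub-domain level, so the base domain and deeper names are covered only if they are listed in the certificate as well.

```python
# Added example: which hostnames a certificate's DNS names cover.
# Rules follow RFC 6125 as browsers apply them; all data below is constructed.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """True if one certificate DNS name (possibly a wildcard) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False  # "*" stands for exactly one label, never several or none
    if p[0] == "*":
        # Wildcard must be the whole left-most label with at least two
        # fixed labels after it, which rejects names such as "*.com".
        if len(p) < 3 or any("*" in label for label in p[1:]):
            return False
        return h[0] != "" and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial wildcards ("pay*.yourdomain.com") are not honoured
    return p == h

def cert_covers(dns_names, hostname):
    """True if any DNS name listed in the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in dns_names)

def coverage_report(dns_names, hostnames):
    """Map each hostname to whether the certificate covers it."""
    return {h: cert_covers(dns_names, h) for h in hostnames}

# Constructed name lists built from the hostnames used in the text.
WILDCARD_CERT = ["*.yourdomain.com"]
MULTI_DOMAIN_CERT = ["www.example.com", "example.org", "mail.this-domain.net"]

if __name__ == "__main__":
    hosts = ["login.yourdomain.com", "yourdomain.com", "a.login.yourdomain.com"]
    for host, ok in coverage_report(WILDCARD_CERT, hosts).items():
        print(f"{host:28} {'covered' if ok else 'NOT covered'}")
    for host, ok in coverage_report(MULTI_DOMAIN_CERT,
                                    ["www.example.com", "example.com"]).items():
        print(f"{host:28} {'covered' if ok else 'NOT covered'}")
```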
Unified Communications Certificate (UCC)
Unified Communications Certificates (UCC) are also considered Multi-Domain SSL certificates. UCCs were initially designed to secure Microsoft Exchange and Live Communications servers. Today, any website owner can use these certificates to allow multiple domain names to be secured on a single certificate. UCC Certificates are organizationally validated and display a padlock on a browser. UCCs can be used as EV SSL certificates to give website visitors the highest assurance through the green address bar.
It is essential to be familiar with the different types of SSL certificates to obtain the right type of certificate for your website.
How to obtain an SSL certificate
SSL certificates can be obtained directly from a Certificate Authority (CA). Certificate Authorities – sometimes also referred to as Certification Authorities – issue millions of SSL certificates each year. They play a critical role in how the internet operates and how transparent, trusted interactions can occur online.
The cost of an SSL certificate can range from free to hundreds of dollars, depending on the level of security you require. Once you decide on the type of certificate you require, you can then look for Certificate Issuers, which offer SSLs at the level you require.
Obtaining your SSL involves the following steps:
- Prepare by getting your server set up and ensuring your WHOIS record is updated and matches what you are submitting to the Certificate Authority (it needs to show the correct company name and address, etc.)
- Generating a Certificate Signing Request (CSR) on your server. This is an action your hosting company can assist with.
- Submitting this to the Certificate Authority to validate your domain and company details
- Installing the certificate they provide once the process is complete.
Once obtained, you need to configure the certificate on your web host or on your own servers if you host the website yourself.
How quickly you receive your certificate depends on what type of certificate you get and which certificate provider you procure it from. Each level of validation takes a different length of time to complete. A simple Domain Validation SSL certificate can be issued within minutes of being ordered, whereas Extended Validation can take as long as a full week.
Frequently Asked Questions
What is SSL?
SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), are protocols for establishing authenticated and encrypted links between networked computers. Although the SSL protocol was deprecated with the release of TLS 1.0 in 1999, it is still common to refer to these related technologies as “SSL” or “SSL/TLS.”
What is an SSL certificate?
An SSL certificate (also known as a TLS or SSL/TLS certificate) is a digital document that binds the identity of a website to a cryptographic key pair consisting of a public key and a private key. The public key, included in the certificate, allows a web browser to initiate an encrypted communication session with a web server via the TLS and HTTPS protocols. The private key is kept secure on the server, and is used to digitally sign web pages and other documents (such as images and JavaScript files).
An SSL certificate also includes identifying information about a website, including its domain name and, optionally, identifying information about the site’s owner. If the web server’s SSL certificate is signed by a publicly trusted certificate authority (CA), like SSL.com, digitally signed content from the server will be trusted by end users’ web browsers and operating systems as authentic.
An SSL certificate is a type of X.509 certificate.
What is TLS?
TLS (Transport Layer Security), released in 1999, is the successor to the SSL (Secure Sockets Layer) protocol for authentication and encryption. TLS 1.3 is defined in RFC 8446 (August 2018).
Do I need a dedicated IP address to use SSL/TLS?
At one time it was a mandatory requirement to have a dedicated IP for each SSL certificate on a web server. This is no longer the case due to a technology called Server Name Indication (SNI). Your hosting platform will specifically have to support SNI. You can find out more information about SNI in this SSL.com article.
What port is recommended to use SSL/TLS over?
For maximum compatibility, port 443 is the standard, thus recommended, port used for secured SSL/TLS communications. However, any port can be used.
What is the current version of SSL/TLS?
TLS 1.3, defined in August 2018 by RFC 8446, is the most recent version of SSL/TLS. TLS 1.2 (RFC 5246) was defined in August 2008 and also remains in wide use. Versions of SSL/TLS prior to TLS 1.2 are considered insecure and should no longer be used.
What are the security issues with older versions of TLS?
TLS versions 1.0 and 1.1 are affected by a large number of protocol and implementation vulnerabilities that have been published by security researchers in the last two decades. Attacks like ROBOT affected the RSA key exchange algorithm, while LogJam and WeakDH showed that many TLS servers could be tricked into using incorrect parameters for other key exchange methods. Compromising a key exchange allows attackers to completely compromise network security and decrypt conversations.
Attacks on symmetric ciphers, such as BEAST or Lucky13, have demonstrated that various ciphers supported in TLS 1.2 and earlier, with examples including RC4 or CBC-mode ciphers, are not secure.
Even signatures were affected, with Bleichenbacher’s RSA signature forgery attack and other similar padding attacks.
Most of these attacks have been mitigated in TLS 1.2 (provided that TLS instances are configured correctly), even though TLS 1.2 is still vulnerable to downgrade attacks, such as POODLE, FREAK, or CurveSwap. This is due to the fact that all versions of the TLS protocol prior to 1.3 don’t protect the handshake negotiation (which decides the protocol version that will be used throughout the exchange).
Contact us:
eSource Software, 17 01, Kapitan Square, Buckingham Street, 10200 George Town, Penang, Malaysia.
Call Us
(006) 012-4377440
Website www.esource-malaysia.com