Nowadays, online security is not optional for website owners, but rather a necessity due to the constant demand for and commercialization of private data, as well as the leaking or theft of this data from under companies’ noses.
One of the most widespread methods of enhancing security during browsing is the SSL certificate, which guarantees the safe exchange of data between two systems, where one is the client and the other is the server.
If you have no previous knowledge of SSL certificates, then this is a guide you must read carefully. By the end of it, you will have a solid understanding of SSLs and their intricacies and be able to choose the right certificate for your personal or company website.
So fill your coffee mug and let’s get to it!
Quick Navigation: What’s in this guide
This guide consists of the following subjects –
- What is an SSL Certificate
- SSL Certificate main functions
- How SSL Certificate works
- Types of SSL Certificates based on validation level
- How many domains you can secure with an SSL Certificate
- Difference Between Wildcard SSL Vs SAN Certificate
- How does SSL Certificate affect SEO
- How much does an SSL Certificate cost
- Most Frequently Asked Questions about SSLs
What is an SSL Certificate?
Think of an SSL Certificate as being a safe encrypted channel to transmit data over the web.
The SSL (Secure Socket Layer) creates an encoded connection between a web server and a web browser, protecting sensitive, personal data that are recorded by a website, such as: credit card info, login info (username & password), contact info. In this way it allows for safe transfer of data on the web and ensures that no data will be stolen, altered or falsified.
- Authentication and Verification: The SSL Certificate contains information about the accuracy of the ID of the person or company that has requested its issuance. Visitors are able to verify the website’s identity by clicking on the browser’s padlock symbol or on the characteristic trust mark (e.g. the Norton™ Secured Seal). The inspection that the Certificate Authorities perform to decide whether or not an SSL Certificate should be issued is very strict and varies according to the type of the Certificate.
- Data Encryption: Encryption is the process behind SSL Certificates that allows for the safe transfer of data (numbers, text or files) through the web. During the exchange of this data, the information is encrypted in such a way, that a third party can’t access or read the data without the encryption “key”.
When a web user visits a secure website, an SSL certificate provides recognition info about the web server and creates an encrypted connection. This process happens in a fraction of a second.
- The browser (Internet Explorer, Firefox, Safari, etc.) of the user (the buyer) checks the SSL Certificate to verify the site’s identity and to make sure that the site it is connecting to is secure.
- The web server communicates with the browser and encryption of the data at a specific strength is activated (usually 128-bit or 256-bit).
- The browser and server send each other unique codes to be used in the decryption process after the data transfer is completed.
- The browser and server are now communicating via encryption. The exchange of data starts and the “SSL safe data transfer” icon appears next to the website’s address bar. The exchange is now considered secure.
Depending on the steps taken by each Certificate Authority to confirm the entity’s identity, we have 3 different types of certification: Domain, Organization and Extended Validation.
- Domain Validation SSL Certificates (DV SSL)
- Organization Validation SSL Certificates (OV SSL)
- Extended Validation SSL Certificates (EV SSL)
Domain validation guarantees that, during use of the SSL, the exchange of information with this domain will be encrypted and safe. It offers certification on a basic level: for its issuance, it is enough to confirm that the domain name is valid and that it belongs to the entity that asked for the certificate. For this certification no document is needed. All that is required is a simple click on the verification link that the Certificate Authority sends to the owner of the domain name via email. Thus, the certificate is issued and activated without delay.
Its use is recommended for individuals, companies, etc. that need an SSL quickly, without submitting company documents, and for websites that need encrypted exchange of information (e.g. login pages, small scale transactions, email servers, etc.).
Organization validation certifies not just the ownership of the domain name, but also, other information about the entity (organization or company) that requested the SSL. This information includes the name of the entity, the city, district and country that it’s based in. The Certificate Authority searches on bank or local government sources and databases. If the information is not confirmed, documents that prove the identity of the organization and applicant will be requested.
Organization validation certificates are optimal for companies that want not just encryption capabilities on their website, but also to provide their visitors with verification of their company info. This is recommended for companies of any size that require the highest level of security to win their customers’ trust and maintain a competitive edge.
What Does EV Certificate Look Like?
Lastly, Extended Validation SSL certificates are the ones accompanied by the strictest checks to verify the organization’s identity. They differ from Organization certificates in that they follow a different certification process. The Certification Authority Browser Forum dictates that EV SSL certificates have 6 levels that require submission of documents:
- Exclusive ownership of the domain name
- Base of operations of the organization
- Legal status and Physical existence
- Operational existence
- Confirmation that the organization is indeed the one requesting the issuance of SSL
- Legal status and Physical existence of legal representative
It’s an ideal SSL for companies and organizations that need to show they have gone through the strictest evaluation, so that they can quickly earn the customer’s trust. It’s recommended for large companies with online and e-commerce services that wish to keep their competitiveness and communicate quickly to visitors that they are visiting a safe website where their personal info and transactions are protected. The green bar popping up on the browser immediately grabs the visitor’s attention and earns their trust.
A quick depiction of what we mentioned above is this:
- Securing personal websites, blogs, email/ftp servers, Facebook apps
- Domain + Basic Business: Securing sites that take in customer info (e.g., login credentials)
- Domain + Full Business: Securing sites that take in more sensitive customer info (e.g., credit card data)
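The identity information that separates the three validation levels is visible in a certificate's subject fields. The sketch below is an added example, not part of the original guide: a heuristic that reads the subject layout returned by Python's `ssl.SSLSocket.getpeercert()` and reports the likely level. The function names and the sample certificates are constructed for illustration, and the heuristic assumes the CA follows the CA/Browser Forum subject-field rules.

```python
# Added example: infer the validation level from a certificate's subject.
# Input uses the dict layout of Python's ssl.SSLSocket.getpeercert().
# All certificates below are constructed sample data.

# Subject attributes that CA/Browser Forum rules require only on EV certificates.
# Some OpenSSL builds report the jurisdiction field by its dotted OID instead.
EV_ONLY = {"businessCategory", "jurisdictionCountryName",
           "1.3.6.1.4.1.311.60.2.1.3"}


def subject_fields(cert):
    """Flatten the nested subject tuples into {attribute: value}."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}


def validation_level(cert):
    """Heuristic: 'EV', 'OV' or 'DV' from the identity fields that are present."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"  # only control of the domain was checked
    if EV_ONLY & fields.keys():
        return "EV"
    return "OV"


def identity_summary(cert):
    """Collect the entity details the guide lists for OV: name, city, district, country."""
    fields = subject_fields(cert)
    return {
        "level": validation_level(cert),
        "organization": fields.get("organizationName"),
        "city": fields.get("localityName"),
        "district": fields.get("stateOrProvinceName"),
        "country": fields.get("countryName"),
    }


DV_CERT = {"subject": ((("commonName", "blog.example"),),)}
OV_CERT = {"subject": ((("countryName", "GR"),),
                       (("stateOrProvinceName", "Attica"),),
                       (("localityName", "Athens"),),
                       (("organizationName", "Example Shop Ltd"),),
                       (("commonName", "shop.example"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "GR"),),
                       (("serialNumber", "000000000"),),
                       (("countryName", "GR"),),
                       (("localityName", "Athens"),),
                       (("organizationName", "Example Bank SA"),),
                       (("commonName", "bank.example"),))}

if __name__ == "__main__":
    for cert in (DV_CERT, OV_CERT, EV_CERT):
        print(identity_summary(cert))
```

A DV certificate yields no organization details at all, which is the practical meaning of "encrypts but does not identify".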
Every SSL is issued for a specific domain and is tied to it. However, because there are cases where an SSL needs to cover more than one domain or sub-domain, various SSL types have appeared that can support this.
There are the following types of SSL certificate, depending on the number of domains that the SSL certificate can cover.
- Single Domain Certificates – Certificates that can only be used with one domain. They can offer security for only one website, the domain of which has been checked and approved.
- Wildcard Certificates – Certificates that can be used for the security of a domain and all of its sub-domains.
- Multi-Domain Certificates – Certificates for multiple domains. Such a certificate can be used to secure up to 100 different domains, depending on its type and issuer.
Wildcard SSL certificates are perfect if you want to encrypt data exchanges in sub-domains that are under the main domain name of your website. This way you can be sure that your main domain, as well as all the sub-domains you manage, are protected and encrypted properly. There is much to be gained from this, as the time required to manage all the sub-domains is now significantly shorter and the cost is minimal, since you only need one certificate.
What are the differences between SAN (Subject Alternative Name) and Wildcard certificates?
Wildcard certificates are issued for only one root name (e.g. *.mydomain.com) and can be used for any number of sub-domains based on the main one. This means that, apart from the main domain, the certificate can be used for sub-domains such as ftp.mydomain.com, blog.mydomain.com, mail.mydomain.com, etc.
On the other hand, a SAN certificate is a digital security certificate that allows multiple hostnames to be protected by one common certificate. It is also referred to as a Unified Communication Certificate (UCC). What this means is that, under this type of certificate, protection is provided for different domain names of the same website, or even unrelated domain names (e.g. mydomain.com, mydomain.eu and even my-domain.com). Using this has the benefit of saving money and making management easier as you now need only one SSL.
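Which hostnames a given certificate really covers can be checked before buying or deploying it. The sketch below is an added example, not part of the original guide; it applies the usual browser matching rules, under which a `*` entry stands for exactly one left-most label, so a wildcard entry by itself does not match the bare domain or deeper sub-domains unless those names are also listed. The function names and the name lists are constructed for illustration.

```python
# Added example: which hostnames a certificate's name list actually covers.
# The name lists below are constructed sample values, not a real certificate.


def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, and split it into labels."""
    return name.rstrip(".").lower().split(".")


def entry_matches(hostname, pattern):
    """Match one hostname against one DNS name entry on the certificate.

    A '*' is honoured only as the whole left-most label and stands for
    exactly one label; everything else is compared literally.
    """
    host, pat = _labels(hostname), _labels(pattern)
    if len(host) != len(pat) or "" in host:
        return False
    if pat[0] == "*":
        # Require at least two fixed labels so '*.com' never matches.
        if len(pat) < 3:
            return False
        return host[1:] == pat[1:]
    return host == pat


def cert_covers(hostname, san_entries):
    """True if any entry on the certificate covers the hostname."""
    return any(entry_matches(hostname, p) for p in san_entries)


def coverage_report(hostnames, san_entries):
    """Map each hostname to True/False so gaps show up before deployment."""
    return {h: cert_covers(h, san_entries) for h in hostnames}


# Constructed certificates for the comparison in the text.
WILDCARD_ONLY = ["*.mydomain.com"]
WILDCARD_PLUS_APEX = ["*.mydomain.com", "mydomain.com"]
SAN_CERT = ["mydomain.com", "www.mydomain.com", "mydomain.eu", "my-domain.com"]

SITES = ["mydomain.com", "blog.mydomain.com", "dev.blog.mydomain.com",
         "mydomain.eu", "my-domain.com"]

if __name__ == "__main__":
    for label, sans in [("wildcard only", WILDCARD_ONLY),
                        ("wildcard + apex", WILDCARD_PLUS_APEX),
                        ("SAN list", SAN_CERT)]:
        print(label)
        for host, ok in coverage_report(SITES, sans).items():
            print(f"  {host:24} {'covered' if ok else 'NOT covered'}")
```

Run the report against the list of hostnames you actually serve; any name reported as not covered will trigger a browser name-mismatch warning.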
What are the characteristics of a safe connection?
Depending on the type of certificate being used, your clients will have some or all of these services available:
- Lock: This is a globally accepted symbol that shows up on the browser’s address bar and signifies that the location is secure.
- HTTPS environment: A secure website’s URL will start with https instead of http, where the “s” stands for “security”.
- Green Bar: The green color on the browser’s address bar signifies the use of Extended Validation certification.
- Trust Seals: They appear on the website to confirm that the site is secure and evaluated by the Certification Authorities.
Previously, obtaining an SSL Certificate was meant only for websites through which trades took place, such as e-commerce sites. But according to Google’s latest announcement, SSL Certificates are no longer optional. They are a MUST no matter what site you have! And that is because Chrome, the most popular browser by use, will soon mark negatively any site that does not use encryption – meaning any site that doesn’t have an SSL Certificate. Never before were HTTP connections characterized as “unsafe”. They were merely evaluated with an index that could not show lack of security.
But things are changing…
Already, sites that have an SSL are rewarded by Google with better ranking and receive the characteristic green lock on their URL (address bar). Very soon, sites that collect user data (account username/password, contact forms, newsletters) or credit card info for transactions but do not have SSL (non-encrypted) will be marked by Chrome with negative security icons and the phrase “Not Secure” on their address bar. This seems appropriate given that they are handling sensitive personal data, and it will have a negative impact on their SEO.
HTTPS is a ranking factor for Google and it’s only going to become more relevant with time!
Which SSL Certificate is better for SEO purposes?
The truth is that it doesn’t matter what SSL Certificate you install. The only restriction is that the SSL must be verified by a trusted Certificate Authority. What matters is your site being recognized as a secure location, which is achieved by using either an EV SSL or a Regular SSL (DV SSL or OV SSL).
SSL Certificates are available in a wide gamut of prices, ranging from around $10/year to several thousand dollars per year. Therefore, it makes sense that this question is one of the most important ones when you’re choosing a certificate.
As we’ve seen above, depending on the validation process, we have 3 basic SSL categories: Domain, Organization and Extended Validation certificates, with the Domain being the cheapest, the EV being the most expensive and the Organization falling somewhere in the middle. Why is that?
Domain Validation does not require any document submissions. The issuing authority sends the owner of the domain for which the certificate is being issued a verification link via email, and the owner clicks it to complete the process. That’s why this certificate is issued and activated without delays.
Organization and Extended validation certificates on the other hand, require submission of documents and several manual checks from each Certification Authority. EV are at the top of the pyramid, since they are followed by the strictest certification checks, as dictated by the Certification Authority Browser Forum. For this reason, the delay is also different, with Organization certificates taking 1-3 days and EV certificates taking 1-5 days.
So, the difference in cost is determined by how involved the human factor will have to be in the various stages of certification for the issuance of the SSL.
Other factors that play a role in forming the price of an SSL Certificate are:
There are several types of certificates that differ in their use and, as a consequence, in their pricing. Usually, Certification Authorities offer certification and identification packs, as well as their services for a specific period of time. The price may also vary depending on the level of encryption being used. 256bit encryption costs more than 128bit which is the most common one.
Another factor affecting the certificate’s price is the warranty. The warranty is basically the most that a visitor can be compensated in case their data is mishandled/stolen. The warranty ranges usually from $10,000 to $200,000.
The last factor determining the price is the number of domains it can support, as pricing is different for a certificate that can only be installed on one domain name (DV SSL) and a certificate that can be installed on several domain names (Wildcard SSL).
Does the price of a certificate affect the level of security it provides?
The answer is NO.
Whether you choose a $10 certificate or a $1000 certificate, the SSL will offer the necessary encryption for the data exchanges between your site and its visitors.
So why would you prefer an Organization or Extended Validation certificate?
Because Domain Validation certificates do not require anything to be submitted, anyone can get them. So, while they do offer the necessary encryption, they do not verify the identity of the entity that requests them. This may be a minus point for big companies that operate online services and large-scale transactions.
Organization and Extended Validation certificates offer detailed info on the identity of the organization behind the page. They also offer clear visual elements (e.g. green bar) that assure the user the site’s SSL has been checked strictly.
If, other than basic security and encryption, you want to offer your visitors visible proof that your site is using a certificate that has been issued with the higher standards of the market, we recommend an Organization or Extended Validation certificate. With this, you increase the trustworthiness of your site, gain your visitor’s trust and increase your conversion rate.
What is a Certificate Authority?
A Certificate Authority, or Certification Authority (CA), is an entity that is trusted to issue digital certificates. A Certificate Authority verifies the identity and legality of the business or person that requested its issuance and, if the verification is successful, the certificates are signed and issued by the CA.
Those certificates contain information about the website’s ownership, public key, certificate expiry date, owner’s name and other things, depending on the level and type of the SSL. When the client’s web-browser first interacts with the server, it will attempt to verify the signature of the certificate from a recognized CA. Web-browsers come with pre-installed lists of CAs.
If the browser is not able to find the CA in its lists, then it will warn the user that the website’s certificate has not been signed by a legitimate Certificate Authority.
There are many reputed certificate authorities in the market, offering different types of certificates that can be verified by 99% of web-browsers. Every certification authority has its own requirements for verification and validation procedures when issuing its certificates.
What is a Code Signing Certificate?
When buying software physically, from a place they trust, people can be sure that the software is safe to run on their computer. That is not the case, though, when they are downloading software from the internet. One can never be completely sure of what kind of code is going to be executed once they hit that “Run” button. It’s possible, for example, that someone has tampered with the software before letting the user download it.
A Code Signing Certificate, issued by a Certificate Authority, assures the end-user that your software has not been tampered with since it was signed and that you are indeed the creator of this software. Every developer needs this because it makes those perplexing “Unknown Publisher” pop-ups disappear, decreasing the number of cancelled installs. Users (especially the uninitiated) get scared away quite easily when they see a message warning them of potential harm coming from your software. Investing in your software’s certification goes a long way towards making the end-user trust you.
When and Why should I use an SSL Certificate on my website?
Until recently, if a website did not facilitate online trades (e.g. e-shop), then a security certificate was considered… a luxury. Today though, it is NECESSARY. There are many reasons for this, but the main ones are:
The increasing awareness of users about matters of security and management of private data. In simple terms, if you have a web shop but no SSL, then many users will just not buy from your shop.
HTTPS encryption is officially, according to Google, a ranking factor for pages in the SERPs (Search Engine Result Pages). Put simply, if you have an SSL you get a small boost at Google. If you don’t have an SSL, you can just sit around while everyone else is activating their SSLs and moving ahead of you.
Since January of 2017, with Google Chrome’s version 56, sites that require entry of security passwords or credit card passwords will be marked as “Not Secure” unless they have a valid SSL certificate. In future versions, this indication will be even more intense, with red color complementing the danger triangle.
Can everyone acquire a digital certificate? (SSL certificate)
Whoever wants to secure their site’s content and allow their visitors to trust them by obtaining a digital certificate can do so, whether they are a person, a business, or a non-profit organization. The certificate’s owner can use it to prove their identity, as it is written on the certificate, which is signed by a certificate authority. It functions similarly to an ID and is issued by Authorities that are trusted among the users themselves.
What does the browser’s green address bar mean? How can my site acquire it?
When an internet user visits a site for which the browser turns its address bar to green, they know that it is safe.
The site is apparently using some certificate that runs very thorough checks and offers the highest level of security an SSL can offer. This means that communication between browser and website is encrypted, and that the site belongs to and is managed by a legitimate company, for which the user can see more info by clicking on the bar with the safe connection indication.
How can you get the green bar for your website?
You will need an Extended Validation SSL certificate.
So long as your certificate has been installed properly, your site contains only safe content and your certificate authority has verified all the info you have provided about the existence and legality of your company (among other info), the green bar will show up on your visitors’ browsers.
Do I need a dedicated IP to install an SSL?
Until recently, to install an SSL certificate you would first need a Dedicated IP address. Nowadays though, there is a relatively new technology called Server Name Indication (SNI) that allows two things:
- You can install one or more SSL certificates for your domains (including add-on domains) on the same account.
- You won’t need a dedicated IP address to install an SSL certificate, and instead, you can use the shared IP address of the server that you are on.
Because some browsers don’t support SNI, hosting providers may be cautious to offer this feature and instead suggest that a dedicated IP is required with better browser support. To avoid any unnecessary trouble, it is best to just contact the company hosting your website to clarify whether it is necessary for you to purchase a dedicated IP address or whether they can provide you with SNI, before you make a decision.
Using an SSL certificate, you protect your customers’ sensitive data and secure your online exchanges with them, thus creating a reliable location where your clients can feel safe. SSLs don’t just assure the user that the site is valid, but also assure the site that the user is inputting correct and valid info. In this way, both the user and the company can have confidence in the safety of their data.
Furthermore, due to the wide use of SSL certificates, users have now gotten used to the nuances of https websites and the various security protocols, and are now actively looking for certificates during their online transactions. Many users don’t trust non-certified sites with their sensitive data and would rather cancel any transaction they had planned.
It makes sense then, that if your goal is to provide services that are safe and reliable, SSL certification is the most important prerequisite.