The security of your hosting environment, website, and client interactions is more important now than ever before. With constant threats and attacks you want to ensure that your visitors trust that you have their security in mind and are active in protecting their information. Providing a secure connection to your website with a Secure Socket Layer (SSL) certificate is one of the easiest methods of demonstrating to your visitors that you take security seriously. However not all SSL certificates are considered equal or provide the same assurances. Determining which is best for you and your business is an important choice and depends on your particular needs.
What is an SSL Certificate?
To decide which SSL is best for your business you first need an understanding of what an SSL certificate is. An SSL certificate is a digital “certificate” (basically a file) that is used to provide encryption and decryption between a host (you) and a client (your visitor). This certificate certifies ownership and authenticity of a domain. In other words: it tells your visitor (and more importantly: their browser) that the domain they are visiting is actually the domain they believe they’re going to and that it belongs to who they think it should belong to. This certificate also allows their browser to communicate with your website in a safe, secure manner. When looking at the URL / address bar in the browser and you see https, the “s” portion represents the secure connection that the SSL certificate provides.
How Does An SSL Work?
Before you can choose which SSL best suits your needs you should also understand the process of how an SSL is used. The basic idea is to create a “chain of trust”; a path that begins at your computer with your browser, and ends with an organization that provides the SSL certificate known as a “Certificate Authority” or “CA”. When visiting a site your browser looks at the SSL certificate and starts to “follow” the information it contains, reviewing each step and making sure that the component is digitally “signed” by an organization or CA that your browser trusts. By following this path your browser can guarantee that the information it receives from a site is accurate since each step verifies the last, ending at the CA which has a specific agreement with your browser [1].
Additionally, your browser uses the SSL certificate to establish a secure connection to the server of the website you are visiting. There is a back-and-forth series of messages to negotiate or confirm that the site and your browser can communicate securely and that the website your browser is visiting is truly the website you believe you’re at.
[1] – This is part of the reason why SSLs may have a charge associated with them. The Certificate Authority has to be approved by each and every browser it wants to have SSL certificates recognized by. This is part of the labor cost and is a time consuming and difficult process. It also is the reason why SSL certificates can be trusted: not just anybody can start a Certificate Authority and issue SSL certificates that will be trusted by the most commonly used browsers.
Types of SSL Certificates
To determine which SSL is best for the business or site you operate you should also understand the different types of SSLs and the way that they can be used. This article will touch briefly on four types of SSL certificate that you can choose from:
Self-Signed
This SSL certificate is one that you create and essentially “sign” yourself, stating that you are who you say you are and your site is the site it proclaims to be. These are fine when working with a site that only people you know / trust will be accessing it. They don’t have to worry about the authenticity because they already know exactly who is operating it and that it’s safe. These should not be used for any type of online business or site where random visitors will be stopping by since self-signed certificates will present an error / warning in most browsers about not being trustworthy (which can scare visitors / customers away).
Single Domain
The single domain SSL certificate is going to represent exactly what it says: a single fully-qualified domain name. This does not support any type of subdomains of a domain unless that is what the SSL is specifically configured for (so an SSL for mail.example.com will only provide security and authenticity to mail.example.com, not www.example.com). Additionally, alternate top level domains (TLDs) such as .net, .org, etc… are not covered automatically unless an SSL certificate is explicitly purchased / configured for that domain name TLD.
Wildcard
The wildcard SSL provides security and authenticity for all subdomains of a domain name. The term “wildcard” is representing any and all possible sub-domains that could be used with your primary domain name. This is especially useful if you are unsure how you could utilize sub-domains for your business or know that you have a large number of subdomains that need coverage (enough that the increased cost of a wildcard subdomain is cheaper than buying individual single domain SSLs to cover all your subdomains).
Multi-Domain
The multi-domain SSL, rather than focusing on covering multiple sub-domains provides coverage for multiple hostnames. These Subject Alternative Names (SAN) are listed on the SSL certificate and your browser checks each one individually when visiting a site. After receiving the SSL certificate and reviewing the SANs your browser will identify if the domain matches one of the SANs and if so create the secure connection. This type of SSL is extremely useful if there are multiple domains that you control that you want protected or that all relate to your business as you only have a single certificate to manage and keep updated / configured on your servers.
Validation Levels
Aside from specific types of SSL certificates being offered the various Certificate Authorities can provide different “validation” levels to prove that the owner of the SSL is who they say they are. The various types of validation present themselves differently to your browser and provide visitors to sites using the SSL a visual confirmation of the SSL connection. Further: the degree of validation that went into proving the requestor / owner of the SSL is who they say they are is increased with the various levels offered depending on the needs for your business. A quick breakdown of those validation levels is as follows:
Domain Validated (DV)
This is the most common and easiest validation level to pass. The sole qualifier is that you prove that the domain you’re ordering an SSL for is under your control. This could be responding to an email sent to an address at that domain to modifying a DNS record for the domain so an automated system can review it. This validation method usually takes a few minutes to a couple of hours at most. Browsers will display a lock icon on the address bar indicating that a secure and encrypted connection to the site provided by SSL is being made.
Organizational Validated (OV)
This is a more in-depth and detailed validation. The owner or business is actually contacted and paperwork has to be submitted proving that your business is a legitimate business. The name of the person or organization is associated with the SSL if reviewed; however browsers will display the same visual indicator as with a domain validated SSL. This can usually be completed in a couple of days.
Extended Validation (EV)
This is the most complicated level of validation and takes upwards of a week or more. Public records are utilized to prove the location of your business, that your business exists / is legitimate, and typically requires in-person / over the phone communication to provide additional verification and information. This is an extreme vetting process that requires lots of back and forth communication and follows strict guidelines.
Why are SSLs Important?
This article has briefly touched on why an SSL certificate is important, but it’s critical to expand on that point as security is an ever growing need for businesses to take seriously. Customers come to expect that their data is protected and that they can trust the sites they visit. Losing that trust means losing business and reputation.
There are three primary reasons for SSLs: privacy, authentication, and data integrity. The first, privacy, is extremely important as the SSL certificate and encrypted connection it helps create protects the information your clients give you from being intercepted and viewed in “plain text”. This prevents your client information such as credit card numbers, usernames, or other personal data from being intercepted by malicious attackers.
This leads into the second point: authentication. SSLs help ensure that only the source and destination know what that data is and can use it, but also to prove to the source that they’re communicating with whom they expect to be communicating with. The SSL certificate is a quick and easy way to prove that a domain is legitimate, that a business has been vetted, and that the site a visitor is viewing is the one they expect to be seeing. Phishing sites are extremely common but due to SSL certificates and the vetting process it’s highly unlikely
Lastly, data integrity. In simple terms this means that the information a visitor sends you is the information you receive (and vice versa). This is just as important as the other two aspects since we want to ensure that if we make a financial transaction or purchase request that that request is interpreted correctly. The SSL certificate and the encryption / data integrity it provides allows businesses to provide their visitors with a level of certainty that what they ask of you or send you is what you receive.
All of the above points are extremely important for any entity on the internet today. Banking, medical, transportation, and shopping industries depend on protecting data communication. Compliance and regulatory organizations such as PCI or HIPAA have stringent requirements in order to be approved and an SSL certificate is almost always at the top of the list.
What Makes a Good / Better / Best SSL?
There are a few factors that are different among the various types of SSLs and how they are acquired. The first that you need to be aware of is key length. The easiest way to remember key length and what you should get is that bigger (longer keys) are better and provide stronger security. It’s common practice to now order an SSL with 2048 bits for the key length. You should no longer order SSLs with 1024 bit key lengths as those have been proven to be ineffective and can easily be broken by malicious attackers to snoop on data between your site and visitors.
Above I talked about certificate authorities and how not all of them are accepted by all browsers. This is a major component to consider when acquiring an SSL certificate since you need to know your audience and whether they may be using obscure browsers or only the popular variants. The larger base a browser has the more picky it will be since it needs to ensure that it provides the utmost security for the users it has to consider. The more well established certificate authorities also work to protect their reputation and want to be known for taking their vetting process seriously so as to be thought of as aiding individuals who may have malicious intent behind their SSL requests.
Lastly, the purpose for why you want an SSL. Today we see a push from every major tech company to “secure the web” and utilize SSL across the board. Every site should try and strive for providing the utmost security possible (or practical) to their visitors. SSL certificates, while necessary for businesses, are even relevant for simply informational and news related sites like blogs. Having an SSL for a blog can provide that security and confirmation to visitors that they are at the blog they expect and not a knock-off or phishing attempt or even someone attempting to pass along false information (such as a security blog telling people to use simple passwords).
What SSL Is Best For Web Server Hosting?
With our understanding of SSL certificates and how they are used we can now examine what is best for the common web server and hosting industry. While security is extremely important for any type of presence online we rarely see the need for the extreme vetting that EV SSL certificates require. The medical, financial, and transportation industries tend to have visitors that are wary and initially cautious simply due to those businesses being frequently imitated and targeted for malicious attacks. Additionally, they have stringent requirements for security guidelines that they are required to follow by law. EV SSLs are ideal for them, but not for the typical web server for a business online.
The organization or domain validated SSL is the ideal choice of validation for the overwhelming majority of businesses online since they’re faster to acquire and provide the same level of protection and visual confirmation. Unless you feel that having certain aspects of your business be identified by the SSL, a DV SSL with simple domain control validation is the SSL that best suits most people, businesses, and sites online.
In terms of what type of SSL to get, I frequently recommend that people plan for the future. The wildcard SSL allows you to provide simple SSL protection for your domain while also providing the freedom to expand with any subdomain that comes within the scope of your business plan or the needs of your site. You may not need to provide SSL protection for your sub-domains, but having the option is always better. Further: by having a single SSL certificate to keep track of you no longer need to be concerned with multiple certificates expiring on different days, reducing operational complexity. A single certificate simplifies replication across multiple web servers and eases administration duties, ultimately reducing your costs and risks.
Conclusion
Overall, only you will know the needs that your site online has and how to best fulfill them. Using an SSL certificate to protect your site and visitors is one of the easiest ways to convey that you take your presence online seriously and the security of your visitors as a priority. Thinking about the growth of your business and where you see your site going can help prevent technical issues for your web servers and how you protect them down the line.
