Seeing “https” at the beginning of a url is typically proof that a site is using an ssl certificate to encrypt and secure the browser session. But, a pop up window warning that the certificate isn’t valid is a sign that something is not right. Warnings like that can scare away your online customer. As a website owner, choosing and buying the best SSL certificate for your business can be a confusing task if you’re not a developer and/or if you have never purchased an SSL certificate.
If you have a web application that requires secure communications like e-commerce then you typically need to use one of a certificate to encrypt the transactions between your servers and users.
Installing and using an SSL certificate for your website shows users that you care about the security of their transactions and are taking steps to secure their web sessions. Not having a certificate to encrypt monetary transactions and/or sensitive data transactions makes you look like an amateur and can scare away your customers.
A little background on how the technology works:
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL) are protocols that are used to encrypt the traffic that goes back and forth between your website and a user’s browser.
The special encrypted connection is typically made by attaching to a specific communications port on your server that only allows access via encrypted SSL/TLS. i.e. port 443 for your browser or port 22 for remote command line server access.
The simplified steps that happen here are basically:
- First, the client contacts the server and sees what encryption they both can support (cipher and hash).
- Then the server sends a public certificate (identifying itself, server name, the trusted certificate authority (CA) and the server’s public encryption key
- Then the client verifies with the CA that issued the certificate that this is a valid certificate.
- Finally, a session key is generated by the client with the server public key that only the originating server can decrypt with its private key. They now share a secret and trust one another, communicating between each other via encrypted messages.
For those that want to get a little more technical,
3 main things are going on here:
- an SSL handshake between parties is used to authenticate one another
- An encryption algorithm is used to keep the data secure between the two parties
- A MAC (Message Authentication Code) algorithm is used to generate the message digest which when kept intact between parties is used to verify that the integrity of communication remained secure and that the data transmission between the two was not tampered with.
So now, if you need a certificate let’s talk about getting one…
There are 3 different types of certificates that you can use:
- A “self signed” one. (you create it yourself, doesn’t give others confidence that you are who you say you are, but it is FREE! … and sufficient for testing)
- A “Domain validated” one. (a third party, the CA, issues the certificate and verifies that you own the domain that you use it on. This is great way to save money, but doesn’t give users a high level of confidence in your identity)
- A “Fully authenticated” certificate – In this case, the third party (the CA) requests you to provide many types of proof to validate who you are and validate your business, domain ownership, and your authority to be issued the certificate. This gives your users more confidence in doing business with you although this type of certificate typically take the longest time to get and costs the most to purchase.
What you choose really depends on what you need. Just remember, you get what you pay for … and the more expensive certificates have much higher levels of security assurance and offer special perks like transaction insurance, better reliability and even a big green bar to brag about your high level of validation. Like anything else they are not foolproof and have their limitations but SSL certificates are one of the easiest ways to get your users confidence and add security to your site.
For more examples, a comparison of certificate providers and to purchase an SSL certificate check out the following urls: