Endorsed Encryption: How SSL Certificates Protect Your Website

SSL certificates serve two purposes: they prove an online destination’s claimed identity to visitors, and they secure the traffic between client and website. Using the internet to access different sites is really just connecting users to virtual locations that claim to be the digital presence of a specific entity. But unlike driving your car to an establishment — say Starbucks — in real life, how do you know the place you’re going to on the internet is the place it claims to be?

Some kind of sanctioned and universally recognized license would do the trick; commercial SSL certificates fulfill that role and meet the demand. Most e-commerce website operators know they need to acquire and use SSL certificates to successfully conduct business, but why is that? What does an SSL cert really do? I’ll explain.

SSL certificate-enabled sites negotiate an SSL/TLS encryption key between themselves and the client browser, then run encrypted traffic over port 443, as opposed to a non-SSL, unencrypted site running traffic over port 80 — HTTPS versus HTTP. Suffice it to say, an SSL-certified website is much more security-minded than a non-SSL site. You’ll know you’re on an SSL-enabled site if you see the padlock at the far left of the address bar. Clicking this padlock will disclose more information about that certificate.

Two different kinds of SSL certificates are commonly used: commercially signed and self-signed. Either type does the same job, establishing a secure connection to a website, but each is normally used for different reasons.

Commercially signed SSL Certificate

This SSL cert type is what the majority of businesses use. As I mentioned earlier, SSL certificates are popular for e-commerce sites, verifying that the site being visited is who it claims to be. Of course, there are other uses for SSL certificates, such as running a trusted email service, but e-commerce sites are possibly the biggest users.

Purchasing and using a commercially signed certificate from a Certificate Authority (CA) provides a level of trust in that domain. Although purchasing a CA-signed cert can be expensive, it means that a CA has vetted your site and it is now deemed trustworthy to the level of certificate assigned (more on this below). Consider it the cost of doing business online. It should be well worth it.

There are currently three different levels of commercially signed certificates. Each level indicates the depth to which the site has been vetted by its CA. You’ll pay more for a more deeply vetted certificate.

1. Domain Validated certificate (DV). Trust-this-site-level = I’ve seen this guy at a party before.

A very inexpensive certificate. The CA checks only whether the website operator controls the chosen domain name. That’s it. Nothing more. The operator’s identity is not vetted and, consequently, the site is not particularly trustworthy. A website operator would most likely get a DV cert for internal use within a company, but not for external visitors.

2. Organization Validated certificate (OV). Trust-this-site-level = This is my friend.

This is the certificate that website operators would purchase for a website to be considered trustworthy on a public front. A CA will vet the website operator, sometimes going so far as to investigate the operator’s personnel.

3. Extended Validation certificate (EV). Trust-this-site-level = I invited this person to my wedding.

The EV costs significantly more than the OV and DV, but its value in the public domain is acknowledged, respected and remarkable. The CA will check an EV applicant’s rights to use a domain. It will run an in-depth investigation of the entire organization, ultimately determining whether it deserves this extended certificate.

In addition, the CA verifies that the website operator’s company exists, that it is a legal entity, and that it is allowed to hold the rights to the domain name. For an EV certificate the CA even checks the applicant’s data against official records. You can find the EV guidelines at the CA/B Forum.

Website operators can purchase SSL Certificates from CAs such as Verisign, Comodo, and GlobeSSL. Many more are out there, but these are arguably some of the most popular.

Self-signed SSL Certificates

Less well understood and, therefore, under-utilized, self-signed certificates can be useful for SSL certificate security. Self-signed certificates cost nothing — one of the biggest reasons these certificates exist and are used.

The question people most often ask when considering a self-signed cert is: “Can I use this for my e-commerce site?” The simple answer is, “Technically, yes.” But a self-signed cert won’t validate your site as trusted to the public. This isn’t a certificate that has been vetted by a legitimate third-party authority; it’s one that has been validated by the owner of the certificate. A website with a self-signed certificate is saying, “you can trust me when I say that I am who I say I am.”

When connecting to a self-signed SSL-encrypted site for the first time, your browser will most likely ask whether you trust the certificate, much the same way that an SSH connection will ask you to trust the server’s RSA key on first connection. As long as you’re sure it’s the correct location, click accept. Depending on your browser and settings, subsequent visits to the same site will not generate that prompt again: accepting the initial prompt pinned the certificate to the domain, so later connections proceed immediately.

When using a self-signed certificate for your own web servers, you can export the encryption key generated on the server and import it into your local browser as trusted. Afterwards, your browser should treat the self-signed certificate as trusted, without prompting.

With the above configuration, your computer and the website server communicate seamlessly, working in the same manner as if a commercially signed certificate were in effect. This means that while you’re connected to that same site, over and over, you are protected against some legitimate threats, like Man-in-the-Middle attacks.
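The trust decisions described above, as an added example (not from the original post) in Python using only the standard library: it assumes the `openssl` command is on PATH to mint a constructed self-signed certificate for `localhost`, then shows a client rejecting that certificate against the system root CAs, accepting it once the certificate file (the public half, never the private key) is imported as trusted, and still rejecting it when the requested hostname does not match, which is the "pinned to the domain" behaviour the post describes.

```python
import os, socket, ssl, subprocess, tempfile, threading

HOST = "localhost"  # name the constructed self-signed certificate is issued for

def make_self_signed(dirpath, host=HOST):
    # Uses the openssl CLI (assumed on PATH). Only cert.pem, the public half, is handed out.
    key, crt = os.path.join(dirpath, "key.pem"), os.path.join(dirpath, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-keyout", key, "-out", crt, "-subj", f"/CN={host}",
                    "-addext", f"subjectAltName=DNS:{host}"], check=True, capture_output=True)
    return key, crt

def start_server(key, crt, connections):
    # Answers `connections` TLS handshakes on 127.0.0.1 in a background thread; returns the port.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)            # the private key never leaves the server
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(connections)
    def run():
        for _ in range(connections):
            conn, _ = srv.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.sendall(b"hello over TLS")
            except OSError:                  # client refused our certificate mid-handshake
                pass
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def connect(port, cafile=None, hostname=HOST):
    # Client side: the same two checks a browser makes, trust store first, then hostname.
    ctx = ssl.create_default_context(cafile=cafile)   # cafile=None -> system root CAs only
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw, \
                ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return "accepted", tls.recv(64).decode()
    except ssl.SSLCertVerificationError as exc:
        return "rejected", exc.verify_message

def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        key, crt = make_self_signed(tmp)
        port = start_server(key, crt, connections=3)
        return {"system_roots": connect(port),                # no CA vouches for this cert
                "imported_cert": connect(port, cafile=crt),   # cert imported as trusted
                "wrong_host": connect(port, cafile=crt, hostname="example.com")}

if __name__ == "__main__":
    print(run_demo())
```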

The CA from which you receive your certificate typically explains how to set up a fairly uniform and standardized SSL installation on your web server:

1. Apply for the certificate.
2. Validate that you are the domain owner.
3. Receive a package of files.
4. Place these files in a specifically named folder on the server.
5. Create a configuration for the HTTPS site.
6. Restart your web server.

Let’s Encrypt — Exception to SSL certificate rule

Besides commercially signed and self-signed SSL certificates for website verification, you can also consider a third solution: Let’s Encrypt.

Let’s Encrypt fulfills the same purpose as either type of certificate by providing SSL certificates that are trusted by nearly all major browsers.

And it’s free. For many small business owners, “free” is a godsend. Hosting a website for any sort of community becomes much more secure and much less a headache when validity and trustworthiness cost nothing.

I recommend that anyone who is hosting a website give Let’s Encrypt a try. Linode provides a useful guide to get started with it. With that guide in hand, any website owner without an SSL certificate will have no excuse not to try Let’s Encrypt. It’ll be configured and running in mere minutes.

SSL certificates are powerful and necessary in today’s digital landscape. A website establishing trust is critical when working in the public domain, and security is absolutely essential when it comes to protecting visitors and customers.

Acquiring SSL certificates addresses both of these concerns. Combined with wonderful tools like Let’s Encrypt, your website becomes trusted, secure for, and fully accessible to, everyone.

Do you have stories involving your forays into the world of SSL acquisition? Do you have any comments about obtaining SSL certificates? Leave a comment or send a tweet to me, @feelingsohsoh!