Understanding SSL Certificates and Which One your Website Needs
Thursday August 22, 2019
In today’s security-focused world, securing your website, as well as the server it is running on, is an important and necessary task for any website owner. SSL certificates are on the front line of this defense, serving to secure the connection between your web server and your clients. However, it can be an intimidating concept for beginners, given all the various options and different levels to choose from — so how do you know what your website needs? Should you buy the most expensive certificate available, or settle for a free SSL certificate?
What is SSL, anyway?
The primary function of SSL (Secure Sockets Layer) is to secure the connection between your website and its visitors by encrypting the traffic while it’s in transit over the Internet. This provides numerous benefits, including combating man-in-the-middle attacks. The idea behind encryption is that even if someone along the way can view the data while it’s in transit, they need the encryption keys to decipher it into something readable.
In addition, an SSL certificate serves to validate the identity of a website. For example, if you go to your bank’s website you want to know that the website is indeed operated by your bank, and not by an imposter. This helps to protect against phishing attempts and other fraudulent behavior that can damage your brand, or worse.
Types of SSL Certificates – and what’s the difference?
There are several common types of SSL certificates which you’ll see when you’re shopping around.
The key difference between the SSL certificates is how they are verified, and how much of a vetting process is involved in checking the identity of the applicant. This is done by the issuer of the SSL certificate, known as the certificate authority. Often, the quality of a certificate is tied directly to the reputation of the issuing certificate authority.
Paid SSL certificates typically also come with an insurance policy, providing financial compensation if there is a breach in which the certificate authority could be found at fault. This is vital protection for a website operator who is handling monetary transactions, such as an eCommerce site. Usually, this insurance coverage will increase with a more expensive SSL certificate offering. You would want to check with your SSL vendor if this is important to you.
Domain Validated (DV) SSL
A domain validated SSL certificate is usually the cheapest and most common type of paid SSL certificate. While you do usually place company information into the certificate request, none of this is actually vetted when applying for the certificate.
The only thing checked is that you control ownership of the domain name covered by the SSL certificate. Usually, this is checked by one of a handful of common methods, such as creating a DNS TXT record, receiving a validation email on an administrative contact email address for the domain, or placing a validation code into the website’s code.
A DV SSL certificate from a common certificate authority will be accepted by any major web browser and will show a standard https:// link, sometimes with green text or a padlock icon to indicate that the site is secure. It is the most common type of certificate and is an everyday sight while browsing the web.
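The three domain-control checks described above (DNS TXT record, validation email, validation code on the website) all reduce to the same idea: the certificate authority picks an unguessable value and confirms that the applicant can place it, or read it, somewhere only the domain's controller could. The following added example simulates that CA-side logic in Python. It is not code from GigeNET or from any real certificate authority; the DNS label, URL path and mailbox names are hypothetical, and the DNS zone, web root and inbox are constructed in-memory stand-ins so the example runs offline.

```python
import hmac
import secrets

CHALLENGE_LABEL = "_validation"               # hypothetical DNS label, not a real CA's
CHALLENGE_PATH = "/.well-known/validation/"   # hypothetical URL path, not a real CA's
ADMIN_MAILBOX = "admin"                       # one of the usual administrative addresses


class FakeDomain:
    """Constructed stand-in for a domain the applicant controls: its DNS zone,
    web root and mailboxes, held in memory so the example runs offline."""

    def __init__(self, name):
        self.name = name
        self.txt_records = {}   # fqdn -> list of TXT values
        self.web_files = {}     # path -> body served at that path
        self.inbox = {}         # address -> list of delivered messages


class DomainValidator:
    """Hypothetical CA-side check: issue an unguessable token, then confirm the
    applicant can publish it (DNS, HTTP) or has received it (email)."""

    def __init__(self):
        self.pending = {}       # (domain name, method) -> outstanding token

    def issue_challenge(self, domain, method):
        token = secrets.token_urlsafe(32)          # 256 bits of randomness
        self.pending[(domain.name, method)] = token
        if method == "email":
            # The CA chooses the address; the applicant cannot redirect it.
            address = ADMIN_MAILBOX + "@" + domain.name
            domain.inbox.setdefault(address, []).append(token)
            return None                            # applicant must read the mailbox
        return token                               # applicant must publish this value

    def verify(self, domain, method, submitted=None):
        token = self.pending.get((domain.name, method))
        if token is None:
            return False                           # nothing outstanding for this pair
        if method == "dns":
            values = domain.txt_records.get(CHALLENGE_LABEL + "." + domain.name, [])
            ok = any(hmac.compare_digest(v, token) for v in values)
        elif method == "http":
            body = domain.web_files.get(CHALLENGE_PATH + token, "")
            ok = hmac.compare_digest(body.strip(), token)
        elif method == "email":
            ok = submitted is not None and hmac.compare_digest(submitted, token)
        else:
            ok = False
        if ok:
            del self.pending[(domain.name, method)]   # one-shot: a passed check cannot be replayed
        return ok


def run_demo():
    """Walk an applicant through all three methods and report each outcome."""
    d = FakeDomain("example.test")
    ca = DomainValidator()
    results = {}

    # DNS: applicant publishes the token in a TXT record under the challenge label.
    tok = ca.issue_challenge(d, "dns")
    d.txt_records[CHALLENGE_LABEL + ".example.test"] = [tok]
    results["dns"] = ca.verify(d, "dns")
    results["dns_replay"] = ca.verify(d, "dns")      # token already consumed

    # HTTP: applicant first serves the wrong body, then the right one.
    tok = ca.issue_challenge(d, "http")
    d.web_files[CHALLENGE_PATH + tok] = "not-the-token"
    results["http_wrong"] = ca.verify(d, "http")
    d.web_files[CHALLENGE_PATH + tok] = tok + "\n"   # trailing newline is tolerated
    results["http"] = ca.verify(d, "http")

    # Email: applicant reads the code from the admin mailbox and submits it.
    ca.issue_challenge(d, "email")
    code = d.inbox["admin@example.test"][-1]
    results["email_guess"] = ca.verify(d, "email", "123456")
    results["email"] = ca.verify(d, "email", code)
    return results


if __name__ == "__main__":
    for method, passed in run_demo().items():
        print(f"{method:12s} {'PASS' if passed else 'FAIL'}")
```

The design points worth noting for a website owner are the ones a CA relies on: the token is long and random so it cannot be guessed, the comparison is constant-time, the CA decides which mailbox or path is consulted, and a challenge is discarded once it has been satisfied.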
Organization Validated (OV) SSL
An OV SSL certificate is similar to a DV SSL certificate, but additional details of the company registering the certificate will be vetted by the certificate authority. In addition to everything a DV SSL provides, the certificate authority will generally provide a secure site seal: an image that can be embedded in the website, which visitors can click to get more information about the website owner.
An OV SSL certificate otherwise will appear the same in a visitor’s web browser. The additional vetting is simply an option to provide added credibility to the visitor that the website is being operated by a legitimate business.
Extended Validation (EV) SSL
An EV SSL certificate is the most expensive type of SSL certificate and brings with it the most thorough vetting process. Before issuing an EV SSL certificate, the certificate authority will verify that the applicant company is an existing legal operating entity with a physical place of business, verify applicant details against official records, and independently verify that the applicant company has authorized the issuing of a certificate. Generally, this validation process is the slowest, as it often requires a verification letter to be sent through the mail.
The significant benefit of an EV SSL certificate is that it displays differently in the visitor’s web browser. In addition to displaying as a valid SSL-secured connection, in most web browsers an EV SSL will also display the name of the company in green text just before the URL in the address bar. This increases a visitor’s confidence in the legitimacy of the business operating the website.
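The DV, OV and EV sections above differ in how much identity information the certificate authority verifies, and that difference is visible in the certificate's subject field: a DV certificate names only the domain, an OV certificate adds the organization, and an EV certificate also carries business-category and jurisdiction attributes. The following added example (not code from GigeNET or from any certificate authority) classifies a certificate by that rule using only Python's standard `ssl` module, which returns certificates in the nested-tuple form shown in the constructed samples below. The DV/OV/EV mapping is an assumed heuristic for illustration, not an authoritative determination; the sample certificates and their dates are constructed, and `fetch_peer_cert` is only there to show how a real certificate would be obtained and is not run by the example.

```python
import socket
import ssl
from datetime import datetime, timezone

# Subject attribute names as ssl.SSLSocket.getpeercert() reports them (OpenSSL long names).
ORG_FIELDS = {"organizationName"}
EV_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}


def subject_to_dict(subject):
    """Flatten getpeercert()'s nested subject tuple into {attribute: value}."""
    flat = {}
    for rdn in subject:
        for name, value in rdn:
            flat.setdefault(name, value)
    return flat


def classify_validation(cert):
    """Infer DV / OV / EV from the subject of a getpeercert()-style dict.

    Assumed heuristic: DV carries at most a commonName, OV adds organizationName
    (usually with locality/country), and EV additionally carries the business
    category, jurisdiction and registration number required by EV vetting."""
    subj = subject_to_dict(cert.get("subject", ()))
    if ORG_FIELDS.issubset(subj) and EV_FIELDS.issubset(subj):
        return "EV"
    if ORG_FIELDS.issubset(subj):
        return "OV"
    return "DV"


def days_until_expiry(cert, now=None):
    """Whole days left before notAfter, parsed with ssl's own date helper."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days


def covers_hostname(cert, hostname):
    """True if hostname matches a subjectAltName DNS entry (exact, or one-label wildcard)."""
    host = hostname.lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value == host:
            return True
        if value.startswith("*.") and host.split(".", 1)[1:] == [value[2:]]:
            return True
    return False


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch a live server's leaf certificate (needs network; not used by the samples)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() format; names, dates and values are made up.
DV_CERT = {
    "subject": ((("commonName", "blog.example.test"),),),
    "subjectAltName": (("DNS", "blog.example.test"), ("DNS", "*.blog.example.test")),
    "notBefore": "Aug 22 00:00:00 2019 GMT",
    "notAfter": "Nov 20 00:00:00 2019 GMT",
}
OV_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Shop LLC"),),
                (("commonName", "shop.example.test"),)),
    "subjectAltName": (("DNS", "shop.example.test"),),
    "notBefore": "Aug 22 00:00:00 2019 GMT",
    "notAfter": "Aug 21 00:00:00 2020 GMT",
}
EV_CERT = {
    "subject": ((("jurisdictionCountryName", "US"),), (("businessCategory", "Private Organization"),),
                (("serialNumber", "0000000"),), (("countryName", "US"),),
                (("organizationName", "Example Bank, Inc."),), (("commonName", "www.examplebank.test"),)),
    "subjectAltName": (("DNS", "www.examplebank.test"), ("DNS", "examplebank.test")),
    "notBefore": "Aug 22 00:00:00 2019 GMT",
    "notAfter": "Aug 21 00:00:00 2020 GMT",
}


if __name__ == "__main__":
    for label, cert in (("DV", DV_CERT), ("OV", OV_CERT), ("EV", EV_CERT)):
        print(label, classify_validation(cert), days_until_expiry(cert), "days left")
```

For a live site, `classify_validation(fetch_peer_cert("www.example.com"))` applies the same rule to whatever the server presents. Two caveats: the heuristic reads subject fields only, so a CA that populates them differently could be misclassified, and none of this replaces the browser's own chain and hostname validation, which `fetch_peer_cert` leaves switched on through `create_default_context()`.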
What about the free SSL certificate options?
With the push to put SSL on every website, these days there are some certificate authorities offering free SSL certificate options. Some popular options include Let’s Encrypt and cPanel’s AutoSSL. With these options in play, is there a reason to pay for an SSL certificate anymore?
Many website owners can now benefit from the free SSL certificates that are available from such providers. Generally speaking, these SSL certificates are comparable to the lowest-end paid certificates, Domain Validated (DV) SSL certificates.
From a security standpoint, generally, there isn’t a downside to using the free SSL certificates from these vendors. They provide comparable levels of encryption and show as valid and secure in any major web browser. One potential downside is that they may require more expertise to set up, though cPanel’s AutoSSL makes the setup pretty straightforward.
Keep in mind, if the insurance provided with paid SSL certificates is important to you, this is generally absent from the free SSL certificates. This reduces the accountability of the certificate authority and therefore may make these a poor fit for websites handling financial transactions or busy eCommerce sites.
Which SSL certificate is right for me?
As always, you should do all the necessary research to make sure all of your bases are covered, but a good rule of thumb might be:
- For a small, personal website not handling financial transactions (such as an online resume or personal blog), a free SSL certificate or a DV SSL is usually sufficient.
- For a larger site, an eCommerce site, or any site handling financial transactions, a paid DV SSL certificate would be the minimum. If you are concerned about appearing as a legitimate business or insuring your business in the event of a breach, you may want to consider the more expensive certificates such as OV or EV SSL, due to the increased insurance coverage and the trust conveyed to visitors by these certificates.
Whichever option you choose, any level of SSL protection is better than none. GigeNET can help you find the right certificate for your business and navigate the process alongside you, from start to finish.