These days, we do most of our stuff online. We shop online, pay bills online, stream movies and TV shows online, meet people online and so much more, thanks to the Internet. We browse through so many websites and trust them with our identity and private data. Recently when Google, one of the biggest search engines, started favoring and rank boosting HTTPS websites, it became important to know and learn about HTTPS and SSL Certificates and to activate them on your website to gain the trust of both your customers and search engines. This article will empower you with the knowledge of why you need it and how it all works.
What are SSL Certificates?
SSL is short for Secure Sockets Layer, a protocol that secures the connection between your computer and a server. SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, a certificate activates the padlock and the HTTPS protocol, and is used to establish a secure encrypted connection between a browser (user’s computer) and a server (website). When an SSL certificate is installed on a website, as a user you can be sure that the information you enter is secured and only seen by the organization that owns the website.
Below is an image of how a website looks in the browser when an SSL certificate is installed.
Why do you need an SSL Certificate?
Millions of online businesses today use SSL certificates to secure their websites and allow their customers to place trust in them. It’s all about Trust and Security. Consumers feel safe entering their credit card info on a website they trust, and one of the ways to win over the trust of customers is to have your website work on HTTPS, which displays the padlock and the green address bar.
As a user, sharing your personal and private information with an HTTPS website ensures:
- No Network Eavesdropping
- No Man-in-the-Middle attacks
Eavesdropping is the unauthorized interception of a private communication. Without HTTPS, your private conversation with a server is sent entirely in plaintext and can be read by anyone sitting on the same network as you.
Man-in-the-middle (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. It is one of the most common attack practices of cyber criminals.
How does an SSL Certificate work?
SSL Certificates use something called Public key Cryptography.
SSL Certificates need to be issued from a trusted Certificate Authority (CA). An SSL Certificate Authority is an organization that issues digital certificates to organizations or individuals after verifying their identity. The information that it verifies is included in the signed certificate. It is also responsible for revoking certificates that have been compromised. The CA issues certificates in the form of a tree structure. A root certificate is the top-most certificate of the tree. All certificates below the root certificate inherit the trustworthiness of the root certificate.
The Root Certificate must be present on the end user’s machine for the Certificate to be trusted. That is why most major browsers, operating systems, and mobile devices maintain a list of trusted CA root certificates. Any certificate signed by a trusted root certificate will also be trusted. In turn, the signed certificate can sign another certificate, and it will also be trusted as long as the browser has all of the certificates in the chain to link it up to a trusted root certificate.
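The chain-of-trust rule described above, as an added example that is not part of the original article: it assumes the `openssl` command-line tool is installed and builds a throwaway root, intermediate and leaf certificate (all names and files are constructed), then shows that the leaf is accepted only when every link up to the trusted root is available.

```sh
#!/bin/sh
# Added example: all subjects and file names are constructed for this demo.

# Build a throwaway root -> intermediate -> leaf hierarchy in directory $1.
make_chain() (
  cd "$1" || exit 1
  cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF
  newreq() {  # $1 = file stem, $2 = subject; writes $1.key and $1.csr
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
      -keyout "$1.key" -out "$1.csr" -subj "$2"
  }
  sign() {    # $1 = subject stem, $2 = issuer stem, $3 = extension section
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
      -CAcreateserial -extfile demo.cnf -extensions "$3" -days 1 -out "$1.crt"
  }
  # The root signs itself; it plays the certificate shipped in a trust store.
  openssl req -x509 -config demo.cnf -extensions ca_ext -newkey rsa:2048 \
    -nodes -keyout root.key -out root.crt -subj "/CN=Demo Root CA" -days 1 &&
    newreq int "/CN=Demo Intermediate CA" && sign int root ca_ext &&
    newreq leaf "/CN=www.example.test" && sign leaf int leaf_ext
) >/dev/null 2>&1

# Does leaf $2 chain up to trusted root $1? $3 = intermediates sent (optional).
verify_leaf() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2"
  else
    openssl verify -CAfile "$1" "$2"
  fi >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) && make_chain "$d" || return 1
  verify_leaf "$d/root.crt" "$d/leaf.crt" "$d/int.crt" && echo "root + intermediate: trusted"
  verify_leaf "$d/root.crt" "$d/leaf.crt" || echo "intermediate missing: rejected"
  rm -rf "$d"
}
demo
```

A server that forgets to send its intermediate certificate produces the second result in clients that do not already hold that intermediate.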
What kind of SSL Certificate should you choose?
There are 3 broad categories to choose from, and the right one depends on your needs.
Some organizations wish to use SSL for encryption whereas some wish to enhance the trust in their identity and security. The 3 basic types of certificates are:
- Domain Validation (DV) SSL Certificate: The CA checks the right of the applicant to use a specific domain name. No information is displayed other than encryption information within the Secure Site Seal.
- Organization Validation (OV) SSL Certificate: The CA checks the right of the applicant to use a specific domain name and it conducts some vetting of the organization. Company information is displayed to customers when clicking on the Secure Site Seal.
- Extended Validation (EV) SSL Certificate: The CA validates domain ownership and conducts extensive vetting of you and your organization.
How to switch from HTTP to HTTPS?
The process of this transformation is as follows:
- Your Server should have a dedicated IP address. SSL Certificates require a website to have its own dedicated IP address. If you don’t have a plan with a dedicated IP, you can check if your current web host will upgrade your account to have a dedicated IP address. If not, switch to a host that allows you to.
- Generate the Certificate Signing Request (CSR) on the server. Go to your web hosting control panel such as WHM or cPanel. Go to the SSL/TLS admin area and choose to “Generate an SSL certificate and Signing Request”. Fill out the listed fields and submit the form to get a Signing Request. You’ll need to give this CSR to the SSL Certificate issuer so they can establish your identity.
- Submit the CSR and organization information to a Certificate Authority (CA). Submit the CSR that you generated in the previous step to the CA of your choice and pay the amount for the certificate of your choice.
- Have your domain and company validated. The CA will validate your request and send you the SSL Certificate at the email address you provided while generating the CSR.
- Install that SSL Certificate on your website. Once you have the certificate in hand, all you need to do is paste it into your web host control panel. Under the SSL/TLS menu of your control panel, find the option to install the SSL Certificate. Now try to visit your website with https:// instead of http:// and it should work if all steps were done right.
- Modify your website code to use HTTPS over HTTP. To ensure that people can only use specific pages securely no matter what links they come from, it’s best to use a server-side approach to redirect the user if the request is not HTTPS. There are many ways to do it, ranging from updating your website code to changing server configuration files. Choose whichever is easier for you.
Which Certificate Authority should you choose for your SSL Certificate?
You can buy a certificate for 5,000 INR that does the exact same thing as a certificate sold for 18,000 INR from another certificate authority. It’s the exact same SSL encryption.
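Steps 2 to 5 above done with the `openssl` command line instead of a control panel, as an added example that is not part of the original article. The hostname, organisation and file names are constructed, and a throwaway CA stands in for the real one so that the pre-install check (does the issued certificate belong to the private key on the server?) can run offline.

```sh
#!/bin/sh
# Added example: the hostname, organisation and file names are constructed.

# Step 2: create the private key and the CSR in directory $1.
make_csr() (
  cd "$1" || exit 1
  umask 077   # site.key stays on the server, readable by its owner only
  cat > csr.cnf <<'EOF'
[req]
distinguished_name = dn
req_extensions = san
prompt = no
[dn]
O = Example Pvt Ltd
CN = www.example.test
[san]
subjectAltName = DNS:www.example.test,DNS:example.test
EOF
  openssl req -new -config csr.cnf -newkey rsa:2048 -nodes \
    -keyout site.key -out site.csr
) >/dev/null 2>&1

# What the CA will see: the CSR as text (subject, SAN, public key, signature).
csr_text() { openssl req -in "$1" -noout -text -verify 2>&1; }

# Public key (PEM) held in a private key, CSR or certificate file.
pub_of() {  # $1 = key|csr|crt, $2 = file
  case "$1" in
    key) openssl pkey -in "$2" -pubout ;;
    csr) openssl req  -in "$2" -noout -pubkey ;;
    crt) openssl x509 -in "$2" -noout -pubkey ;;
  esac 2>/dev/null
}

# Step 5 pre-install check: was this certificate issued for this private key?
cert_matches_key() {
  c=$(pub_of crt "$1") && k=$(pub_of key "$2") && [ -n "$c" ] && [ "$c" = "$k" ]
}

# Stand-in for steps 3-4: a throwaway CA signs the CSR (a real CA does this).
issue_demo_cert() (
  cd "$1" || exit 1
  openssl req -x509 -config csr.cnf -newkey rsa:2048 -nodes -days 1 \
    -keyout ca.key -out ca.crt -subj "/CN=Stand-in Demo CA" &&
  openssl x509 -req -in site.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -out site.crt
) >/dev/null 2>&1
```

Only `site.csr` is sent to the CA; it carries the public key and the requested names, never the private key.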
Then why the difference?
Trust is the biggest difference. Companies like VeriSign have been around for longer than other certificate authorities, so more people trust them and they can charge more. You are essentially paying for the brand. Below is the list of 5 famous trusted SSL Certificate providers:
Choosing the best and most reliable SSL certificate provider available might be a matter of trust. You may be getting a provider that gives out inexpensive certificates but is not well known. At the same time, some of the more inexpensive certificates are just as reliable as the expensive ones. Beyond that, you should take a look at the level of service that your provider is giving you.
Buying an SSL Certificate from a little-known provider just because they’re providing certificates at very cheap rates is not always the best choice. CAs have been hacked in the past and are being actively targeted by cyber criminals. A big provider usually has good counter-measures and defenses in place. Your customers will have to pay the price if the CA who issued you the certificate gets hacked, which in turn will lead to the customers losing trust in your organization. So, choose wisely.
If you purchase a DV Certificate, you can receive it within a few minutes to hours. For an OV Certificate, the time ranges from an hour to a few days, whereas an EV Certificate takes days to receive because of the extensive checks that need to be done by the CA before it issues you the certificate.
Disadvantages of SSL
It is important for you to know a few disadvantages of SSL Certificates.
Cost is an obvious disadvantage. As mentioned before, certificate prices differ from provider to provider and since there is a cost involved in setting up a CA infrastructure and validating your identity, certificates from trusted providers don’t come cheap.
Performance is another disadvantage of SSL. Because the information that you send has to be decrypted by the server, it takes more server resources than if the information weren’t encrypted. A lag is only noticeable in the case of servers with a high number of visitors, and even that can be minimized.
Yes, the advantages that SSL Certificates provide far outweigh the disadvantages, but you should be aware of them.