You may have heard something about SSL certificates while building and operating a website, but you haven’t dared to look into the matter in detail until now. But believe me, it’s not as complicated as it sounds.
What is this certificate?
An SSL certificate is a digital signature for a website, which is needed to securely transmit data on the Internet. SSL stands for Secure Sockets Layer, a security protocol that creates an encrypted connection between a web server and a web browser.
In simple words, the certificate makes an encrypted connection between users and the site. This ensures that all the information they exchange is protected from outsiders, such as the ISP, the WI-FI network operator and intruders.
How do I know if a website is protected or not?
It’s straightforward – you just have to look in the page’s address bar (also called URL). You should see a closed padlock icon, usually on the left of the link (or directly on it – it depends on your browser) and HTTPS – the extra ‘s’ for “secure”.
Why do you have to go in cipher in the first place? I’m not doing anything illegal.
Because when users enter the site, they leave a lot of information about themselves – bank card numbers, passport details, phone numbers, logins, passwords and much more.
Let’s imagine a situation – you’re paying for an order online, and you’re asked to enter your bank card number. The browser sends this information to the server, where a particular piece of software checks the card’s authenticity and sends a receipt for the purchase. The bank then withdraws the money from the card. You would think, what’s the big deal? But usually, the browser transmits all the information in cleartext. That means that fraudsters can get in the way of this transmission, intercept your card details and use them for their own purposes. This type of fraud is complicated to trace. Usually, everything becomes apparent after the fact, when the money has disappeared from the card, or your account password has been stolen.
That is why online shops, banks, payment systems, social networks, forums – all sites that process personal data and conduct financial transactions – need to protect themselves first and foremost.
So such secure sites cannot be hacked by hackers?
SSL protects the website from intercepting information that the user exchanges with the site. Some SSL certificates also confirm (OV and EV) that the visitor to the web resource is dealing with an official site that belongs to a specific owner. This is especially true when most online shops announce large New Year’s or Christmas sales towards the end of the year. Attackers take advantage of this and create so-called clone sites and phishing pages.
But by clicking on the lock, you can verify the authenticity of the organisation. By clicking on the ‘More information’ tab, you will find the following information
- the domain name to which the SSL certificate is issued;
- the legal person who owns the certificate.
Does that mean that when I enter my username and password on a site that does not have a certificate, they can be stolen?
Yes, the risk of data interception is off the charts. Unencrypted information can be intercepted by an unscrupulous ISP, the site hoster, or an intruder connected to the same WI-FI network as you. Another disadvantage of an unprotected site is that they can collect information that will then be sold to third parties for targeted advertising.
What are the other benefits of SSL for the website owner?
Users get used to the fact that all large projects use SSL certificates. The “Protected” label and the padlock give the website visitor the idea that they and their data are safe.
For example, most browsers and search engines actively fight insecure sites. Google, for example, lowers them in search results and sends special warning pages to the user’s screen.
Also, some payment systems (PayPal) and services (Google Chrome Voice Assistant) work only with websites with HTTPS protocol. If the specifics of your work imply interaction with similar services, we recommend that you install an SSL certificate.
OK, a certificate is needed. Is it the only one like that?
No, there are several types of SSL certificates.
Firstly, certificates are divided into three groups according to the type of how the site will be verified:
- The DV (Domain Validation) certificate validates the domain and encrypts and protects the data during transmission using the HTTPS protocol. Both individuals and organisations can install it on a website. The certificate is usually issued quickly – certainly not longer than three hours. Once the certificate has been published and installed, a padlock symbol appears on the website, and the page becomes protected.
- The second type is OV (Organization Validation) SSL. The main difference is that in addition to protecting the website, it also confirms the domain ownership of a specific company. The certificate is issued only to companies with a verified phone number and legal address. Users can find information about the company that owns the website by opening the certificate’s details. Generally, this type of SSL certificate is issued within 3 days.
- EV (Extended Validation) certificate is the same as the OV certificate. The main difference is that when you click on the lock, the company’s name appears. The point is that the company’s tax and commercial activities are checked in detail. EV SSL is usually issued within 5 days.
Secondly, they may differ in the number of domains and subdomains protected. SSL certificates differ in the type of protection. There are three types of certificates in this category:
- For a single domain. – the certificate will protect the main domain or any subdomain. This SSL is suitable if customers enter personal data on a single website page. For example, this certificate is ideal for a unique website, a blog or a promotional page.
- For several domains. Of the same company. A certificate is also suitable for companies with “mirror” sites in other domain zones. Or, for example, for sites with contests and promotions hosted on a separate domain.
- For subdomains. This SSL will protect the primary domain and all subdomains it is released on, e.g. *.arkhost.org or *.blog.arkhost.org. This type will be suitable for a site with sections on subdomains, e.g. sites where you can create personal accounts – online shops or banks.
Certificates of all of the above types provide traffic encryption between the website and the browser. They also have the additional options we mentioned above:
- WildCard – secures the connection to the domain and all its subdomains.
- SAN – secures domains according to the list specified when obtaining the SSL certificate.
So, where can I get an SSL certificate?
Here too, it is simple – at special certification centres. These centres confirm the authenticity of encryption keys utilising electronic signature certificates. You may have already met such CA names as GlobalSign, Symantec, Comodo, Thawte, GeoTrust, DigiCert.
Certificates are also distributed by the partners, including ArkHost.org.
Why should I need to buy it when there are free certificates?
There are several types of free certificates available. There are projects such as CloudFlare or LetsEncrypt, where you can get a certificate for free and on your own. These certificates are only issued for 3 months and then require renewal (sometimes for a fee). But there are a number of disadvantages to installing and using them. For example, these certificates do not provide a seal of trust. Also Cloudflare certificate is issued for 50 sites at once, which entails security risks. When talking about LetsEncrypt, please note that the certificate is only supported in modern web browsers. LetsEncrypt is fully integrated with all web hosting packages available on ArkHost.
What is the seal of trust?
A trust seal is a special sign that allows visitors to see that the connection to your site and all data transmitted is secure.
There are two types of seal:
- Static – a PNG format image that is attached to certificates with domain validation. When a user clicks on an image they are redirected to a page with information about the certificate.
- Dynamic – the same image, but without link. When hovering the cursor, an embedded window opens with detailed information about the company and the certificate protecting the site.
Visitors see the SSL seal on the site, reassuring them that their connection is secure. You can shop, transfer money, and not have to worry about data being intercepted by fraudsters. And as user trust in the site grows, so does conversion.
We hope you found our article useful and that we helped you understand the issues about SSL certificates. Don’t forget that your clients are not just registering on your website, but entrusting you with their personal data. Don’t let them down, take care of website security now with ArkHost.