The Internet is a wonderful place for many people: free access to information, global communication, unlimited exchange of knowledge, etc. But unfortunately, not all users of the World Wide Web have good intentions.
Hackers, for example, have always invented new methods to recover sensitive data, such as emails or online banking passwords. To this end, for example, they have created fraudulent websites similar to those of reputable companies.
Incautious users quickly fall into the trap and unwittingly hand over personal data to criminals. Even harmless sites can be abused by hackers: if the transmission between you and the server of the website operator is not sufficiently secured, third parties can gain access to the data stream.
In order to protect the data of Internet users against such criminal activities, standardized SSL certificates have been established. Thus, a website assures the user (or more precisely: the corresponding browser) and can assert: your data is safe with us!
SSL stands for secure sockets layer. It is an encryption protocol in the TCP/IP protocol stack. An SSL certificate serves as binding proof of identity. Also, the certificate often contains information with which the browser and server can establish encryption. Today, most certificates are based on Transport Layer Security (TLS) technology by default, but the old name is still used.
What is an SSL certificate?
Today, certificates no longer work with the outdated SSL protocol but rely on the newer and more secure Transport Layer Security (TLS). In practice, however, we still most often talk about SSL certificates when it comes to securing websites and servers with encryption technologies.
The certificate itself is a simple record of data: a file that contains a large amount of information, such as the name of the issuer, the serial number, or its fingerprint. Certificates are available in different file formats. If website operators want to use a certain certificate, they must install it on the server.
To obtain a certificate, website operators must contact a certificate authority. These organizations have the right to issue an SSL certificate, but they usually charge a fee for their services.
But why can’t everyone just start their own organization?
The reason is as follows: browser vendors such as Microsoft, Mozilla, or Google must also accept certificates, otherwise the corresponding certificate has no advantage whatsoever.
The software publisher Symantec experienced this problem: Google withdrew its trust from this publisher, and its certificates are no longer supported by Google Chrome. As a result, users of Google’s browser no longer receive the encryption icon that indicates secure data transfer when visiting a website that uses a Symantec certificate.
How long is a certificate valid?
A certificate accepted by browsers is not valid forever. Each SSL certificate has an expiration date, which is between 3 and 24 months after issuance. After that, the website operator must renew the certificate; otherwise, the corresponding pages will no longer be considered secure.
Although regularly renewing certificates can be both time-consuming and costly for website operators, it is still necessary. User security can only be guaranteed if authentication authorities regularly check the integrity, identity, and encryption mechanisms used.
There are several ways to encrypt data transfers. Typically, you need a key to encrypt something and the same key to make the message readable again. However, this method doesn’t really make sense on the Internet, because Internet users often come into contact with people or organizations that they have never communicated with before. Therefore, SSL certificates use a different procedure.
In a public key infrastructure, you create not just one key but two: a fully public key and a private key. A message encrypted with the public key can only be decrypted with the private key. It is this public key that the browser receives via the certificate and uses for encryption. There are different methods of encrypting information; here too, the web server provides the browser with the necessary information via the certificate.
For example, AES (Advanced Encryption Standard) combined with the cryptographic hash function SHA256 is a commonly used encryption method. But because hackers and cryptography experts are constantly working to identify vulnerabilities in encryption mechanisms, the standards change regularly. A method that was considered infallible last year can quickly be weakened and thus be considered dangerous later.
What are the different types of SSL certificates?
There are several types of SSL certificates. Although there are different vendors with varying verification mechanisms, these factors are not the deciding criteria. Rather, SSL certificates are differentiated based on, among other things, the applicant’s degree of verification and the scope of the certificate range.
Verification
There are three types of verification. These differ not only in terms of processing time but also in terms of costs. While domain validation SSL certificates are now available for free, individuals and small businesses are rarely able to cover the cost of extended validation.
Domain Validation (DV)
Domain Validation (DV) is the first level of SSL certificates: verification of the person behind the website address is superficial. Often, the certificate authority simply sends an email to the address specified in the WHOIS entry; alternatively, the applicant is prompted to modify a DNS entry or upload a specific file to the server in order to prove control of the domain.
The verification process can be fully automated and is therefore not considered secure by many. Some browsers therefore indicate a DV SSL certificate separately in order to signal the weaker security standard compared to other certificates. With this certificate type, you will not receive any other information about the owner of the website.
Organization Validation (OV)
OV SSL certificates, or Organization Validation certificates, are the next level in terms of security for Internet users.
As part of the validation, the certification body requests documents from the website owner, usually after the automated domain validation process has been completed.
The documents required depend on the organization of the applicant, for example, an extract from the commercial register is often requested. In addition, some authentication authorities contact the website operator by telephone.
OV SSL certificates thus offer more security to Internet users, as they are monitored more closely in advance to find out who is behind the website. They also offer the advantage of keeping this information visible to each user in the certificate itself.
Extended Validation (EV)
SSL certificates, offered under the Extended Validation label, offer the highest level of security. With this type of certificate, the domain and the organization are associated; moreover, the applicant himself is checked. It equally checks whether the applicant actually works for the specified organization or company and whether he has the right to apply for such a certificate.
In addition, the certification body must itself be authorized to perform Extended Validation. To be authorized, the certification body must pass a review by the CA/Browser Forum, a voluntary association of certification bodies and browser vendors.
Price: Free or Paid SSL?
In order to select an SSL certificate, the price is obviously an important criterion.
If we take this parameter into account according to the three types of verification, we can establish the following principle: the more extensive the control, the more expensive the certificate. Since 2015, the certification company Let’s Encrypt has been issuing certificates completely free of charge.
In March 2020, Let’s Encrypt had to revoke over three million of its active SSL certificates. The reason was an error in Boulder, the open-source software used by the company, that affected the verification of CAA (Certification Authority Authorization) records. In theory, this error made it possible to create certificates for other domains. The only solution for the people concerned was to have a new certificate generated within 24 hours in order to restore the encryption of their project.
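CAA records, which the Let’s Encrypt incident above concerns, let a domain owner state which certificate authorities may issue for that domain. The following is an added example, not code from the article or from Boulder: a minimal CAA authorization check over a constructed record set that follows the lookup rules of RFC 8659 (the closest ancestor with CAA records decides, and `issuewild` takes precedence for wildcard requests); `ca.example` is a hypothetical CA identifier.

```python
# Added example: minimal CAA authorization check (RFC 8659 lookup rules).
# The "zone" below is a constructed dict standing in for DNS lookups;
# each record is (flags, tag, value). "ca.example" is a hypothetical CA.
CAA_ZONE = {
    "example.com": [(0, "issue", "ca.example"), (0, "issuewild", ";")],
    "sub.other.example": [(0, "issue", "letsencrypt.org")],
}


def relevant_caa_rrset(name):
    """Climb from `name` toward the root and return the first CAA RRset
    found: the records of the closest ancestor (or the name itself) apply."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CAA_ZONE:
            return CAA_ZONE[candidate]
    return []


def ca_may_issue(ca_domain, hostname):
    """Decide whether `ca_domain` is permitted to issue for `hostname`.
    A leading '*.' marks a wildcard request, which consults issuewild first."""
    wildcard = hostname.startswith("*.")
    name = hostname[2:] if wildcard else hostname
    rrset = relevant_caa_rrset(name)
    if not rrset:
        return True  # no CAA anywhere up the tree: CAA imposes no restriction
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    # For wildcard requests, issuewild (when present) replaces issue.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # CAA present, but no property of the applicable kind
    # A value is "<issuer-domain>[; parameters]"; a bare ";" names no issuer,
    # which forbids issuance by everyone.
    allowed = {v.split(";")[0].strip().lower() for v in applicable}
    allowed.discard("")
    return ca_domain.lower() in allowed
```

A CA must run this check for every name in a request at issuance time; the revocation described above was the consequence of that check not being applied correctly.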
Difference Between Paid and Free Certificates
If it’s just a matter of securing a website so that it can be accessed via HTTPS rather than ordinary HTTP, the free version is more than enough. Both solutions implement the SSL or TLS transfer protocol, making secure data transfer mandatory for clients and servers.
However, there are crucial differences between free and paid certificates:
- The level of validation: when a free certificate is issued, the verification of the operator of the website is not very thorough and is generally limited to the validation of the domain. Certificates with a higher level of verification are always subject to a fee.
- Validity: most paid certificates are valid for one or two years, while free certificates expire after 90 days at the latest. If you rely on free SSL/TLS, then you have to change the certificate much more often.
- Domain affiliation: a free SSL certificate can always be generated exclusively for a single domain, to which it is then linked. Paid SSL/TLS solutions also allow the use of cross-domain certificates for multiple websites.
The advantages of paid SSL certificates
Paid SSL certificates offer several advantages over free alternatives. They are valid for longer and, depending on the provider and the package chosen, they can also be used for several domains. This not only increases flexibility but also requires less effort from the website operator. In the event of a problem, providers or certificate authorities offer personalized assistance by default, a luxury that users of free SSL certificates must do without.
Paid SSL certificates also have another major advantage: the indication of active HTTPS and the name of the company itself can indeed be indicated in the browser, provided that the appropriate provider and package have been selected.
What is the right price model?
A paid EV-certified SSL certificate is probably the ideal encryption solution for your web project. However, this type of certification can only be obtained by large companies, which in this case are also the target group. Nevertheless, cheaper certificates are in principle sufficient for typical SME websites, provided that no highly sensitive data is transferred, as is the case with online banks.
For small websites, in which data transfer plays only a minor role, free SSL certificates are a good alternative.
The scope
When requesting an SSL certificate, you should pay attention to its scope, including whether, for example, subdomains fall under the certificate.
Single-Name
A basic certification is only valid for one domain. This means that www.example.com and all subpages of this site are covered by the SSL certificate, but not the subdomains. If these should also be covered, you must either request another certificate or purchase a Wildcard certificate.
Wildcard
This certificate is so named because it works with a joker (wildcard). Instead of covering just www.example.com, for example, these SSL certificates also apply to all subdomains, i.e. also to mail.example.com or blog.example.com. It is issued in the form *.example.com; the asterisk symbolizes the wildcard.
Multi-Domain
Multi-domain certificates (also called SAN certificates) extend well beyond the scope of single-name certificates or Wildcard certificates. Many certification bodies offer their clients certificates covering up to 100 domains. For example, with only one certificate, requesters can cover both www.example.com and www.example.org. This is possible through the Subject Alternative Name extension: an additional field in the certificate that lists all other domains.
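The three scopes above differ in how the browser matches the hostname it connected to against the names in the certificate. As an added example (not code from the article), the function below applies the matching rules of RFC 6125 / RFC 2818 to constructed Subject Alternative Name lists for each scope, and shows the caveat that a wildcard covers exactly one label: *.example.com matches mail.example.com but neither example.com itself nor a.b.example.com.

```python
# Added example: hostname-to-certificate name matching for the three scopes.
# The SAN lists below are constructed, not taken from real certificates.

def _wildcard_matches(pattern, hostname):
    """'*' is accepted only as the entire left-most label and matches exactly
    one label (RFC 6125 section 6.4.3). Patterns like w*.example.com or *.com
    are rejected."""
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert_names, hostname):
    """Return True if any dNSName entry in `cert_names` (the certificate's
    Subject Alternative Name list) covers `hostname`. Comparison is
    case-insensitive and ignores a trailing dot."""
    hostname = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            if _wildcard_matches(name, hostname):
                return True
        elif name == hostname:
            return True
    return False


# Constructed SAN lists for the scopes described in the article.
SINGLE_NAME = ["www.example.com"]
# The bare domain is not covered by the wildcard, so it is listed separately.
WILDCARD = ["*.example.com", "example.com"]
MULTI_DOMAIN = ["www.example.com", "www.example.org", "shop.example.net"]
```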
How to recognize an SSL certificate?
If you’re using a current browser, you can easily tell whether you’re browsing a website secured with SSL/TLS: just take a look at the address bar! Two things indicate encryption: first, a padlock symbol, and second, the address must start with https:// instead of http://. The extra S has been added to the Hypertext Transfer Protocol: an additional layer of encryption sits in the TCP/IP protocol stack between TCP and HTTP.
The padlock (usually green in color) is first and foremost an obvious signal emitted by your browser to indicate that the website you are visiting does indeed have a valid certificate. Also, and this is what many users misunderstand, there is a button that leads you to further information about website security. Click it to open a pop-up window with information about the certificate issuer, the encryption used, and the validity period.
If the website you are on does not have a valid SSL certificate, you will not see a green padlock or https:// in the address bar. Additionally, some browsers warn users of these websites when they attempt to transmit passwords or other sensitive data to the server. The program then warns them that the data could be intercepted by strangers.
Remark
If a website does not have an SSL certificate, it is not necessarily a fraudulent website. However, the risk of malicious third parties stealing your important data is higher on these sites than on sites with SSL certificates. HTTPS is therefore almost essential, especially for the transmission of sensitive data.