What is an SSL Certificate?

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are security protocols that enable secure communications between two machines. An SSL certificate is a small data file that leverages these protocols to serve two functions:

1. Authentication – SSL certificates serve as credentials to authenticate the legitimacy of a website. Certificates are issued to a specific domain and web server after a Certificate Authority performs a strict vetting process on the organization requesting the certificate. Once issued, the certificate provides information about the identity of a business or website and assures visitors that the website they are on belongs to a legitimate business and that any information submitted will be secured.

2. Secure data communication - When SSL is installed on a web server, it enables the padlock to appear in the web browser and activates the HTTPS protocol to secure the connection between the web server and a browser. It does this by using encryption algorithms to scramble the data in transit into an undecipherable format that can only be read with the proper decryption key.

SSL and TLS are both cryptographic protocols used to create an encrypted connection and establish trust. TLS is an updated version of SSL that provides advanced encryption options including Elliptic Curve Cryptography (ECC), Rivest-Shamir-Adleman (RSA) or Digital Signature Algorithm (DSA). When purchasing certificate solutions from Comodo, customers receive the most up-to-date TLS encryption even though they are more widely referred to as SSL.

Web browsers only show the secure indicators for SSL certificates signed by a trusted CA, like Comodo. To become a trusted CA, a company must comply with and perform regular audits for the security and authentication process standards established by the leading browsers. When a trusted CA issues a certificate to an organization, the browser will recognize the certificate as legitimate. The browser lets the user know that the website is secure, and the user can feel safe browsing the site and even entering their confidential information.

Types of SSL certificates

There are many different types of certificate options available, all with their own unique use cases and value propositions. The level of authentication assured by the CA is a significant differentiator between the types. There are three recognized categories of SSL authentication available: Extended Validation (EV), Organization Validation (OV), and Domain Validation (DV).

Domain Validation SSL certificates

DV certificates provide the quickest, easiest and most cost-effective way to receive industry-standard encryption. DV certificates require proof of ownership for the domain being secured and can be issued in minutes. Once installed, DV certificates show trust indicators in browsers, like the padlock icon, and enable HTTPS. Because the legitimacy of the organization is not vetted, DV certificates are only ideal for internal sites, test servers, and test domains.

  • Validates control of a domain
  • Enables HTTPS and the padlock icon in browsers
  • Issued in minutes

Organization Validation SSL certificates

OV certificates are a step up from DV. To receive an OV certificate, organizations must prove they own the domain they wish to secure and prove that they are a legally registered business. OV certificates also provide a dynamic site seal which displays the validated company information to a site visitor, along with HTTPS and the padlock icon. These certificates can only be issued to a registered organization and not to individuals, making them more suitable for public-facing websites.

  • Validates control of the domain
  • Enables HTTPS and the padlock image
  • Authenticates the legitimacy of an organization adding an additional level of trust
  • Shows the organization's details in the certificate information and in the dynamic seal
  • Issued in 1-3 days

Extended Validation SSL certificates

EV certificates provide the highest level of trust and are the industry standard for business websites. In addition to the trust indicators provided by DV and OV certificates, EV certificates activate the green address bar in web browsers, the most recognized symbol of website security and consumer trust. When a website is enabled with the green bar, it is instantly recognized as a legitimate site that is safe for submitting confidential data, such as credit card or customer login details. To receive an EV certificate, customers must complete the same level of authentication as for an OV certificate but also go through a stricter vetting process performed by a human specialist. Because of the additional validation requirements, EV certificates typically take 1-5 days to be issued; however, by opting for a higher-value EV certificate, more organizations are benefiting from a trusted website that leads to consumer confidence and more online conversions.

  • Validates control of the domain
  • Enables HTTPS and the padlock image
  • Authenticates the legitimacy of an organization adding an additional level of trust
  • Verifies the applicant has the right to request an EV certificate and is in good standing with the organization.
  • Shows the organization's details in the certificate information and in the dynamic seal
  • Activates the green bar
  • Issued in 1-5 days

The level of authentication performed by the CA determines the class of SSL certificate along with the security indicators that show in the browsers. Because websites have multiple layers of pages, domains, and subdomains, there are additional certificate types designed for today’s modern websites that combine an authentication type with a feature set to secure unique web environments.
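
How the three validation levels above show up in a certificate's subject, as an added Python example (not Comodo's code): DV subjects carry no organization, OV subjects add one, and EV subjects also carry the registration attributes required by the CA/Browser Forum EV Guidelines. The sample subjects and organization names are constructed, in the layout returned by Python's ssl.SSLSocket.getpeercert(), and the classification is a heuristic over those fields.

```python
# Subject attributes that the CA/Browser Forum EV Guidelines require in an EV
# certificate, spelled the way Python's ssl module names them.
EV_ATTRS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

# Constructed subjects (hypothetical organizations), in getpeercert() layout:
# a tuple of RDNs, each RDN a tuple of (attribute, value) pairs.
SAMPLES = {
    "blog": {"subject": ((("commonName", "blog.example.org"),),)},
    "portal": {"subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Widgets LLC"),),
        (("commonName", "portal.example.com"),),
    )},
    "bank": {"subject": (
        (("jurisdictionCountryName", "US"),),
        (("businessCategory", "Private Organization"),),
        (("serialNumber", "0000000"),),
        (("countryName", "US"),),
        (("organizationName", "Example Bank Inc."),),
        (("commonName", "www.bank.example"),),
    )},
}


def subject_fields(cert):
    """Flatten the nested RDN tuples into one attribute -> value dict."""
    return {attr: value for rdn in cert.get("subject", ()) for attr, value in rdn}


def validation_level(cert):
    """Return (level, organization) inferred from the subject alone."""
    fields = subject_fields(cert)
    org = fields.get("organizationName")
    if org is None:
        return "DV", None          # only control of the domain was validated
    if EV_ATTRS.issubset(fields):
        return "EV", org           # registration details are present
    return "OV", org


if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(name, validation_level(cert))
```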

How do SSL certificates work?

SSL certificates use cryptography which relies on two types of keys for authenticating and securing data: a Public Key and a Private Key. The public key is used to encrypt information and the private key is used to decipher it. SSL works by making the public key available through the publicly available website while the private key remains secured on the web server, so that any data submitted from the website where the public key is located can only be deciphered by the owner of the website, resulting in a secure 1:1 communication.

When a person visits a website with an SSL certificate a “handshake” occurs to create the secure channel between the user and the organization and protect any data submitted on the website from being compromised. Here’s how the handshake process works in real-time:

1. A person visits a website secured with an SSL certificate on a web browser.

2. The browser sends a request to the web server to identify itself.

3. The server sends back a copy of its SSL certificate including type, validity period, and organizational details.

4. The browser checks whether it trusts the SSL certificate and sends an approval back to the server. If an SSL certificate is not installed, not up-to-date with the proper security protocols, or not a brand trusted by the browser, the user will see a warning message in the address bar of the browser.

5. The server sends back a digitally signed acknowledgement to start an SSL encrypted session.

6. Any data shared between the browser and the server is now secure. If a hacker intercepts the communication, it will be encrypted with a cryptographic code that cannot be decrypted.

Comodo certificates offer ECC, RSA and DSA encryption algorithms that provide encryption options with a base standard of 2048 bit encryption, providing customers with options for secure and scalable solutions. Comodo SSL certificates most commonly use RSA keys unless configured for ECC or DSA.

and the recommended size of these keys keeps increasing (e.g., from 1024 bit to 2048 bit a few years ago) to maintain sufficient cryptographic strength. An alternative to RSA is ECC. Both key types share the same important property of being asymmetric algorithms (one key for encrypting and one key for decrypting). However, ECC can offer the same level of cryptographic strength at much smaller key sizes - offering improved security with reduced computational requirements. Let's look at what ECC is and why you may want to consider using it.

Elliptic Curve Cryptography (ECC)

Creates encryption keys based on the idea of using points on a curve to define the public/private key pair. It is extremely difficult to break using the brute force methods often employed by hackers and offers a faster solution with less computing power than pure RSA chain encryption.

Use cases for SSL certificates

Millions of websites use SSL to secure credit card transactions, data transfer, login pages, and secure browsing on all websites including blogs and social media sites. Enabling HTTPS on all websites not only provides consumer trust that the website is legitimate and is safe to browse or transact on but it has now been mandated by the leading browsers such as Google Chrome. Websites without an SSL certificate display a ‘Not Secure’ warning in the address bar.

The growth of global websites, mobile, and internet connected devices has also expanded the use of SSL well beyond just ecommerce. Anyone who needs to securely share data between devices over the internet requires an SSL certificate. Here are the most common uses:

  • Securing online credit card transactions.
  • Securing web forms and customer logins.
  • Securing email and webmail applications.
  • Securing corporate communications through intranets, file sharing, extranets, internal servers.
  • Securing cloud based platforms and virtualized applications.
  • Securing file transfers over ftp.
  • Securing data transfer to and from mobile devices.

How can I tell if a site has an SSL connection?

If a website URL starts with HTTPS:// and there is a padlock in the address bar, then the website is using a secure TLS/SSL connection.

Why is SSL important?

The primary importance of installing an SSL certificate is to initiate a secure session between a web server and a browser. Once a secure connection is established, all information passed between the web server and the visitor will be kept private and encrypted.

Other SSL advantages:

  • Improves customer’s trust. The little padlock assures customers that their information will not be compromised. The data will be sent to the intended target servers, and it will not be redirected to unauthorized third parties. Before getting your certificate, the CA will verify your authenticity as it only distributes SSL certificates to genuine companies and businesses.
  • Protects information against phishing attacks. Phishing sites are fraudulent copies of famous websites whose purpose is to trick you into submitting valuable information like your credit card or social security numbers. Phishing sites often have the same look and feel as the original site, but the website address is different and it is usually not secured with an SSL certificate. PayPal.com, for example, is a popular target for these fake, copy-cat phishing sites. Extended validation certificates protect you against phishing attacks by showing the full business name of the website owner in the address bar. Phishing site operators cannot obtain an EV certificate due to the extensive validation requirements.
  • Better search engine rankings. HTTPS is now considered as a ranking signal by one of the biggest search engines in the world, Google. If you’re doing optimization, you should consider getting an SSL certificate to help boost your rankings, especially for ecommerce sites.

How does SSL work?

The following is a step-by-step outline of the SSL connection process:

  • A user requests a web address beginning with https:// using their internet browser. The browser requests that the server identifies itself.
  • The server replies by sending a copy of its SSL certificate, which includes its public key.
  • The browser checks the certificate root to find out whether it belongs to a trusted CA. It also checks if the SSL certificate is unexpired and unrevoked. Moreover, it checks if its common name is valid for the website itself.
  • Once the browser confirms that it can trust the website, it creates, encrypts, and sends back a symmetric session key using the server’s public key.
  • Now, the server decrypts the symmetric session key using its private key.
  • In return, the server sends back an acknowledgment encrypted with the session key to start the encrypted session.
  • Now, all data transmitted between the server and the browser is encrypted.

Who issues SSL certificates?

SSL Certificates are issued by a Certificate Authority (CA), along with other digital certificates. They confirm the identity and ownership of the business or company applying for the certificate. These issued certificates are chained to a trusted root certificate owned by your chosen CA. Trusted root certificates are embedded in a “certificate store” in popular web browsers such as Firefox, Chrome, Internet Explorer, and Safari.

Whenever you visit a website which uses an SSL certificate, your browser checks that the certificate is signed by one of the trusted roots in its store. If it isn't, it will warn you that the connection is not secure. Everybody else who visits your site will also see an error message. This is why we recommend purchasing an SSL certificate only from a trusted CA.

How do I implement SSL on my site?

Setting up SSL on your website is easy! In general, these are the 3 simple steps for installing your new SSL certificate.

  • Purchase a certificate issued by a trusted CA

    Trusted Certificates can be bought from your web-host or direct from a trusted CA. Certificates from a trusted CA will be recognized by all popular internet browsers used by your visitors (Chrome, Firefox, Internet Explorer, Safari etc).

  • Activate and install the certificate

    If you bought your certificate from your web-host then they can do this step for you. If you are managing the site yourself then the two steps you need to complete are to generate a certificate signing request (CSR) and then to install your certificate. We have a range of documents to help complete both tasks on different web server software in our knowledge base.

  • Convert your whole site to HTTPS

    After installing your certificate on your target pages, why not modify your site so that all content is served securely? The internet is fast moving towards a default HTTPS for every page, and Google is even giving websites better search ranking if a page is served over HTTPS.