As more and more people transact online, cyber-crime increases by the day. At the moment, it is estimated that cyber-crimes are responsible for the loss of up to $450 billion every year. As such, any business that has an online presence must take steps to ensure the privacy and security of its customers’ data as they transact online.
SSL is a network security protocol that helps ensure the safe transfer of data over the internet. As such, it should be one of the security features your website has in place.
Here’s what you need to know about the SSL certificate.
What is SSL?
Standing for ‘Secure Sockets Layer,’ the SSL protocol was originally designed by Netscape. It refers to the process of encrypting the data that is passed between a user and a server so that a third party cannot hijack the connection and decipher the information.
As such, an SSL certificate could be thought of as a digital passport that verifies the credentials of the parties between which the data is being sent. If both parties are able to prove their identities, SSL allows a secured connection through HTTPS.
This process is enabled by a certificate. The key aspects of an SSL certificate include:
· The owner’s name
· Serial number of the certificate used for identification
· The expiration date of the certificate
· The certificate’s public key that is used to encrypt information
· The certificate’s private key that is used for decrypting the information
The Benefits of SSL
Using SSL encryption gives you two primary benefits:
· Through heavy encryption, it secures any data that passes between your computer and a website server.
· It verifies that the website has a security certificate that is both authenticated and updated.
The importance of data security cannot be overstated, especially for sites that collect sensitive information such as bank or credit card information as well as usernames and passwords. Any website that collects such data must have SSL encryption. Failure to do so predisposes the website to hack attacks where data can be intercepted and stolen en route.
In addition to having an SSL certificate, verification of its authenticity is equally important. There are a number of companies which provide SSL certification. Nevertheless, certification and verification do not always come cheap and easy. A site that is applying for high-assurance SSL certification needs to provide:
By the time this process is complete, the website owner usually has incurred significant costs. This is why websites that are used for cybercrime do not have highly secure SSL certificates. It would be incredibly difficult for them to pass the inspection. Additionally, the inspection is costly, and those websites are in the business of stealing money, not paying it out.
Companies that inspect the authenticity of a website are known as Certificate Authority companies, and they are highly unlikely to issue a high-assurance SSL certificate to a non-reputable site.
Types of SSL
As mentioned earlier, SSL is a certification of encryption and verification. As such, there are different types of SSL, with each serving a slightly different purpose.
These certificate types are an indication of the level of trustworthiness of a website. Additionally, they require varying levels of validation to obtain. They include:
Domain Validated Certificates
Also known as DV certificates, they are the most affordable type of SSL certificate. As you can imagine, they do not have the most stringent requirements. All the certificate does is check the domain name registry against the certificate. Due to the low level of requirements needed to obtain these certificates, many ‘scam’ websites can get them quite easily. This is because DV certificates do not go through the rigorous background and validation inspections that other certificates need.
It is for that reason that most Certificate Authority companies do not provide DV certificates; they consider them to be too low-security or even unsecured. Nonetheless, a site with a DV certificate will still have the lock symbol that is supposed to be an assurance of safety. This is why you should inspect further to verify the kind of certificate the site has. A website that needs your personal information should have more than a DV certificate.
DV certificates, however, are okay for websites that have limited security concerns, as those kinds of sites do not usually allow for individual user accounts and thus do not collect usernames or passwords.
Organization Validated Certificates
These are SSL certificates that require a more stringent validation process to obtain. As such, they are more expensive than DV certificates. Additionally, and unlike DV certificates, organization validated (OV) certificates meet the ‘Request for Comments’ standards that are set by the Internet Engineering Task Force as well as the Internet Society.
Sites must exchange validation information and a Certificate Authority company might even contact the company directly in order to verify that information.
Upon checking the certificate information, you should be able to see the name of the website as well as who has verified it. However, it will not give you the owner’s information.
An example of a website that uses organization validated certificates is Wikipedia.
Extended Validation Certificate
Also referred to as an EV certificate, it represents the highest level of validation and assurance in SSL certificates. As such, in order to obtain an EV certificate, you will need to go through an extensive process that is both rigorous and costly.
Sites that have an EV certificate are the only ones that get the green bar validation which you can see in their site’s name in your browser. Unfortunately, not all browsers are able to display the EV green bar. It is only available for these browsers:
· Google Chrome
· Internet Explorer 7.0+
· Firefox 3+
· Safari 3.2+
· Opera 9.5+
Thus, even though older web browsers might not be able to display the green bar, it does not mean that it is not present. Users of older browsers will need to check the certificate information in order to verify the validation level.
EV certificates are the most secure and trusted type of SSL certificate. Thus, even though most websites can get by with an OV or DV, you should not trust any website that collects information from you unless it has an OV or EV certificate.
Nevertheless, there are sites which usually direct the user to another website in order to complete a transaction. Sites such as PayPal tend to use external services for their payment system. This way, they do not have to buy their own EV.
Issues with DV and OV Certificates
Even though the vast majority of Certificate Authority companies do not offer Domain Validated certificates, some do. And because DV certificates do not usually require extensive background checks and validation, some ‘scam’ website owners might purchase these certificates in order to give off the illusion of authenticity.
Unfortunately, there is no way of distinguishing between an OV and a DV certificate other than perusing the certificate’s information for details. This is why websites that are keen on maintaining their reputation usually use EV certificates.
To check out the details of a website’s certificate, simply click on the lock symbol and then press ‘More Information.’ There, you will find the ‘View Certificate’ option. Click it to check out the details.
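The manual check described above, and the certificate fields listed under ‘What is SSL?’, can also be scripted; the following is an added example, not part of the original article. It reads the dictionary that Python’s `ssl.SSLSocket.getpeercert()` returns and guesses the validation level from the subject fields. That is a heuristic assumed here (the authoritative marker is the certificate-policy OID, which this dictionary does not expose), and the sample certificates are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Subject attributes found in EV certificates (names as Python's ssl reports them).
EV_ATTRS = {"businessCategory", "jurisdictionCountryName"}

def subject_fields(cert):
    """Flatten the nested subject tuples of a getpeercert() dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def validation_level(cert):
    """Heuristic DV/OV/EV guess based on which subject fields are present."""
    subject = subject_fields(cert)
    if "organizationName" not in subject:
        return "DV"  # only control of the domain was checked
    return "EV" if EV_ATTRS.issubset(subject) else "OV"

def summarize(cert, now=None):
    """Pull out the owner, serial number, expiry and validation level."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    subject = subject_fields(cert)
    return {
        "owner": subject.get("organizationName", subject.get("commonName")),
        "serial": cert.get("serialNumber"),
        "expires": expires.date().isoformat(),
        "expired": expires < now,
        "level": validation_level(cert),
    }

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live server's certificate after normal chain validation."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in getpeercert() form; not real sites or certificates.
_COMMON = {"serialNumber": "0A1B2C3D", "notAfter": "Jun 15 12:00:00 2030 GMT"}
SAMPLE_DV = {**_COMMON, "subject": ((("commonName", "shop.example"),),)}
SAMPLE_OV = {**_COMMON, "subject": (
    (("countryName", "US"),), (("organizationName", "Example Org"),),
    (("commonName", "www.example.org"),))}
SAMPLE_EV = {**_COMMON, "subject": (
    (("businessCategory", "Private Organization"),),
    (("jurisdictionCountryName", "US"),), (("serialNumber", "1234567"),),
    (("organizationName", "Example Corp"),), (("commonName", "pay.example"),))}
```

For a live site, pass the result of `fetch_cert("your.hostname")` to `summarize()`; a failed chain or hostname check raises `ssl.SSLCertVerificationError` before any fields are read.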
How to Tell If a Website Uses SSL
Determining whether a site uses SSL encryption is not that difficult. Upon connecting to a website, the first ‘handshake’ between your browser and the server usually entails a verification process to see whether the website is using SSL encryption. You will be able to see this through:
· The site’s address displays as an HTTPS site
· A lock symbol that sits either to the left or right of the HTTPS.
Moreover, some sites can even have their company’s name appearing with the lock symbol. In fact, websites that have the Extended Validation (EV) SSL certificate usually have their company name displayed next to the address bar.
When SSL is Necessary – and when it isn’t
Is SSL encryption always necessary? If you have been wondering, then the simple answer is no. This encryption is not mandatory for all websites. However, if you come across a site that requires you to fill in any type of personal information, that website should have at least an OV certificate. The encryption ensures that a third party will not be able to intercept and steal data passing between your browser and the site’s server.
Also, the more personal the data being passed between you and the site’s server, the higher the validation and assurance level that site should have.
If you are running a website that collects data or information from users, you must utilize some sort of high-level encryption service. With the average cost of a cyber-attack per organization in the U.S. being around $6.5 million, you cannot afford to be lackluster in your security efforts.
An SSL certificate gives you a high level of security. If you are a consumer, be sure to check out the kind of certificate that a site is using before handing out any personal data. Ideally, you should only transact with sites that have OV or EV certificates.
Got any more questions about SSL certificates? Let us know, and we will be glad to fill you in.