What Is SSL, How Does It Work, and How to Get One
“The world’s most valuable resource is no longer oil, but data”.
People used to doubt that headline just a few years ago. We communicate, we buy and sell, we subscribe, we make our living through the internet. We live another full-fledged life online – which creates the need for protection of our digital identities.
In real life, that need for security takes the form of keys, ID cards, and hand signatures.
Online, we have something called SSL – Secure Sockets Layer.
The web hosting industry touts the SSL certificate as a reliable, affordable and a necessity to gain the customer’s trust. The degree to which your website is trustworthy and secure greatly affects business growth.
There’s a variety of SSL offerings today, depending on how you’re using your website, the type of data you operate with, your budget, and so on. The use of SSL certificates is now commonplace. You will find the solution listed among the key criteria when researching the market and deciding on a hosting provider.
The use of SSL/TLS certificates has increased with over 20% since 2016. By May 2019, only 88.4% of websites use one. The growing demand for reliable and secure connection between a website and a customer’s web browser is expected to exceed the estimated numbers for the period 2019 to 2028.
What Is SSL
Secure Sockets Layer or SSL is one of the widely used cryptographic protocols that allows authentication, encryption, and decryption of data sent over the internet. It’s designed to secure the communication between web browsers and web servers – or between mail servers over the public network.
One “SSL session” normally consists of two algorithms – one for encrypting the transmitted data called “public key” and another for decrypting it – a “private key”. This cryptographic method is also known as asymmetric cryptography, where a pair of keys are needed to 1) authenticate and encrypt the information and 2) to allow decrypting it by the holder of the private key.
The most commonly used asymmetric algorithms are RSA and Elliptic Curve Cryptography (ECC).
With the RSA (Rivest–Shamir–Adleman) algorithm, a public key is generated to encrypt the information. That key can be distributed to everyone; however, the information can only be decrypted using the corresponding private key.
The rule states, the longer the length of the algorithm, the stronger the encryption. The downside here is it would influence the performance on the client’s end.
Although it is a relatively slow algorithm, RSA is widely used for secure data transmission. The algorithm itself is of great use for message encryption and digital signatures as it ensures the message authenticity. Web browsers, VPNs, and various other tools use the RSA algorithm to create a secure channel.
ECC is the next generation approach which requires smaller keys to provide the same level of security, compared to other non-EC cryptography methods. It is a powerful type of cryptography which ensures highest level of security, while keeping the performance intact – because of its short and fast keys.
This algorithm is applicable for key management, encryption, digital signatures, and pseudo-random generators, among others. Bitcoin also uses the ECC to prove ownership. The algorithm also provides signatures in the Apple’s iMessage service. Governments and institutions use ECC to ensure anonymity and secure internal communications.
Overall, it is a pretty big deal.
How SSL Came to Be
Historically, the SSL protocol’s very first version SSL 1.0 never reached release because of numerous security deficiencies. The next iteration SSL 2.0 appeared in 1995. Although improved, it also had several security flaws in the protocol. It was widely used until it was finally deprecated in 2011.
The next version came a year later, in 1996. It was a complete redesign of the protocol. SSL 3.0 was found vulnerable in 2014 and it was deprecated in 2015, which effectively marked the end of the SSL generation.
Surprised? I know I was when it happened.
The next generation cryptographic protocol is called TLS (transport layer security). Its newest version TLS 1.3 was released in 2018 and it provides significant improvements in terms of security and performance.
What Is SSL Certificate
After the mathematical algorithm in the core of the SSL protocol, let’s look from a more practical perspective.
When we’re using the public network, we need to ensure that the data we exchange is transmitted securely.
The SSL certificate is a piece of code, a digital file generated by specific SSL-issuing authorities. The certificate itself has two distinct functions: to authenticate and verify that the identity of a person or a business is indeed what it claims to be; and to ensure that data is encrypted and therefore secured while transmitting it over the public network.
The trusted SSL certificate authorities (CA) follow strict rules when issuing a certificate. Some of the most popular and trustworthy CAs according to a W3Techs survey from May 2018 are: Identrust, Comodo, DigiCert, GoDaddy, GlobalSign, Let’s Encrypt.
When you buy an SSL certificate from a trusted authority, you actually get a whole chain of certificates. The enhanced security you receive is courtesy of several different layers of certificates, all embedded in a single product.
Each certificate has a Certificate Signing Request (CSR). It is generated by the web hosting provider and it contains encrypted information about the name of the owner or organization, domain name, country, address, email, etc. The CSR also contains the public key of the website, while the private key is generated at the time of the CSR request.
The trusted certificate authority will then use the CSR to issue your certificate.
SSL Certificate Structure
Root certificates are at the top of the chain. They are issued by the CA and are build into the web browsers.
Intermediate certificates are issued by the root certificate CA. They issue the end user certificate or server certificate which gets installed on your hosting server.
To get the maximum level of security, which this chain of certificates provides, you need to properly install the intermediate and SSL certificates on your web server.
There’s a variety of certificates types available on the market. The most widely used today are Domain Validated (DV SSL), Organization Validated (OV SSL), and Extended Validation (EV SSL).
DV SSL is a basic level of certificate. It can only confirm that you are the owner of the domain name you wish to protect with an SSL. You only get it if you can provide proof of ownership, of course.
OV SSL requires not only proof of ownership of your domain name, but also some verification to confirm the existence of your business and your authority to apply for a certificate.
EV SSL is the highest standard in the SSL industry. The CAs follow strictly defined verification procedure before issuing one. They need to verify that you have exclusivity over the right to use your domain name, then conduct an audit of your entity, and confirm the validity of your business.
To ensure the highest level of security, most of the widely used web browsers use the latter EV certificates. Depending on the browser, you will figure out that a website uses the enhanced security certificate by the address bar turning green and displaying the name of the holder and the issuing CA.
Keep in mind that all SSL certificates provide exactly the same level of protection the OV and EV certificates serve as identity proof as well.
Regardless of their type, all SSL certificates have an expiry date.
What’s an Invalid Certificate?
You can be alarmed about the validity of your website’s SSL certificate in many ways – a security warning pop-up in the address bar or a specific error message when browsing the domain name.
There are quite a few possible reasons for that. So, what do you do in the case of an alert?
Check out the following cases:
1. The SSL certificate has expired.
Click on the padlock icon in the address bar and find the information referring to the expiration date. In case it has expired, you either need to renew with the current vendor or consider another one.
2. The SSL certificate has been issued for the wrong domain name.
Be very careful when ordering SSL certificates.
Whenever you apply for an SSL certificate, make sure to specify the domain name for which you need the certificate. Mispellings would result in having cryptographic protection for the wrong domain name.
It’s always better to indicate that the certificate should be generated for “www.yourdomainname” instead of simply “yourdomainname”. Many vendors such as Comodo SSL will secure both with a single certificate but not all issuing authorities do that.
In case you get a certicficate for “yourdomainname” but want to run it on “www.yourdomainname” there are some workarounds. Redirecting your website using an .htaccess file. For this, you’ll need to ask your web developer for assistance so that visitors browsing your website with and without the ‘www’ prefix are both establishing a secure connection to your website.
3. There may be issues with the certificate chain.
The intermediate certificate was not properly installed on the web server or it has expired. In such cases, it is best to refer to your web hosting provider to verify the installation has been done correctly.
Often, web hosts have dedicated SSL specialists, who are not part of the technical support team. That’s why such checks often take a bit longer than anticipated.
4. The certificate was revoked by the CA.
Finding that the issuing authority has put your certificate on their certificate revocation list (CRA) before the actual expiration date is a rather unpleasant experience. There may be various reasons to do so: improperly issued certificate, compromised private key, failure to comply with policy requirements, etc.
Revoking of your certificate will remove the secure connection to your website. It will display some error message, or it will become inaccessible. The revocation process is irreversible.
How SSL works and How It Creates a Secure Connection
When using the SSL protocol, the web server needs an SSL certificate to establish SSL connection. In other words, when you visit a website using a secure connection, your browser initiates a SSL handshake to the hosting server.
During this process, the client (browser) requests information about the website’s certificate from the server. In the case of a valid certificate, you will see the familiar green padlock icon in the address bar. Hosting Tribunal has one too.
This means a secure connection has been successfully established.
Why You Need SSL/HTTPS?
The use of SSL today is a genuine necessity.
An SSL connection ensures the transmitted data is authentic, integral, and safe from interception.
By using this encryption technology, you do more than just protect the sensitive data of your customers. You encourage your visitors to trust you with that information. (Which they need to give you in order to buy from you or subscribe to services.)
According to statistics from SSL Pulse, over 67% of the websites are secure in May 2019.
One important thing to remember is that the SSL HTTPS is also listed as a ranking factor. It has a small impact in terms of getting your web page to the top but every little bit counts.
Furthermore, Google Chrome marks websites using HTTP as insecure by displaying a message in the address bar. Now it’s not just about SEO – it’s also about your reputation as a serious business..
What Are the Most Common Attacks That SSL Can Save You From?
While SSL/TLS encryption is becoming the de facto standard for ensuring a safe connection over the internet, the malicious practices flourish as well.
Ther target is sensitive data, confidential communication, one’s reputation, unfair competition, intellectual property, and so on. According to statistics, the average cost of data breaches is expected to exceed $150 million by 2020.
Attacks against SSL could be related to interception, eavesdropping, malware, and others.
The Man in the Middle (MITM) attack is one of the most common cyber-attacks today. By looking for weak points in the network or getting access to SSL keys, attackers can monitor and listen to the communication between two parties.
Attackers can also steal a root key and issue their own certificates signed from the compromised CA. If you fail to validate your certificate from a trusted CA, you are at risk of such exploits.
A more sophisticated cyber-attack is the Advanced Persistent Threat (APT). It uses malware to steal SSL keys and certificates.
To prevent such attacks, make sure which systems use SSL, install new keys and certificates, validate them, revoke all affected and vulnerable certificates in the certificate chain.
Expiration of your certificate will also pose a threat of exploit of your data, so be sure to renew it on time. It will not only keep the trust of your customers, but it will also keep the malicious attempts at bay.
How to Get an SSL for Your Website?
You can get a free or paid SSL certificate from a certificate authority or you can generate your own. Depending on the type of hosting environment – whether you host your website on a shared, dedicated, VPS hosting server or you use your own server, the installation process varies.
Your web hosting provider should give you thorough instructions and will support you during the process. Some of them have even automated the process, so you can get it done in just a few clicks.
If you are hosting your domain yourself, the way to go about it is to buy the certificate from a trusted authority and install it yourself. Installing an SSL certificate on a web server requires that you first download the certificate files locally and configure your server to use it.
You will even find SSL installation diagnostics tools available online, which will help you verify the installation process was successful.
To verify that a connection to a website is secure, you need to look for an icon (a padlock) in the address bar. Depending on the type of certificate you use, the name of the CA will also be displayed in green in the address bar.
Furthermore, the data transfer protocol is also a key indicator – if it reads “https”, it means the connection is safe. Most providers will offer you a trusted seal (Comodo SSL) – a visual stamp identifying the CA that you can display somewhere on your web page. It speaks for security awareness and builds trust.
How Much Does SSL Cost?
The cost of your SSL certificate depends on many factors. The main differences come from the following:
- The type of verification you seek (domain, organization, extended)
- The features you would like to get (a green lock, a trust seal, display of the CA in the address bar, 24/7 support)
- The number of websites and sub-domains you would like to secure with one certificate
The cost for a standard SSL certificate for a single domain name can vary greatly. Such offerings start at around $50-70 (GoDaddy, Comodo SSL) to $399 (Symantec) per year. You will pay less if you decide to renew several yearly subscriptions ahead or to get a package deal of some sort.
Of course, there is also the free option, where you get a so-called “self-signed” certificate. It gives you the very same encryption you would obtain with a paid one. The downside of it is that since it’s not recognized by a CA, browsers will not trust your page and security alerts will be popping up, making it hard to create that special bond with your website visitors.
Possibly the best option for those who want encryption and nothing else is Let’s Encrypt.
What Is the Difference Between SSL and TLS (SSL vs TLS)?
Basically, Secure Socket Layer (SSL) is the predecessor of Transport Layer Security (TLS). TLS addresses the current vulnerabilities and provides more secure encryption. It’s better to think of TLS as an improvement of the SSL cryptographic protocol instead of trying to figure out pros and cons of SSL vs TLS and which one is better.
Things to Do Before Buying an SSL
Do your homework: educate yourself, research the market and make an informed decision. You can compare different offerings using the following criteria:
- Check the type of encryption offered
- Verify that your SSL is compatible across different browsers; another reason for you to choose a certificate from a trusted authority such as Symantec, GeoTrust, Thawte, RapidSSL, Globalsign, Comodo is that 99%+ of desktop and mobile browsers are compatible
- How quickly the certificate will be issued
- Free SSL management tool
- 24/7 support
- Option to reissue the certificate for free
- Money back guarantee
- Trust seal availability
Alright, now you know what SSL is and why you need it. Selling certain kinds of stolen data (such as customer credit card details) can be extremely profitable these days. Your customers know that and they won’t give their data to you unless you can prove you can protect it.
That’s what a decent SSL certificate does for you. Very rarely can you buy trust, but an SSL certificate comes close.
If you own a website (and especially if you’re doing business on it), find a legitimate provider and get yourself a certificate. It’s one of the easiest wins for your business.
That was it for today! See you next time!