In the spirit of making the digital world a safer place, all websites are required to install a trusted SSL of face the consequences of search engine de-ranking and user warning about your unsecured website. This blog aims to look at the basics of SSL, how they work and why we use them.
What is an SSL?
SSL digital security has become a normalised product on most websites and applications. SSL or Secure Socket Layer encrypts a session (link) between a user and the server/website.
SSL certificates have a key pair: a public and a private key. These keys work together to establish an encrypted connection. The certificate also contains what is called the “subject,” which is the identity of the certificate/website owner. Once a connection is established, aka, a Secure Handshake, a third key called the session key takes over and secures the data being transmitted to and from the website and server.
Normally when a website sends or receives information it is in plain text. SSL encryption stop third parties from spying on a session and possibly stealing valuable information or data.
If you don’t have the certificate, a secure connection cannot be established, that means, your company information will not be digitally connected to a cryptographic key.
How to get an SSL?
The first step is to create what is called a Certificate Signing Request (CSR) on your server. Each type of server has a specific set of instructions that can be found here. By creating a CSR you have produced a private key and public key on your server. Your sever will allow you to download what is called a CSR data file that you send to the SSL provider (commonly known as a Certificate Authority or CA). The CSR only contains the public key that is used to create a data structure to match your private key.
When you get An SSL
Once you receive the certificate from the Certified Authority, you install it on your server. You actually install three certificates, the root certificate, the intermediate certificate and the server certificate. Each server has their own SSL installation guide.
Can anyone create an SSL?
Yes, anyone can create an SSL, but the critical element of SSL is trust. Therefore, browsers only trust certificates that come from a list of trusted CAs, known as the Trusted Root CA store. All Certificate Authorities must comply with rigorous security and authentication standards and are regularly audited by the browsers to ensure compliance. If you use an SSL not on the Trusted Root CA store, most browser will not recognise it.
Why does every website need an SSL?
Starting in July 2018 Google launched the change in Chrome that any websites that were considered unsecured, or do not have a trusted SSL installed, would be served with “Not secure” warning in the browser’s address bar by default. In addition, a landing page would warn users of the insecure session before allowing them to proceed.
In addition, Google also announced that they would penalise any website in search rankings that has not installed a trusted SSL. This is a good move for internet security and has forced many businesses to secure their websites and protect their customers data; however, if you launch a website without a certificate it could have serious consequences.
There are many different types of certificates:
Domain Validated (DV) SSL
This is where the CA validates the Certificate by cross referencing the organisations details with what is listed on the domain names whois. This means that SSLs can quickly be deployed without long and extensive check and reviews. While convenient, the DV are what are often used in fraudulent websites as there is no organisational check that the company applying for the SSL exists or is in fact the company listed in the certificate.
Organisation Validated (OV) SSL
OVs SSLs are for website that are used for everyday use and where high level of trust is not required. The CA will check its databases to ensure that the company listed in the application is correct and will require a company email to authenticate the application. OV SSLs are best for website and applications that don’t exchange sensitive data or information, but still want to establish credibility and trust with users.
Extended Validation (EV) SSL: An EV is not about a high encryption grade, rather the validation process the CA undertakes to confirm the company behind the SSL application. An EV is an extended validation process that include a whois check, a business registry check, an email authentication (or phone call) and an organisational authentication. The EV comes with a green bar or lock that assures consumers that the website is authentic and safe.
The EV is used where sensitive and/or financial information is exchanged online and consumers need a higher guarantee of protection.
Unified Communications Certificates (UCC)
Unified Communications Certificates (UCC) are also considered Multi-domain SSL certificates and were initially designed to secure Microsoft Exchange and Live Communications servers. Today, any website owner can use these certificates to allow multiple domain names to get secured on a single certificate. UCC Certificates are organizationally validated and display a padlock on a browser.
Wildcard SSL Certificates
Wildcard SSL certificates can secure a domain name and an unlimited number of subdomains. Wildcards are general to the go to these days and come with an asterisk * as part of the common name, which represents any valid subdomain that has the same base domain.
How can brandsec help?
brandsec have years assisting brands accross Australia obtain and install their digital certificates. We also provide SSLs at no extra cost of the CA and provide a renewal service to ensure they do not expire. Find out more about our SSL services here.
Brandsec is a corporate domain name management and brand protection company that look after many of Australia, New Zealand and Asia’s top publicly listed brands. We provide monitoring and enforcement services, DNS, SSL Management, domain name brokerage and dispute management and brand security consultation services.