Deep Dive – What are SSL certificates and why do you need one?

28 Mar 2023, by Slade Baylis

Back in 2017, Google decided to make a change to their Chrome browser to display a “Not Secure” message in the URL bar for any website that didn’t have an SSL certificate.  Even prior to this change, Google was rewarding those sites that had SSL certificates by giving them a slight SEO boost, bumping up their website in the Google search results.  This reward could also be seen as a penalty for those who didn’t have an SSL certificate, as without it, one’s site may not even have been visible to new visitors in the first place!

With this “Not Secure” message still appearing and the SEO penalty still being in place today, it’s important that your website has an SSL certificate even if you’re not going to be accepting sensitive information from visitors.  In fact, since that time in 2017, it’s become the norm for all websites the internet over to be secured via SSL certificates - regardless of their function or the types of information they collect.  With the increased availability of free certificates, there is practically no reason to not have your services secured with some form of SSL. 

But what are SSL certificates?  When and why were they developed?  What problems do they aim to solve and which type should you use?  In this article we aim to answer all of these questions and more.

What are SSL certificates and why are they important?

When you’ve gone to your favourite website, have you ever noticed the term “https” displayed before the website name in your address bar?  Sometimes this term isn’t displayed at all and instead only a lock icon is shown, or in some cases this lock also has the word “Secure” next to it.  Whilst seeing that lock symbol can put your mind at ease without needing to know any technical details, what each of these are evidence of, is that the website you’re visiting is using some form of SSL security to secure your communication.

SSL stands for “Secure Sockets Layer” - which is a security protocol that’s used to establish an encrypted connection between a web browser and a web server.  It was first developed back in 1995 by Netscape - the developer of the once dominant, but now superseded internet browser of the same name – and was done so with the protocol for allowing the encryption of communications through the exchanging of public and private keys to create secure sessions.  Although it’s colloquially known as SSL and many still refer to it as such, in actuality, the protocol that is used in most cases today is known as TLS (Transport Security Layer) – TLS being a newer and more secure protocol when compared to its predecessor. 

Regardless of the protocol used, both are deployed for the same end result, which is to secure your connection to a web server.  They are able to ensure that the communication and data that’s sent between your device(s) and the web server that you’re connected to, are secure and thus unable to be snooped on by unauthorised third parties.  The most obvious case here is protecting your communication on insecure networks, where your network traffic may be able to be seen by a malicious person in the middle.  In fact, the name for this sort of attack is actually called a “man-in-the-middle-attack”.  Although we’d still highly recommend only connecting to networks you trust, in theory, a website that utilises SSL would allow you to connect without disclosing a lot of your communication to that malicious actor. 

In addition to protecting your information from malicious actors, and with regards to privacy more generally -  when connecting over SSL, even your ISP (Internet Service Provider) will have limited visibility over those communications.  One important caveat to this though, is that in both of these cases – that of your ISP or a malicious “man-in-the-middle” viewing your network traffic - some information would still be visible to them such as the domain and IP address of the server you are connecting to.  To obscure this information, additional external security services such as a Virtual Private Network (VPN) would need to be implemented.

How does SSL / TLS work?

Before we go into more detail about SSL & TLS, we’ll need to cover the basics of encryption – we won’t go into too much detail on it, but just provide a quick introduction and explanation of how it works.  In short, encryption is a security process that is used to scramble information in such a way as to make it unintelligible to people who don’t know the “trick” needed to decrypt it.  In some ways you can think of it as a puzzle that’s easy to solve if you know the solution, but hard to solve if you don’t.

Above: A cipher wheel, used to allow for encrypting and decrypting communication

Encryption has been used throughout human history as a way of preventing information from falling into the wrong hands.  For instance, within the Roman Empire during the 1st century AD, a relatively simple cipher - an algorithm used for performing encryption or decryption – was used to encrypt military and other official messages.  The cipher was called the “Caesar Shift Cipher” and involved shifting each letter within the message by a fixed amount in the alphabet.  Whilst it was relatively straightforward, due to the majority of Rome’s enemies being illiterate at the time, the cipher remained secure up until somewhere in the 5th and 9th century AD!

Source: Wikimedia Commons

Just like the more primitive forms used by the Romans, in SSL and TLS, more modern and harder to break methods are used to scramble communication so that the information is nearly impossible to decrypt by anyone other than the intended recipient.

As an example, at a high level, here is the process that is followed when you communicate with a web server over an SSL / TLS connection:

1. An internet browser or server attempts to connect to a web server secured with SSL.
2. The internet browser or server requests that the web server identifies itself via SSL.
3. The web server sends a copy of its SSL certificate in response.
4. The internet browser or server checks to see whether to trust the SSL certificate.
5. If it trusts the certificate, then it lets the web server know to proceed.
6. The web server responds with a digitally signed acknowledgment to start an encrypted SSL connection.
7. For future communication during the current session, data is shared between the internet browser or server and the source web server over an encrypted SSL connection.

The entire process detailed above is referred to as the “SSL handshake” and takes place near instantaneously each time you connect to a website secured with SSL.

What are the different types of SSL certificates?

Now that we’ve covered what SSL certificates are and gone over how they work at a high level, next comes the question of what to do if you want to use them for your own website or server.  In most cases this will be straight forward – most hosting providers offer some form of free SSL certificate for hosted websites, and paid standard SSL certificates are relatively easy to purchase and install.

However, there are a range of different SSL certificates available and each have different validation methods - so which one should you choose?  To be able to answer this - we’ll first need to go over the different types that are available to choose from, and explain the difference between each validation method that exists.

The different types of SSL certificates that exist fall into the following three categories:

• Single-Domain – A “single-domain” SSL certificate only applies to a single domain, which is a website address such as “micron21.com” or “google.com”.
• Multi-Domain – A “multi-domain” SSL certificate allows for multiple different domains to be protected with a single certificate – they usually increase in cost for each additional domain that’s able to be protected.
• Wildcard – As opposed to the two above types, a “wildcard” SSL certificate is able to protect an unlimited amount of sub-domains, as well as the primary domain above them.  A sub-domain is a prefix that’s added to a domain name, which allows you to host separate websites or applications under a new address without needing an entirely separate domain, such as "domains.micron21.com". 

With each of these SSL certificate types, there are multiple different types of validation methods available, with each having their own set of advantages and disadvantages.

The different types of validation methods are:

• Domain Validation (DV) – This is the entry-level validation and often the default with most providers. It’s the cheapest option and the quickest to complete, only requiring simple validation through methods such as email, DNS, or uploading a file to the domain’s website.
• Organisation Validation (OV) – The next level up above DV is OV (Organisational Validation).  With this validation method, the certificate issuer/authority reaches out directly to the person or business requesting the certificate in order to verify their identity before issuing the certificate.
• Extended Validation (EV) – The highest level of validation is EV (Extended Validation).  With this level, a full background check is completed against an organisation before a certificate is issued for them, with the intension of ensuring that only legitimate organisations have EV certificates issued.

One of the advantages of the more extensive types of validation is that each tier comes with a higher “warranty” than the last.  Lower tiers, such as those that come with DV validated certificates, usually have warranties in the tens of thousands, whereas higher tiers can have warranties covering a million or more in damages.  In fact, one of the main things that differentiates free SSL certificates from paid SSL certificates is that the latter comes with a warranty, whereas the former does not. 

The SSL certificate warranty offered by these providers covers any damages incurred by end-users that occur due to improper issuance of an SSL certificate to a fraudulent entity.  However, it’s important to know that this doesn’t cover fraudulent scams like phishing websites.  In cases of phishing - where websites attempt to trick users into believing they’re on a different website than they actually are – the website could use a deceptive domain such as “paypal.scam.com” and have a valid SSL certificate at the same time.  What the warranty covers is any damages caused by the Certificate Authority mistakenly issuing an SSL certificate for a domain to an entity that doesn’t own that domain.  For example, if they were to issue an SSL certificate for the domain “paypal.com” to an entity that wasn’t PayPal.

Lastly, we come to multi-year SSL certificates.  In the past, it was relatively common for users to purchase SSL certificates that spanned multiple years, requiring that users renew them every two, three, or even more years.  Whilst these multi-year SSL certificates are still available, due to the changes implemented by Apple and Google within Safari and Chrome respectively, certificates with validity older than one year aren’t supported.  This means that in most cases multi-year certificates won’t be an option for securing web-facing services.

So, with all that said, which type of SSL and validation method should you use?

As with most things, the type of SSL and validation method that’s best will vary based on each situation and your requirements.  The choice of which type to use will largely be a financial and practical one.  How many domains do you have to secure?  If it’s many, then using a multi-domain certificate rather than several single-domain certificates could be more cost effective.  Do you have multiple sub-domains to protect?  If it’s only a few, then several single-domain certificates could still be the cheapest option, but if it’s many, then a wildcard may be better from a cost and management perspective.

When it comes to the available validation methods, the decision will largely come down to what level of warranty you are looking to have.  If your use-case will include more sensitive information, such as handling confidential user data, it can make sense to use more intensive validation methods to acquire higher levels of warranty - in fact, it can be a requirement in some industries!

In the majority of cases though, a single-domain SSL certificate that was issued using domain-validation will be fine for securing the connection and offering a small amount of peace of mind to visitors through its included warranty. 

With regards to free SSL certificates, they are becoming increasingly commonplace – this is largely due to the fact that they are being included as a free extra with most hosting providers.  For example, on our own Shared Web Hosting platform we provide free SSLs via the AutoSSL feature built into cPanel.  Free SSL certificates are able to achieve the same security sans any sort of warranty - so with Google not penalising free SSL certificates with negative SEO, they’re an easy way of increasing your security and preventing your SEO from being affected without any additional cost.

Have any questions about SSL or want to purchase one for your own website?

If you would like to look into securing the traffic to your website, let us know!  You can call us on 1300 769 972 (Option #1) or email us on sales@micron21.com to find out more about the technology or purchase your own SSL certificate.