In this article I will use the more accurate term SSL/TLS rather than just saying SSL. You can find out more about the difference between the two in my article 'Why you should have an SSL certificate on all your web projects?', where I give an in-depth explanation.
So let's start by explaining certification authorities, or CAs for short. Certification authorities are entities that issue digital certificates. They certify ownership of a public key. Remember, this is what an SSL certificate does: it certifies ownership of a public key.
The most important part of the process is that we tell them what URL we are going to use and give them a public key. Sometimes we will also have to pay a fee.
They will then validate that this public key and this information match and look correct, and they will return a certificate certifying ownership of that public key. It's a bit like notarizing an identity.
In the real world, you can go to a notary or a sworn official and ask them to legalize or certify a document that you sign. You bring your identification document with you so that they can see who you are, and they guarantee that they saw you personally sign the document.
It's pretty much the same process here. The idea is to have a trusted third party who will vouch for that public key. Browsers either keep their own list of certificate authorities or borrow one from the operating system. They trust those CAs, and since a CA has certified that a particular URL has a given public key, browsers know that they can trust that public key.
What has been certified is that a public key belongs to a particular URL. That's it!
It says nothing about the entity behind that URL. We don't know if they're good people or bad people. We don't know if their business is going well or if they are about to go out of business. All we know is that this public key is a legitimate key to this URL.
Most CAs charge a fee for their services, in the same way that a notary may charge a small fee to authenticate a document for you. But there is a non-profit project called Let's Encrypt that provides you with free certificates.
Here are the different types of certificates:
1- Self-signed certificates
Self-signed certificates are certificates that have not been signed by a certificate authority, but by you. They are vouched for by you, not by a CA. This still allows you to perform encryption with them, because they still have a public key attached. What they lack is the trust of a third party: there is no external organization on the Internet that vouches for the fact that that public key belongs to that entity.
So if you try to visit a website that uses a self-signed certificate, the browser will display a security alert because it doesn't trust it.
So for a website that's certainly not what you want.
But why would you want to use a certificate that is not trusted by a third party?
They are especially useful when you have two systems that need to communicate with each other and already trust each other.
2- Single domain certificates
This is a certificate in which the public key is certified as belonging to a single website, for example www.yoursite.com. It is therefore valid only for www.yoursite.com and yoursite.com.
But if you also want to use it for blog.yoursite.com or admin.yoursite.com, that will not be possible; for that you need what is called a wildcard certificate.
3- Wildcard certificate
It's exactly the same as a single domain certificate; the only difference is that it can be used on multiple subdomains.
4- Multi-domain certificate
Again, it is the same type of certificate, except that it can be used for multiple domains, for example yoursite.com, yoursite.ca and mysite.com. There is a variation on this, the UCC or SAN certificate. These are similar to multi-domain certificates, but they are mainly used for Microsoft Exchange and Office Communications environments.
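To make the three commercial types concrete, here is an added example (not from the article) of the hostname-matching rule a browser applies to the names listed on a certificate; the helper functions and the name lists are constructed for illustration.

```python
"""Which hostnames does a certificate's name list cover?

Hypothetical helper (not from the article) implementing the name-matching
rule browsers apply to certificates (RFC 6125 style): comparison is
case-insensitive, a wildcard may only be the entire left-most label, and
it matches exactly one label, so "*.yoursite.com" covers "blog.yoursite.com"
but neither "yoursite.com" nor "a.b.yoursite.com".
"""
from __future__ import annotations


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (possibly a wildcard) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" in pattern:
        # Wildcard only as the whole left-most label, with at least two
        # labels after it (so "*.com" or "b*.yoursite.com" never match).
        if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
            return False
        if len(p_labels) < 3:
            return False
    if len(p_labels) != len(h_labels):
        return False  # "*" stands for exactly one label, never zero or several
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def covered_by(cert_names: list[str], hostname: str) -> bool:
    """True if any name listed on the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


# Constructed name lists mirroring the article's three certificate types.
SINGLE_DOMAIN = ["www.yoursite.com", "yoursite.com"]
WILDCARD = ["*.yoursite.com", "yoursite.com"]  # constructed; bare domain listed beside the wildcard
MULTI_DOMAIN = ["yoursite.com", "yoursite.ca", "mysite.com"]

if __name__ == "__main__":
    hosts = ["www.yoursite.com", "blog.yoursite.com", "a.b.yoursite.com", "yoursite.ca"]
    for label, names in [("single", SINGLE_DOMAIN), ("wildcard", WILDCARD), ("multi", MULTI_DOMAIN)]:
        for host in hosts:
            status = "covered" if covered_by(names, host) else "NOT covered"
            print(f"{label:9s} {host:20s} {status}")
```

Note that the wildcard covers only one level of subdomain, which is why a.b.yoursite.com is reported as not covered even by the wildcard list.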
There are also differences in the level of validation, and these have an impact on price. This is understandable, because what really differs is the effort the certification authority makes to validate the ownership of that public key. Simply put, it costs more money to do more work to verify that an owner is who they claim to be.
Here are the different types of validations:
- Domain validation
This is the most common level; it only certifies that the public key and the domain name of the website are linked. Usually the CA does this by sending an automatic email to the website owner registered in the WHOIS database. In other words, it sends the email to whoever claims to be the owner of that website, and if that person can receive the email and respond to it, that is considered sufficient proof of ownership. Another option is that the CA asks you to put a data file, usually a .txt, on the website: if you own the website, you should be able to put the file there, and they can then see it publicly.
- Organization validation
As you can imagine, this includes everything in domain validation, but in addition it also confirms the authenticity of the organization by checking company registries for articles of incorporation and confirming the company's physical address.
- Extended validation
Extended validation does the same type of checks as organization validation, but takes an extra step to validate the organization.
The CA physically contacts the company or organization, typically by dialing its phone number. All they do is verify that someone answers the phone at that location and confirms that the company is who it says it is. That's it: just check that someone picks up and says yes, it's the right company. One advantage of extended validation, however, is that many browsers display it differently when you visit a site that has it. They put a big green bar at the top and may even show the company name instead of the URL. This can make the site appear much more trustworthy to visitors.
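As an added example of the file-based domain validation described above (not the article's code), this simulates the check a CA runs, using a local stand-in for the applicant's website; the challenge path and the function names are constructed.

```python
# Simulated "put a file on the website" domain validation as a CA would run it
# (hypothetical code, not the article's): the CA issues a random token, the applicant
# publishes it in a .txt file on the site, and the CA fetches it over HTTP and compares.
# The "website" is a local server thread so this runs offline; the path is constructed.
import http.server
import secrets
import threading
import urllib.request

CHALLENGE_PATH = "/.well-known/domain-validation.txt"  # constructed, not any CA's real path

def issue_token() -> str:
    """CA side: a fresh, unguessable token for one validation attempt."""
    return secrets.token_urlsafe(32)

def check_file_challenge(base_url: str, expected_token: str) -> bool:
    """CA side: fetch the challenge file; any error or mismatch means 'not proven'."""
    try:
        with urllib.request.urlopen(base_url + CHALLENGE_PATH, timeout=3) as resp:
            body = resp.read(4096).strip()
    except (OSError, ValueError):  # URLError/HTTPError are OSError subclasses
        return False  # unreachable site, 404, bad URL: no proof of control
    return secrets.compare_digest(body, expected_token.encode())

def serve_token(token: str):
    """Applicant side: throwaway local server publishing the token; returns (base_url, shutdown)."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != CHALLENGE_PATH:
                return self.send_error(404)
            self.send_response(200)
            self.end_headers()
            self.wfile.write(token.encode())

        def log_message(self, *args):  # keep the demo quiet
            pass
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)  # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}", srv.shutdown

def validate_round(publish_correct_token: bool) -> bool:
    """One full round: True only if the published file holds the CA's token."""
    token = issue_token()
    published = token if publish_correct_token else issue_token()  # impostor's guess
    base_url, shutdown = serve_token(published)
    try:
        return check_file_challenge(base_url, token)
    finally:
        shutdown()
```

The token is random and compared in constant time, so only someone who can actually place content on the site passes; a wrong or missing file, or an unreachable site, fails the round.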
So which one should you choose?
Every priest preaches for his own choir: in general the certification authorities want to sell you the most expensive option they have, often a lot more than you need.
If your goal is to encrypt your communications or prevent browsers from complaining to your users, simply choose simple domain validation. If your goal is to reassure your customer as much as possible, then choose extended validation, or choose the middle ground which is organization validation.
More validation does build your customers' confidence. On the other hand, if the extra cost of more validation makes you hesitate, then you certainly don't need it.
If you need help with your web security needs contact us here and our experts will be happy to help you.
Share your SSL/TLS related adventures with us in the comments!