Are SSL certificates important for your website?
Do they change anything security-wise?
What is an SSL certificate?
In most peoples minds SSL certificate is that it’s the technology that triggers the little padlock or green bar at the top in their web browser.
An SSL certificate indicates that the web page uses the HTTPS protocol for secure communication.
To communicate on the web the most basic and historic way is to use the HTTP protocol.
Using an SSL certificate adds the ‘S’ to the end of HTTP to turn it into HTTPS, which stands for “HyperText Transfer Protocol Secure” which is really just the secure version of HTTP.
SSL certificates existed for a long time, but it was used to encrypt sites with financial transactions and sensible information.
But with the development of the internet and the many confidential information we share online have fact that over time most websites have started to use the HTTPS protocol as well.
How Does an SSL Certificate Work?
It certifies ownership of a public key, in other words, someone saying, YES , I will validate that this organization, this URL, owns this public key. So all of that organization’s basic information, as well as some technical details, like the type of encryption used, will all be placed in a certificate file.
In general we have the organization, the URL, the country, but also the period of validity of the certificate, the idea is to know the information of the person who has a public key.
An SSL certificate file, is usually a file that ends in .crt or sometimes .cer. However, the contents of this file will not be easily readable by you. If you open one of these files, you’ll see something that might look like this.
This image is an encoded version of all the information associated with a public key, so a receiving person or an organization can decode it.
This practice is just a way to compress it and make a machine-readable code that can be easily interpreted well on the internet.
Certificate authorities are entities that issue digital certificates. They certify ownership of a public key.
Remember, that’s what an SSL certificate does. It certifies ownership of a public key.
Most importantly, we’re going to tell them what URL we’re going to use, along with some other information as mentioned above, and then we’re going to give them a public key. And sometimes we will also have to pay some fees.
The CAs will then in turn validate that this public key and information matches and looks correct and we will return a certificate certifying ownership of this public key.
It’s a bit like notarizing an identity. In the real world, you can go to a notary or sworn attorney and ask them to notarize or certify a document that you are about to sign.
You could bring your ID and original documents so he can confirm who you are, as well as the authenticity of your documents, and he can certify that he saw you and sign the document.
It’s pretty much the same process here. The idea is to have a trusted third party who will vouch for this public key.
Browsers will keep a list of certificate authorities, either their own list or they will borrow one from the operating system. And they will trust those CAs, and since a CA has certified that a particular URL has a public key, browsers know they can trust that public key.
But remember, this does not mean that you are dealing with a legitimate entity just because it is certified.
What has been certified is that a public key does indeed belong to a particular URL. That’s all !
It does not say anything about the entity behind this URL. We don’t know if they are good or bad people.
We don’t know if their business is doing well or if they are on the verge of bankruptcy. All we know is that this public key is a legitimate key for this URL.
Most charge a fee for their services, much like a notary may charge a small fee to authenticate a document for you.
But there is also a free option, a non-profit project from a huge community Let’s Encrypt that provides you with free certificates
The Different Types of SSL Certificates
Self-Signed Certificates
Self-signed certificates are certificates that have not been trusted by a certificate authority, but have been signed by you. You are responsible for this, not a certification authority.
This still allows you to encrypt with them because they still have a public key attached. But what they lack is the trust of a third party.
We do not have an external organization on the Internet that vouches that this public key belongs to this entity.
So if you try to visit a website that uses a self-signed certificate, the browser will definitely show a security alert because it doesn’t trust it.
But why would you want to use a certificate that is not trusted by a third party?
They are especially useful when you have two systems that want to communicate with each other and already trust each other.
Single Domain Certificates
It is a certificate in which a public key is certified as belonging to a single website, for example: www.oshara.ca so it is certified only for www.oshara.ca and oshara.ca.
But suppose we want to have estimatemyapp.oshara.ca this will not be possible, because we will have to use a Wildcard certificate which can be used on all our subdomains, as is the case here.
Wildcard Certificate
This is exactly the same as a Single Domain Certificate, except that it allows you to use it on multiple subdomains.
Multi-Domain Certificate
Again, it’s the same type of certificate, except it can be used for multiple domains. It can be used for oshara.ca, and osharainc.com. There is a variation on this which is the UCC or SAN certificate.
They are similar to multi-domain certificates, but they are mainly used for Microsoft Exchange and Office communication environments.
The Different Types of Domain Validation for an SSL Certificate
There are also differences in domain validation levels and these have an impact on prices.
But that’s understandable because what’s essentially different is the effort the CA puts into validating ownership of a public key. In other words, it (the CA) is asking for more money to do more work to validate that an owner is who they say they are.
Here are the main different types of validations:
- Domain validation
It is the most common, it only certifies that the public key and the domain name of the website are linked.
Generally, the way to do this is to send an automatic email to the website owner who is registered in the WHOIS database. So he will send it to anyone who claims to own this website, and if he can receive and respond to that email, then that is proof enough of ownership.
Another option is that they are going to ask you to post a data file usually .txt on the website because if you own the website you should be able to put the data file there which they can then see publicly.
- Validation of the organization
This includes everything that is included in domain validation but in addition it also confirms the authenticity of the organization by checking the company’s databases for articles of incorporation and confirming the physical address of the organization. ‘business. This validation can be issued up to 2 days after the start of the process.
- Extended Validation
Extended validation does the same type of validation as organization validation, but they do an extra step to validate the organization.
In general A human contacts the company by published telephone and could even speak to several people. One of the benefits of extended validation, is that many browsers display it differently e.g. totally green in the browser URL.
They’ll put a nice big green bar at the top and they might even put the company name instead of the URL. This can make them much more reliable. Of course this type of validation takes longer and could take up to 10 days.
How to Choose the Right SSL Certificate?
Since each priest preaches for his parish. Each certification authority wants to sell you the most expensive option in general trying to sell you a lot of advantage but thinking about your real needs is the best way to decide.
If your goal is to encrypt your communications or prevent browsers from complaining to your users, just choose Simple Domain Validation. If your objective is to reassure your client as much as possible, choose extended validation, or depending on the size of your company and the use of the web project, choose the happy medium, which is organization validation.
More validation builds trust with your customers. On the other hand, if the additional cost of more validation makes you hesitate, then you certainly do not need it.
Why Use an SSL Certificate for your Web Projects?
An SSL certificate is recommended for all web projects, even if it is a one-page website or an internal web application. Here are some reasons:
Protection Against Hackers
As long as technology exists, hackers will also exist. And they are dredful as they are improving their web attack techniques day by day.
When you communicate you want it to be secure, in the web talking about secure communication means that we are talking about confidentiality and data integrity.
The fact that a malicious individual cannot intercept your data, see what is sent through the browser, nor can he modify it while it is in transit should be the wish of any serious company or individual on the web.
Without an SSL certificate, all data exchanged online such as credit card information, password etc. can be easily intercepted.
Trust in Your Brand
Will you do business with an individual or company you don’t trust? I doubt your answer is YES.
Without SSL certificates on your web project, your users are the first to know about it on their first visit to your website. Because the browser would show them different notifications as below:
Would you prefer to sleep in an open-air forest full of wild and hungry animals or in a house protected by security guards in the same forest?
In any case I will choose the house, yes I prefer not to imagine myself as a meal
For several users (I admit that I am one of them) here is how it feels on a website without any ssl certificate
With an SSL certificate you send a message from a responsible company that takes its visitors seriously.
Whitout it, well, it seems rather that you do not consider your own brand enough and even less your visitors and that the effort to install an SSL/TLS certificate is too much for you.
Certificates tell us something about the identity of the person who owns a particular public key.
And beyond that, they also tell us something about the reliability of that person. Now, there are all sorts of identity and reliability issues, but that’s a whole different story.
Google and SEO
The web giant Google has inevitably changed the game in the field of web security. First of all In January 2017, Google Chrome made a change and started marking all HTTP pages, i.e. insecure pages, which have a password or credit card field, as unsafe, just to give an important warning.
“Hey user, this web page where you are about to enter your password or credit card is not a secure page.”
In October 2017, they took another step forward, and they started marking all web pages with a form on them as not secure, and also, if you thought you were in private mode, and you could browse privately, they also marked these web pages as not safe on their web browser in private mode.
That’s not all, in July 2018 they decided to mark all HTTP pages as insecure. Their general purpose is to help users understand that HTTP sites are not secure.
Then they decided that if your web page is not HTTPS, you should be ranked in the lower priority sites in online search results.
And in reality, they are not the only ones, all other search engine robots such as Bing, Yahoo, etc. have all done the same.
It’s not Expensive and Sometimes Even Free
With Let’s Encrypt you no longer have financial reasons not to bring SSL certificates for your web projects because it is totally free.
Let’s Encrypt is a project of the Internet Security Research Group, a consortium supported by many of these big tech companies, which was launched in April 2016 with the goal of having all web servers use the HTTPS protocol.
Implementing HTTPS has never been easier than it is now.
Then for paid solutions you with ssls.com which offers rather interesting prices and many others do it.
It is Faster
This factor is also a key factor in terms of SEO, and the speed of loading pages in HTTPS is better than in HTTP.
TLS or SSL?
Actually saying SSL is a bit of a misnomer because everything we talked about above is actually TLS.
TLS, or Transport Layer Security, is considered a superior and far more widespread version of SSL.
Even though TLS has been around now for five times longer than SSL, no one really uses SSL to communicate anymore, they do use TLS, but we still call them SSL certificates.
Most commonly these are SSL certificates, but some people call them SSL/TLS certificates. Some people just call them TLS certificates.
Others try to avoid including the protocol and just call them digital certificates. Either because they certify the public key, you may see them called public key certificates, or because they certify the identity of the person who owns the public key, you may see them called identity certificates.
These are all valid names, they are all interchangeable. However, SSL is the most common name you will see in the market, but you should recognize them all and understand why these different names exist and they are the same thing.
The primary purpose of a certificate is to be used with encryption. This is so that we can encrypt communications and communicate securely between two different computers, usually a browser and a remote server.
Conclusion
To recap the SSL certificate protects your data, confirms your identity, improves your SEO and improves your brand image and all this for free if you wish.
The most widespread and standard method is to go through a certification authority or CA in short form. SSL certificates are not valid forever, fortunately, so they are only certified for a certain time and they are certified by an issuer.
With an SSL certificate you protect your users or visitors, your data and of course yourself.
If you need help with installing SSL certificate to your website or anything concerning website development and maintenance, please contact us today. We run the best web agency in Montreal and we can surely help you!