SSL stands for Secure Sockets Layer and, in short, it’s the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems, preventing criminals from reading and modifying any information transferred, including potential personal details. The two systems can be a server and a client (for example, a shopping website and browser) or server to server (for example, an application with personal identifiable information or with payroll information).
It does this by making sure that any data transferred between users and sites, or between two systems remain impossible to read. It uses encryption algorithms to scramble data in transit, preventing hackers from reading it as it is sent over the connection. This information could be anything sensitive or personal which can include credit card numbers and other financial information, names and addresses.
TLS (Transport Layer Security) is just an updated, more secure, version of SSL. We still refer to our security certificates as SSL because it is a more commonly used term, but when you are buying SSL from DigiCert you are actually buying the most up to date TLS certificates with the option of ECC, RSA or DSA encryption.
HTTPS (Hyper Text Transfer Protocol Secure) appears in the URL when a website is secured by an SSL certificate. The details of the certificate, including the issuing authority and the corporate name of the website owner, can be viewed by clicking on the lock symbol on the browser bar.
Introduction to SSL
An SSL certificate is installed on the server side but there are visual cues on the browser which can tell users that they are protected by SSL. Firstly, if SSL is present on the site, users will see https:// at the start of the web address rather than the http:// (the extra “s” stand for “secure”). Depending on what level of validation a certificate is given to the business, a secure connection may be indicated by the presence of a padlock icon or a green address bar signal.
Google now advocates that HTTPS, or SSL, should be used everywhere on the web and, as of 2014, the search engine has been rewarding secured websites with improved web rankings, another great reason for any site to install SSL.
Transport Layer Security (TLS) is the successor protocol to SSL. TLS is an improved version of SSL. It works in much the same way as the SSL, using encryption to protect the transfer of data and information. The two terms are often used interchangeably in the industry although SSL is still widely used. When you buy an ‘SSL’ certificate from DigiCert, you can of course use it with both SSL and TLS protocols.
Levels of business authentication
As well as encryption, Certificate Authorities (CAs) can also authenticate the identity of the owner of a website, adding another layer of security. The SSL certificate is then used as proof of the company’s identity. Certificates can be divided into three authentication groups, based on the level of authentication, which are:
These vary slightly in purpose and function. It’s worth knowing a little more how each of them works before deciding which is the most suitable.
1. Domain Validation SSL Certificates
These require businesses to prove their control over just the domain name. The certificate contains the domain name that was supplied to the issuing authority as part of the request. Because the identity of the organization is not checked here, Domain Validated certificates are the most basic level of SSL certification, and are only appropriate for test servers and internal links.
2. Organization Validation SSL Certificates
This requires the applicant to not only prove they own the domain name they wish secure, but also prove that their company is registered and legally accountable as a business. The issued certificate is then proof of domain and company name. This level of authentication is suitable for public-facing websites that collect personal data from site users. Note that individuals cannot obtain such certificates, only organizations and businesses.
3. Extended Validation SSL Certificates
Extended Validation SSL helps protect users from providing their details to fake website which can be used by criminals for phishing. EV SSL requires both of the above validations for domain and company as well as several additional verification steps related to proving that the SSL certificate belongs to a registered company. This extra company information is then represented in the issued certificate on the address bar and can be accessed from many web browsers by clicking on the padlock icon. When visiting a site with EV SSL many browsers exhibit a green address bar as a highly visual sign of trust in the website and business to handle personal information. This type of certificate is also available to organizations and businesses only.
How does an SSL certificate work?
The basic principle is that when you install an SSL certificate on your server and a browser connects to it, the presence of the SSL certificate triggers the SSL (or TLS) protocol, which will encrypt information sent between the server and the browser (or between servers); the details are obviously a little more complicated.
SSL operates directly on top of the transmission control protocol (TCP), effectively working as a safety blanket. It allows higher protocol layers to remain unchanged while still providing a secure connection. So underneath the SSL layer, the other protocol layers are able to function as normal.
If an SSL certificate is being used correctly, all an attacker will be able to see is which IP and port is connected and roughly how much data is being sent. They may be able to terminate the connection but both the server and user will be able to tell this has been done by a third party. However, they will not be able to intercept any information, which makes it essentially an ineffective step.
The hacker may be able to figure out which host name the user is connected to but, crucially, not the rest of the URL. As the connection is encrypted, the important information remains secure.
1. SSL starts to work after the TCP connection is established, initiating what is called an SSL handshake.2.The server sends its certificate to the user along with a number of specifications (including which version of SSL/TLS and which encryption methods to use, etc.).3. The user then checks the validity of the certificate, and selects the highest level of encryption that can be supported by both parties and starts a secure session using these methods. There are a good number of sets of methods available with various strengths – they are called cipher suites.4. To guarantee the integrity and authenticity of all messages transferred, SSL and TLS protocols also include an authentication process using message authentication codes (MAC). All of this sounds lengthy and complicated but in reality it’s achieved almost instantaneously.
How to know if SSL is needed
The fact that Google is pushing for HTTPS across the web and prioritising sites that have an SSL certificate probably indicates just how much SSL is needed, but here are some other top reasons for getting an SSL certificate.
Secure purchases
According to Business Insider 74% of shopping carts are abandoned but up to 64% can be recovered with better checkout security and flow. Many of these 64% are more likely to complete a purchase if they know the checkout area is secure. That’s not a number businesses can afford to ignore. Even if they’re only using SSL for their checkout area, it’s well worth it.
Offering memberships
If sites offer membership or anything that involves collecting email addresses and other sensitive information, then SSL is a good idea. It’s always sensible to keep customer information as safe as possible.
If forms are used
The same applies if they use any kind of form where users will be submitting information, documents, or images. It is surprising how much information is collected about a site’s visitors, so it’s worth keeping it safe.
If it’s simply a blog or a standard ‘info only’ kind of site, HTTPS can help to protect the security of sites, reducing the risk or tampering and intruders injecting ads onto the page to break user experience. Plus, it really can’t hurt in terms of search engine rankings.
Does SSL work across all devices?
In short, the answer to this question is yes it does. Of course, there are some configurations that will not work 100% so it is can be valuable to talk with the Certificate Authority’s sales team if unsure.
Devices and operating systems
Again all of the big operating systems for computers, tablets and mobile phones are supported. However, in the case of mobiles, it might be that some older devices won’t support newer SSL or TLS protocols so it’s worth doing the research to ensure maximum compatibility. The SSL certificate provider can help with this if there are any doubts.
Browser compatibility
People use a range of different browsers (Chrome, Firefox, Safari etc) to access web content. Just as sites are created to work on all browsing platforms, SSL/TLS from a reputable provider will also work in 99% of cases. Unless users are accessing the site from very niche browsers, all the big names will be covered.
Servers
Thanks to the way SSL works, servers don’t really need to have root certificates embedded but you will need to install the corresponding intermediate certificate(s). As long as the certificate is installed correctly, it can be supported by any server. It’s up to the browser to determine if it’s trusted or not during the handshake process.
Key Services and Features
Learn more about how our services help extend security on your website beyond SSL.
- Vulnerability Assessment
- Malware Scanning
- Strongest Encryption Algorithms
- FATCA Compliance
What are the visual implications of SSL?
As we’ve referred to a number of times throughout this guide, it is often the visual impact of an SSL certificate that has the biggest effect on users and potential customers. But how exactly does this work and what visual form will an SSL take on a site?
As with any purchase, online or not, most people will be more likely to buy from a reputable dealer. Certificates to prove authenticity or expertise in a certain field go a long way to making customers feel more secure.
That’s exactly the visual impact an SSL certificate can have on potential clients. SSL and TLS are the industry’s best and most accepted standards of security and certificates should be proudly displayed where everyone can see them.
First of all, it will appear in the address bar. The site’s pre-x will be https:// rather than the http:// and users are more frequently insisting on the difference.
The presence of the padlock icon in the address bar is also a big indication of safety. It reassures customers that their connection is secure and encrypted. And, as we’ve mentioned, it can make people more likely to complete a transaction.
By using the most secure form of certificate – the Extended Validation SSL certificate – the company name appears in green in the address bar. It’s another sure-re way of letting customers know that it’s 100% legitimate.
Lastly, many SSL certificates come with a seal image, which can be used on the site to display the brand of SSL which is being used. Let customers know that their security and information is protected and they’ll be far more likely to trust the site with their cash. Research from 2013 shows that DigiCert SSL’s SSL seal is the most recognized on the web.
What is an SSL Connection Error?
An SSL connection error occurs when the page being accessed has some security issues. They occur for users’ protection, interrupting access to inform them that there may be some security concerns if they progress.
They can take a number of forms, often differing with the choice of browser. In some instances, the page may go red with the https:// pre-x also highlighted in red. Using Google Chrome, there are a number of messages that users might see appear on their screen. These include ‘your connection is not private’ or simply that ‘this webpage is not available’.
It might be as the result of outdated security code on the website and doesn’t necessarily mean that the site being accessed is suspicious, but users should take connection errors seriously, especially if they are not 100% sure about the destination site.
Whilst there are ways to circumnavigate SSL connection errors, it is strongly recommended that users don’t.
If in website development trials it is found that the site is suering from SSL connection errors then it is imperative to do something about it quickly. This may involve updating the security settings or simply acquiring a more adapted SSL certificate. This will help browsers to establish that the site is secure and allow users to access it without safety warnings.
Does SSL Work on Email?
Most of the big email providers use SSL encryption to encrypt users’ mail. In most cases, the SSL option will be automatically checked in email settings. To retrieve mail that has flagged up an error message the user may have to uncheck this option.
If the account where users retrieve mail supports SSL then they can select this option to have data sent through a secure connection.
If a company is setting up its own email service the IT team may need to check with their provider that they are also secured by SSL. This will eliminate security problems when sending out mail shots and individual mail.
How to implement an SSL certificate on a site
Depending on how a site is hosted and where, there are various ways of adding an SSL certificate. In some cases, if there’s an ecommerce element on the site, it will be a requirement to have a certificate. Major hosting providers often offer hosting packages including SSL certificates.
It may also be possible to transfer an existing SSL from other hosts (exporting it from the original server and importing it on the new server). It will be necessary to follow the special instructions on the webhoster’s site. Note that some Certification Authorities require you to purchase a server license for each server that will host the certificate.
SSL Summary
SSL is an important security tool for business and one that is playing an increasing role in the success of online transactions. It’s really not that complicated to buy and install, and help is available along the way with many SSL providers.
An https:// pre-x and padlock icon are just a few clicks away and can have a big impact on business; increasing sales, building consumer confidence and boosting web rankings all with one industry standard certificate.
Credit: Source link
