What is an SSL Certificate?
An SSL (Secure Sockets Layer) certificate is a bit of code on your web server that provides security for online communications by creating an encrypted connection between your web server and your visitors' web browser.
The SSL certificate has two specific functions:
1. Authentication and Verification: The SSL certificate has information about the authenticity of certain details regarding the identity of a person, business or website, which it will display to visitors on your website when they click on the browser's padlock symbol or trust mark. The vetting criteria used by Certificate Authorities to determine if an SSL certificate should be issued are most stringent for an Extended Validation (EV) SSL certificate, making it the most trusted SSL certificate available.
2. Data Encryption: The SSL certificate also enables encryption, which means that the sensitive information exchanged via the website cannot be intercepted and read by anyone other than the intended recipient. It's kind of like sealing a letter in an envelope before sending it through the mail.
An SSL certificate is only reliable when issued by a trusted Certificate Authority (CA). A CA builds its reputation by following very strict rules and policies about who may or may not receive an SSL certificate. An SSL certificate from a trusted CA leads to a higher degree of trust by your customers, clients, or partners.
How Do I Know That a Site Has a Valid SSL Certificate?
There are several ways that visitors can tell if a website has a valid SSL certificate and that their transactions are being encrypted.
1. A standard website without SSL security displays "http://" before the website address in the browser address bar. This moniker stands for "Hypertext Transfer Protocol," and is the conventional way to transmit information over the Internet.
However, a website that is secured with an SSL certificate will display "https://" before the address. This stands for "Secure HTTP."
2. You will also see a padlock symbol on the top or bottom of the Internet browser (depending on which browser you are using).
3. Often, you will also notice a trust mark displayed on the website itself. Examples are the Norton™ Secured Seal, the Thawte Trusted Seal, and the GeoTrust True Site Seal. When you click on the seal or the padlock symbol, it will display details of the certificate with all the company information as verified and authenticated by the CA.
4. If the website is utilizing Extended Validation SSL (EV), the authenticated organization name is prominently displayed and the address bar turns green. If the information does not match, or the certificate has expired, the browser displays an error message or warning.
Where Would I Use an SSL Certificate?
The short answer is that you should use an SSL certificate anywhere that you wish to transmit information securely. Here are some examples:
- Securing communication between your website and your customer's Internet browser
- Securing internal communications on your corporate intranet
- Securing email communications sent to and from your network (or private email address)
- Securing information between servers (both internal and external)
- Securing information sent and received via mobile devices
Encryption Protects Data During Transmission
In the same way that you lock and unlock doors using a key, encryption makes use of keys to lock and unlock your information. Unless you have the right key, you will not be able to "open" the information.
Each SSL session consists of two keys:
- The public key is used to encrypt (scramble) the information.
- The private key is used to decrypt (un-scramble) the information and restore it to its original format so that it can be read.
When a web browser points to a secured domain, a level of encryption is established based on the type of SSL Certificate as well as the client web browser, operating system and host server's capabilities. That is why SSL Certificates feature a range of encryption levels up to 256-bit.
Strong encryption, at 128 bits, can calculate 2^88 times as many combinations as 40-bit encryption. That's over a trillion times stronger. To enable strong encryption for the most site visitors, choose an SSL Certificate that enables 128-bit minimum encryption for 99.9 percent of website visitors.
Follow a Secured Transaction, Step by Step
When a browser encounters SSL, the following steps occur:
1. A browser attempts to connect to a website secured with SSL.
2. The browser requests that the web server identify itself.
3. The server sends the browser a copy of its SSL Certificate.
4. The browser checks whether it trusts the SSL Certificate. If so, it sends a message to the server.
5. The server sends back a digitally signed acknowledgement to start an SSL encrypted session.
6. Encrypted data is shared between the browser and the server.
Trust Seals Show the World That You're Secure
A trust seal is a logo that you display on your website to verify that you have been validated by a particular certificate provider and are using their SSL certificate to secure your site. Examples of trust seals are:
Trust seals are most effective on pages where customers are about to enter their personal information, such as a shopping cart page. They can also be displayed on every page to help build customer confidence.
Examples of effective trust seal placement:
1. Your Home Page
Make it easy for customers to trust you by posting the trust seal near the top of your home page where visitors will see it without scrolling.
2. Next to Action Buttons
Turn website visitors into customers by giving them the confidence to sign up, share, and shop online. Display the trust seal where customers submit or enter information online.
3. Pre-Payment Pages
Give customers the confidence to pay online instead of calling or mailing in their order. If your payment pages are hosted by a 3rd party, post the trust seal before payment pages where they browse products or select services.
4. Your Professional Identity
No matter what page your customers visit, show them that your organization and website have been verified by the Certificate Authority displayed in the footer of every page.
When you request an SSL certificate, a third party issuer verifies your domain ownership and (depending on the type of SSL certificate) your business information before issuing a unique certificate to you with that information.
Certificate Authority (CA)
A Certificate Authority is an entity that issues digital certificates to organizations or people after validating them. Certification Authorities keep records of the SSL certificates they issue and the criteria they used to issue them. They are audited regularly to make sure that they are following defined procedures. Because the CA vouches for your authenticity, trust in a certificate can depend a lot on the reputation of the CA who issued it.
Certificate Management Console
A Certificate Management Console centralizes the management of SSL certificates for the purposes of installing, revoking and reissuing them. Some provide reports, enabling businesses to reduce risk, costs, and operational inefficiencies.
"Un-scrambling" information and putting it back in its original format.
Domain Validation (DV)
A Domain Validated certificate is considered a basic-level SSL certificate and can be issued quickly. The only verification check performed is to ensure that the applicant owns the domain (website address) where they plan to use the certificate. No additional checks are done to ensure that the owner of the domain is a valid business entity.
Information is "scrambled" so that it cannot be used by anyone other than the person for whom it is intended.
Express renewal automates the renewal process, eliminating the need to generate a new CSR and to reinstall the SSL certificate.
Extended Validation (EV) SSL
Extended Validation (EV) SSL certificates offer the highest industry standard for authentication and provide the best level of customer trust available.
When consumers visit a website secured with an EV SSL certificate, the address bar turns green (in high-security browsers) and a special field appears with the name of the legitimate website owner along with the name of the security provider that issued the EV SSL certificate.
It also displays the name of the certificate holder and issuing CA in the address bar. This visual reassurance has helped increase consumer confidence in e-commerce.
A mathematical formula, or algorithm, that is used to encrypt or decrypt your information. In the same way that a lock with many different combinations is more difficult to open, the longer the length of the encryption key (measured in number of bits), the stronger the encryption.
Malware scanning reviews the public web pages under your hostname to detect malicious code.
Organization Validation (OV)
Sometimes called Business Validation. Taking slightly longer to issue, these certificates are only granted once the organization passes a number of validation procedures and checks to confirm the existence of the business, the ownership of the domain, and the user's authority to apply for the certificate.
Similar to a wildcard certificate, the SAN (Subject Alternative Name) or UC (Unified Communications) SSL certificate allows you to add up to 100 domain names to a single SSL certificate.
For example, you can secure all these domains with a single SAN certificate:
SAN may also be used for:
- Servers within your intranet by name (for example, "server.local" or "faxtool")
- Hostnames (for example, "mailserver")
SAN is an optional feature that you can add to your single-server SSL certificate.
A service offered by Symantec SSL that puts the Norton™ Secured Seal next to your link in search results of browsers enabled with security plug-ins, as well as on partner shopping sites and product review pages.
Server-Gated Cryptography (SGC)
Even though an SSL certificate is capable of supporting 128-bit or 256-bit encryption, certain older browsers and operating systems still cannot connect at this level of security.
SSL certificates with a technology called server-gated cryptography (SGC) enable 128- or 256-bit encryption for over 99.9 percent of website visitors. Without an SGC certificate on the Web server, browsers and operating systems that do not support 128-bit strong encryption will receive only 40- or 56-bit encryption. Users with certain older browsers and operating systems will temporarily step up to 128-bit SSL encryption if they visit a website with an SGC-enabled SSL certificate.
Also called a Trust Mark. A seal issued by a Certificate Authority to a business or entity for display on its website. Trust seals confirm a business's identity and demonstrate to customers that the business is concerned with security.
Vulnerability assessment is an automatic scan of public-facing web pages looking for critical vulnerabilities and security issues.
A domain name is often used with a number of different host names in front of it (subdomains). For this reason, you may employ a Wildcard certificate that allows you to provide full SSL security to any host of your domain.
For example, you can secure all these subdomains with a single Wildcard certificate:
- www.mybusiness.com
- mail.mybusiness.com
- email.mybusiness.com
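As an added example (not code from the original page), the following Python shows the two checks behind the browser warning described earlier and the Wildcard and SAN entries above: whether a name on the certificate covers the host being visited, and whether the certificate is inside its validity period. The function names and the sample certificate are assumptions constructed for illustration, and trust in the issuing CA is not checked here.

```python
import ssl


def name_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname.

    A wildcard counts only as the whole left-most label and stands for
    exactly one label: *.mybusiness.com covers www.mybusiness.com but
    not mybusiness.com or a.b.mybusiness.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Need two fixed labels after the wildcard, so "*.com" is refused.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def check_certificate(cert, hostname, now):
    """Return the reasons a client would warn; an empty list means OK."""
    problems = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(n, hostname) for n in names):
        problems.append("name mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems


# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.mybusiness.com"), ("DNS", "mailserver")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
MID_2024 = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")
LATE_2025 = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")

if __name__ == "__main__":
    for host in ("www.mybusiness.com", "mail.mybusiness.com", "mybusiness.com",
                 "a.b.mybusiness.com", "mailserver", "www.example.org"):
        print(host, check_certificate(SAMPLE_CERT, host, MID_2024) or "ok")
    print("after expiry:", check_certificate(SAMPLE_CERT, "www.mybusiness.com", LATE_2025))
```

A Wildcard entry such as *.mybusiness.com does not cover the bare domain mybusiness.com or deeper names such as a.b.mybusiness.com, so those need their own entries on the certificate.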