Guide To All Things SSL: Secure Sockets Layer Past, Present and Future
SSL makes the interaction or connection between your website and the user’s browser secure. Any information or data sent between the two whether as a loaded webpage, form submission or download is encrypted during the transmission process.
SSL does not prevent your website from being hacked or attacked in any way. SSL only encrypts and secures transmissions between the website and the browser.
Simply put, that little “s” in the browser after the “http” means the connection to the browser and website is secure and any data transmitted whether purchase details, download or survey is encrypted and secure.
Google prefers secure websites and offers better search engine rankings to sites that are secured with an SSL certificate. That’s good enough reason to get one right there!
Origin Story of SSL
Everything has an origin story (even the toothpick). The story of how SSL came to be begins back in 1994 when Netscape first started testing the original version.
SSL 1.0 had serious issues and was never released to the public. By mid 1995 Netscape fixed the problems and released SSL Version 2.0.
But Why Did We Need It?
The mid 1990s gave rise to Ace of Base and Boyz II Men, but also to the need to secure data transmitted between a website and the user’s internet browser. This is known commonly as transport security. The exchange of information between the two platforms caused a security hole that fraudsters and hackers could (and were) already getting to know.
So We’re Using That SSL Today?
No. The SSL we use today, including the SSL certificates you need to secure your site, are actually not Secure Sockets Layer. That was discontinued, but the name stuck and is still used to this day.
SSL is a strong marketable name with a built-in level of consumer confidence, but these days SSL is just a name. Now SSL is actually TLS or Transport Layer Security.
What’s The Difference between TLS and SSL?
TLS (the new SSL) is safer and more secure and considerably faster. It was first introduced as a base-level upgrade to SSL Version 3.0 in 1999. The new upgrade was superior, and the technology used was more advanced. By 2015 SSL 3.0 was fully deprecated and TLS took its place.
TLS offered a number of technical improvements over SSL, including:
- The addition of cipher-suite-specified pseudorandom functions (PRFs)
- Addition of AES cipher suites, which is considered the base requirement of military-grade encryption
- The removal of IEA and DES cipher suites, which were outdated.
- Integrated protections against Cipher Block Chaining (CBC) attacks.
- Removal of SHA-1, MD5, RC4, DES, and 3DES all of which were considered unsafe legacy technologies.
- Encryption of SNI information for better privacy.
- The inclusion of a new signature standard (RSA-PSS).
- An optimized single round-trip handshake process requiring less resources (meaning fewer opportunities for data theft) between the site and browser.
Example Of A Common Attack Without SSL
A hacker gains access to your server through a vulnerability or hole in any number of places and leaves an undetectable tiny listening application behind. The program monitors silently in the background and once a visitor starts typing information on a contact form or checkout page, the application captures every keystroke and sends it to the hacker.
This type of common hack is known as a man-in-the-middle attack because it intercepts everything without your knowledge. It takes advantage of your site and the trust your visitors and customers have in your brand.
With SSL this type of attack is easily prevented because all data that your customer types into any form on your site is secured and transmitted in encrypted format. The man-in-the-middle agent can’t read any of it. The attack is foiled.
Types Of SSL Certificates
SSL certificates are broken down by the level of validation and encryption or by the number of domains secured.
There are essentially two types of secure certificates; encryption and validation and domain.
Each certificate type has three classifications or options:
- Encryption and validation certificates offer domain, organization/individual or extended validation.
- Domain certificates are available in single, multidomain, and wildcard.
When you apply for a certificate, it’s processed by a Certificate Authority (CA). Ever wonder who they are? Don’t bother looking for them. The CA is specially designed software to analyze, run and grant secure certificates.
As with most things in life, it all comes down to validation and the process used to get there. To what level is the site validated, meaning how trustworthy is the site? How much effort did the CA (that impressive software) go through to validate the subject information?
Let’s look at the validation options, in order of trust and validation (least to most expensive):
- Domain Validation (DV) is the lowest level of validation, and verifies that the certificate request was made by and for the domain owner.
- Organization or Individual Validation (OV) verifies the identity of the organization (e.g. a business, nonprofit, or government organization) of the certificate applicant. Individuals may purchase an Individual Validation proving the identity of the business owner or person when an organization is not involved.
- Extended Validation (EV), like OV, verifies the identity of an organization. However, EV represents a higher standard of trust than OV and requires more rigorous validation checks to meet the standard of the CA/Browser Forum’s Extend.
SSL Certificates Breakdown
You get what you pay for, most of the time. SSL certificates aren’t much different. A free SSL certificate through your host (including ServerWise) is fully secured and provides encrypted communication like any other, but it’s a domain-level validation, meaning no other information is required. It works, and it’s safe, but it’s limited. Although, it meets the needs of over 70% of websites and businesses.
Domain Validation (DV)
DV certificates are the lowest cost and lowest level of validation. They appear as the lock in the browser. They do exactly what their name suggests – validate the domain using only the domain name itself. As such, these certificates don’t include subdomains.
The process to get a domain validated certificate is straight-forward. You simply need to prove that you own the domain. During the sign-up process, the CA will email the address listed in the domain’s Whois record. Typically, the CA exchanges confirmation email with an address listed in the domain’s WHOIS record.
Alternatively, the ownership of the domain can also be validated by uploading a CA-provided verification file to the website or by adding a specific record (A or TXT) to the domain’s DNS.
Once control of the domain is confirmed, the certificate is created and released to the domain owner. This process usually takes only 5 minutes and pricing can be as low as nothing (free like the SSL certificates ServerWise provides to all clients) to $49.
Organization or Individual Validation (OV)
The middle tier, the OV or IV certificates, require more validation than just domain validated certificates, but provide more trust. With more trust often comes more buyer confidence. For these types, the CA will verify the actual organization or individual person that is attempting to get the certificate.
Obtaining this certificate is a two-step process. First, the CA will verify the owner of the domain (like with the DV certificates). Once confirmed, the CA will verify that the organization or individual owner of the domain is operating legally.
The site will have a lock in the browser, and the certificate will now include the actual name of the domain’s owner, whether an organization or individual.
OV certificates are frequently used by corporations, educational institutions and agencies to extend an additional layer of confidence and trust to site visitors.
OV or IV certificates cost $69 to $149 annually, depending on the issuing brand.
Extended Validation (EV)
The most expensive SSL certificate carries the highest level of validation and is best suited for e-commerce and large businesses. Individuals do not qualify for an EV certificate.
This certificate shows the padlock (like the other two), HTTPS and business name (like OI or IV) but also includes the business address.
The process to receive an extended verification certificate is, for lack of a better word, extended. Several documents must be provided that prove the business is legitimate and legal, along with one notarized letter from a Certified Public Accountant (CPA). Once you submit the requested information, the issuer will begin the verification and validation process. This process takes time and will include verifying each of the following:
- DBA Name (if applicable)
- Domain Ownership
- Identity of Signatory Authority – the name, title, position and signature of the person representing the company or organization who filed the documents and agreed to the terms and conditions.
- Legal Existence and Identity
- Operational Existence – typically this involves verifying that the company has an active account and is in good standing with a financial institution.
- Physical Existence
This certificate is the most expensive and time-consuming, with pricing from $300 to $650 a year.
A standard Domain Validation (DV) certificate secures only the main domain of the website: serverwise.com. If you use subdomains such as mail.serverwise.com, blog.serverwise.com or login.serverwise.com, a Wildcard SSL certificate may simplify things.
A wildcard is an extension of the DV, but also includes an unlimited number of subdomains on the website.
Pricing varies considerably based on the brand, with the average around $320 annually.
Multi-Domain or Unified Communications Certificate (UCC) or Subject Alternative Name (SAN)
Though it’s known by several names depending on which company or brand, this certificate provides the highest level of encryption on multiple domains.
Think of this as a specialty Extended Validation certificate that will automatically cover up to 500 domains. Most issuers support up to 100 domains, with a few providing support for up to 500.
This SSL certificate is commonly known as a “binder certificate” as it allows a domain owner to bind multiple different certificates including Wildcard SSL certificates into a mega certificate. This allows up to 500 Subject Alternative Names to be secured.
Below are some popular examples of domains one could secure with this single certificate:
Pricing varies heavily, as such, an average range is unattainable and would be unfair. The price will depend on the issuing brand of the certificate and quantity and type of add-ons, as all bound domains are in addition to the base certificate itself.
Where To Buy SSL Recommendations
We tested Smush Pro CDN, WPMU DEV and Bunny.net and switched to Bunny CDN with no regrets. Faster, flexible, no WordPress plugin required and cheaper. Let me explain. Keep Learning >
Building backlinks is often seen as a job to itself and in some ways it can be. But I’m going to walk you through a few actionable steps you can take starting right now to begin your backlinks building campaign and increase your site rankings. Keep Learning >