Secure Sockets Layer (SSL) is a protocol that encrypts and authenticates data between networked machines. Think of visiting a secure site, such as your online bank account. Having that kind of sensitive information online requires security protocols to keep your information safe.
To keep your information secure, your information is encrypted on your bank’s server. The data is sent to your computer only after a successful SSL handshake has been performed. A SSL handshake occurs when a user sends their credentials (username and password) to the server.
Once the credentials check out, the user is presented with their bank information. The process of checking to make sure the user is who they say they are is known as authentication. After the user is authenticated, the browser session is then encrypted via SSL, and the information can be exchanged between server and computer safely.
Why do we have to go through authentication and encryption? Can’t we just send a request to the server and get our information back?
In theory, yes we could just set up direct requests and responses between server and computer. Remember, as fun as the internet is, it can also be a scary place for personal data. By encrypting the session, we can be assured that any unauthorized parties will not have access to our data.
Authentication is another step in added security. By ensuring a user’s username and password match what is stored in the web app’s database, we can be sure the user is who they claim to be. Once they are cleared for access, the data is encrypted before being sent to the user, which protects sensitive information from prying eyes.
With the rise in confidential information running the daily risk of being compromised, SSL encryption has become a necessity.
SSL Secured Websites
How do we know the sites we visit are secured? Looking at our browser, an icon of a locked padlock to the left of the address bar is one way. Another way is if the address begins with an https:// protocol. The “s” indicates a secure connection.
Securing a website via SSL requires the domain owner to go through a publicly trusted certificate authority (CA). The CA validates the domain owner’s credentials and upon approval issues a certificate to be installed on the server. This certificate is implicitly trusted by web browsers and operating systems.
Now that the CA has issued and signed the certificate, the handshake process as described above is set in motion. When that handshake is successfully implemented, the user can now confidently send private information such as credit card numbers or social security numbers through the encrypted session.
Types of Certificates
There are a few different certificates available from a CA. For encryption and validation certificates, there are extended validation, organization, and domain. There are certificates available by the domain number and are single, multidomain, and wildcard.
The extended validation certificate offers the highest level of encryption. An extended validation domain will display the padlock icon, the https:// protocol, and the country where the business operates. This option is highly recommended for businesses handling web payments or the exchange of confidential information.
With the extended validation certificate, the domain owner must prove they are authorized to own the domain. Once approved, the browser will display the padlock icon and https:// protocol in the address bar. Users then know that the site is legally collecting their data and encrypting it to the highest security standards on the web.
As you might assume, this high level of security also comes with a more expensive price tag. For smaller businesses or organizations with less financial resources, an Organization Validated certificate may be a better fit.
Organization Validated Certificate
The Organization Validated certificate provides a level of encryption just below the Extended Validation certificate. It validates the organization by first verifying the owner of the domain. Once the owner is proven to be authorized, the CA then checks that the organization is operating legally.
If these two conditions are met, the Organization Validated Certificate will provide a moderate level of encryption. The icon in the address bar will be a green padlock. This certificate is recommended for organizations that don’t require the heavy encryption of the Extended Encryption certificate.
Domain Validated Certificate
This certificate offers the lowest level of encryption and is the quickest to apply for. The Domain Validated certificate reviews the ownership of the domain. This process does not require the authentication of identity.
If your business or organization is a small operation and needs some encryption for a single domain, this option will work. It’s worth mentioning again that a site that receives sensitive information should be encrypted with the Extended certificate.
Single Domain Certificates
A Single Domain certificate refers to the amount of domains and subdomains encrypted with a single certificate. As the name implies, only a single domain, and no subdomains are covered here. This option works for entry-level encryption services.
Multi Domain Certificates
Multi Domain Certificates cover up to 100 domains and subdomains with a single certificate. These certificates are also called Unified Communications Certificates. Any level of encryption can be configured with these certificates.
Most companies that need multiple domains to be encrypted are usually the same companies that would benefit from the Extended Validation certificate. An important note with a multi domain certificate is that each domain must be registered to the same owner.
Wildcard certificates cover a domain and multiple subdomains with one certificate. This is a less expensive option than obtaining a single certificate per domain. With this option, you could encrypt your main domain and then the subdomains related to your main domain.
This option works for domains that have a blog or mail subdomain connected to the domain. This certificate would encrypt the domain and the blog and mail subdomains with a single certificate.
In this introduction, we learned what SSL is and how it is used. We then covered the types of SSL certificates and the use cases for each. Now that the concepts of SSL certificates are more familiar, you can investigate further.
Remember, to obtain a certificate, it must be issued through a certificate authority. These are readily found by using your search engine of choice. The type of certificate largely depends on what type of information will be shared with your domain’s server.
With the options available, you can now start to consider which may be right for you.
About us: Career Karma is a platform designed to help job seekers find, research, and connect with job training programs to advance their careers. Learn about the CK publication.