SSL Certificates: What They Are, Why They're Important & Steps To Arm Your Website With One

If you've ever created or managed a website, you've probably come across the phrase "SSL certificate". If your browser flags a page as "Not Secure", it is telling you that the website lacks an SSL certificate; when you see a lock in the browser's address bar, the website has one.


If you are not familiar with the concept of SSL and the term "SSL certificate" is totally foreign to you, take a few minutes to understand what is involved in this important internet technology.

What is SSL?

SSL is an acronym for Secure Sockets Layer - a cryptographic protocol designed to provide security to communications that happen over a computer network. SSL protects data in transit by encrypting it.

Understanding encryption

You've probably heard stories about hackers who could read internet traffic simply by using something called a "packet sniffer": a computer program, or a piece of computer hardware, that can intercept and log the traffic passing over a computer network.

Wireshark is a tool for analyzing data packets and can be used to read unencrypted traffic easily.

Here's an analogy to help understand why encryption is needed. Let's say I wrote a message on a piece of paper with an address on it showing where to deliver it, then handed it to you and asked you to deliver it. If the message was in plain text, anyone could read it from the time it left my hands until it reached its destination. There would be no privacy and no security regarding the contents of my message.

Encryption converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. In our analogy, the message would be encoded in ciphertext, something that could only be read by the person at its destination.

The evolution of SSL

In the early days of web browsers, Netscape Communications developed the original SSL protocols in 1994.

Technically speaking, the SSL protocol was deprecated with the release of TLS (Transport Layer Security) in 1999. TLS is defined by the Internet Engineering Task Force (IETF) standards, the same organization involved with many other internet protocol standards. 

TLS not only encrypts data in transit but also requires a "handshake" between the two authorized parties to the connection before it delivers its message. This is to verify that the message is being delivered to the proper destination.

Essentially, a handshake protocol is an agreement to communicate while adhering to certain security standards.

Nonsecure sites that don't use SSL technology show up in a web browser with a URL starting with HTTP (Hypertext Transfer Protocol). A site is considered secure when the browser shows the site URL beginning with HTTPS (Hypertext Transfer Protocol Secure) and a closed padlock icon to the left of the URL. Technically, the current protocol is HTTP over TLS.

Don't be confused by the term "SSL": it is used generically to refer to the various protocols that secure communications between web browsers and servers, and in practice it usually refers to TLS rather than the original SSL protocol.

What's in a handshake?

Every TLS connection begins with a "handshake" that determines just how two parties to an internet connection shall encrypt their communications.

The handshake determines what cipher suite, a pre-existing selection or kit of agreed-upon components, will be used to encrypt their communications. The handshake also verifies the server and establishes a secure connection before beginning the actual transfer of data.

What is an SSL certificate?

An SSL certificate authenticates the identity of a website. It contains the certificate holder's name, the certificate's serial number, and the expiration date given by an SSL provider. 

The SSL certificate also includes the information necessary for encryption: a copy of the certificate holder's public key and the digital signature of the certificate-issuing authority.

In the same way that your personal passport may only be issued by the country’s government officials, an SSL certificate is most reliable when issued by a trusted Certificate Authority (CA).

Why are SSL Certificates important?

SSL Certificates assure increased privacy through various types of encryption and verify the integrity of the website by an independent trusted Certificate Authority (CA).

In order to accept credit card information on your website, you must comply with the Payment Card Industry (PCI) standards such as properly using an SSL Certificate.

SSL Certificates are not just for financial transactions; today every site, whatever its purpose, is expected to have SSL enabled.

Web browsers have started telling you when the site you are visiting is not secure. Sure, it's easy to bypass the warnings, but many web surfers will turn away from a website that their browser tells them is not secure.

In 2016 the Electronic Frontier Foundation started a campaign calling on all web site owners to implement HTTPS by default.

With the trend to make HTTPS the standard, the use of HTTPS is now part of Google's search ranking algorithm: sites that are not secure are ranked lower than those that are.

How to choose a vendor for SSL Certificates

There is no one size fits all answer to the question of who should you choose for SSL Certificates. Just as choosing a web hosting company involves evaluating many costs versus benefit factors, choosing a vendor for SSL Certificates involves a similar decision-making process.


If you have a good relationship with your web hosting company, check with them to see what they offer in the way of digital certificates. Also, be aware that companies in a regulated industry may face specific requirements that dictate the type of SSL certificate they need.

If you just have a small personal site, many hosting providers support "Let's Encrypt," a free, automated, and open certificate authority (CA).

What does an SSL Certificate Cost?

Like most questions in the world of technology, it is very difficult to give a one-size-fits-all answer to the "what will it cost" question for an SSL Certificate. You can find a free SSL certificate, or spend as much as a few thousand dollars for a year of service. Prices are typically based on one year of service paid annually, with discounts for multiyear purchases.

On one end of the spectrum, you have Let's Encrypt, a non-profit certificate authority run by the Internet Security Research Group that offers free, automated DV certificates with RSA 2048-bit keys. At the upper end of the spectrum, you have companies like Symantec offering top-of-the-line services at top-of-the-line prices.

Domain Validated (DV) Certificates are the most basic SSL certificates with the lowest level of assurance. DV Certificates are suitable for individual bloggers and website owners who don’t rely on interaction from viewers. They are usually issued within minutes and you only need to verify that you own the domain.

Organization Validated (OV) certificates are more expensive than Domain Validated (DV) Certificates and you need to verify your domain and organization’s identity.

Extended Validation (EV) Certificates provide the highest level of trust and assurance and, as you would expect, are the most expensive. Before issuing an EV SSL certificate, the Certificate Authority (CA) carries out a thorough validation process to verify that you are actually a legitimate business.

One feature that runs up the price of an SSL certificate is the warranty that covers anything that goes wrong on the Certificate Authority's end. At the lower end of the spectrum warranties typically start at $10,000 (USD) and can run as high as over $1 million (USD).

Why is SSL an important internet technology?

When the World Wide Web started delivering documents across the internet in the mid-1990s the standard delivery vehicle was HTTP, HyperText Transfer Protocol.

Like most internet technologies there is an ongoing evolution of improvement and refinement. For all practical purposes, the use of HTTP is being replaced with the improved Hypertext Transfer Protocol Secure (HTTPS) using Transport Layer Security (TLS).


If you ignore the evolution from HTTP to HTTPS, you will lose traffic as web surfers will avoid your site because their browsers will scare them, telling them your site is not secure.

There may even be a time when sites not using HTTPS will be banned or blocked entirely.

The evolution of HTTPS and SSL assures the increased privacy and integrity of data transmitted by web sites. The use of digital certificates further ensures that you are communicating with the intended website. These are all issues of importance as the web becomes a vital communications and commerce tool of the 21st century.

Converting Your Site From HTTP to HTTPS

If you are looking to purchase an SSL Certificate to set up a secure website, you need to be prepared to change your website from HTTP to HTTPS.

The conversion from HTTP to HTTPS should be a relatively simple process. The ease of this process depends on a few things.

Delivering web pages over HTTPS is considered the standard method, but don't assume your host is capable of delivering an HTTPS website. Most popular hosting companies have detailed instructions on converting your site from HTTP to HTTPS, and in most cases it is just a matter of doing your homework.

The same goes with your site-building and site management tools. If you are using a standard content management system such as WordPress there are easily found instructions on switching over to HTTPS. 

Most content management systems will do the work of automatically redirecting all server traffic to the new secure HTTPS protocol. The major issue with going from HTTP to HTTPS is that any hard-coded http:// URLs will now point at pages that have moved. Testing your site immediately after the change, and alerting your users before it, will ease the pain of unexpected broken links.

When researching what you need to do to convert from HTTP to HTTPS you will run across information on "301 redirects."

301 redirects

A 301 redirect is a permanent redirect from one URL to another.

In the case of going from HTTP to HTTPS, it is used to alert search engines that a change to your site has occurred and that they will need to index your site under the new protocol.

Treat converting your site from HTTP to HTTPS like a major software update. If you do your homework it should be a fairly easy process, but think about the timing. Would you do a major software update when your website was at its peak? Make your clients and staff aware of a scheduled update, and do it at a time when a few glitches will be easy to manage.
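As an added example, not code from the article, here is a minimal plain-HTTP listener that answers every request with a 301 to the same path on HTTPS, plus a check that the Location header preserves the path and query string so old links keep working. The host name is a constructed placeholder.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Host name the HTTPS site is served under (constructed placeholder).
HTTPS_HOST = "www.example.com"


class RedirectToHttps(BaseHTTPRequestHandler):
    """Answer every plain-HTTP request with a permanent (301) redirect to HTTPS."""

    def do_GET(self):
        self.send_response(301)
        # Keep the original path and query string so bookmarks and deep links still resolve.
        self.send_header("Location", f"https://{HTTPS_HOST}{self.path}")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET  # crawlers often probe with HEAD; treat it the same way

    def log_message(self, *args):  # silence per-request logging
        pass


def start_redirect_server():
    """Bind the redirect listener to an ephemeral localhost port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), RedirectToHttps)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def check_redirect(port, path):
    """Request `path` over plain HTTP and return (status code, Location header)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location


if __name__ == "__main__":
    server, port = start_redirect_server()
    print(check_redirect(port, "/blog/post?id=7"))  # (301, 'https://www.example.com/blog/post?id=7')
    server.shutdown()
```

A real deployment puts this redirect in the web server's own configuration rather than in application code, but the check is the same: a 301 whose Location is the https:// version of the identical path.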


About the author: Tom Peracchio