SSL, or Secure Sockets Layer, is a security technology that establishes an encrypted link between a server and a client. In the case of websites, this secure link is established between the host server (the website host) and the browser (e.g. Firefox). Generally, when data is sent between the server and the client, it is sent in plain text. SSL encrypts this information, making it “unreadable” to an attacker who is eavesdropping on the connection.
This is extremely important when transferring data that is sensitive. Things like credit card numbers, social security numbers, and login credentials are all sent as plain text like all other information. Without encryption, this data has a higher chance of being intercepted and used by a potential attacker.
In today's environment, most information is sent digitally to some extent. Things like job applications, purchases, and even business dealings all contain sensitive information and are passed from server to server until they reach their final destination. If you run an online store, or collect information from your visitors, it is highly recommended that you ensure you have an SSL certificate for your website.
When a visitor goes to your website, the browser will begin an attempt to access the website. A website with an SSL certificate will initiate a process called an “SSL Handshake.” This process is completely invisible to the user, but it sets up the connection using three keys: a public key, a private key, and a session key. When data is transmitted between the browser and the server, anything encrypted with the public key can only be decrypted with the private key, and vice versa. Because public-key encryption takes a large amount of processing power, a session key is created for this one session and used to encrypt and decrypt all transmitted data, but only once the server has identified itself and the connection is confirmed as secure. More detail about this process is outlined below:
- The browser connects to a web server (the website) and requests that the server identify itself.
- The server sends a copy of its SSL certificate along with the server's public key.
- The browser verifies the certificate and its public key, checking that it is unexpired, unrevoked, and valid for the website it is connecting to. If everything checks out, the browser sends back a symmetric session key, encrypted with the server's public key, to set up a secure connection.
- The server recovers the session key using its private key and sends the browser back an acknowledgement, encrypted with the session key, to start the secure session.
- All transmitted data is now sent using the secure session key.
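As an added example (not part of the original article), the checks the browser performs in the third step above, written out in Python against a constructed certificate dict in the same shape Python's `ssl` module returns from `getpeercert()`; the host names and dates are made up, and revocation (CRL/OCSP) is deliberately left out because it needs a network lookup.

```python
import socket
import ssl

# Constructed sample certificate, shaped like ssl.SSLSocket.getpeercert() output
# for a verified peer; every value here is made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.shop.example.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match hostname against a SAN DNS entry, allowing one leftmost wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the whole leftmost label, must not stand in for more
    # than one label, and must not match a bare second-level name.
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def check_peer_cert(cert: dict, hostname: str, now: float) -> list:
    """Return the problems found; an empty list means the certificate passes.

    Covers two of the browser's checks: the certificate must be inside its
    validity window, and it must be issued for the host being visited.
    """
    problems = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate is not yet valid")
    if now > not_after:
        problems.append("certificate has expired")
    dns_names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_dns_name_matches(name, hostname) for name in dns_names):
        problems.append(f"certificate is not valid for host {hostname!r}")
    return problems


def live_peer_cert(host: str, port: int = 443) -> dict:
    """Fetch a real server's certificate after a verified handshake (needs network)."""
    ctx = ssl.create_default_context()  # performs expiry, chain and hostname checks itself
    with ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host) as sock:
        return sock.getpeercert()
```

`live_peer_cert` shows where the same checks happen for a real connection: `ssl.create_default_context()` rejects expired, untrusted, or mismatched certificates before `getpeercert()` ever returns.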
Though all SSL certificates have the same level of encryption, they do differ in validation levels. Certificate Authorities (CAs) are in charge of verifying the identity of the person or company behind the website. Generally speaking, they offer three different levels of validation: Domain Validated (DV), Organization Validated (OV) and Extended Validation (EV).
Domain Validated Certificates have the least validation requirements when an SSL certificate is issued to a website. Usually, a website only needs to confirm domain ownership to the CA and a certificate is issued. Benefits of a DV SSL certificate include the speed of issuance and the low cost to the business. DV SSL certificates only take seconds to validate and can be issued almost immediately. This certificate is suitable for blogs, personal websites, and websites for small businesses. They don’t offer the most protection for their users, since they only verify ownership of a domain, but they will secure the transmission of information between the two parties. In other words, a third party can’t intercept information submitted to your website.
Organization Validated Certificates offer a middle ground between Extended Validation and Domain Validated Certificates. An OV SSL certificate is only issued after a CA has checked your domain ownership along with some basic details about your organization. These details may include your organization's name and location. The issuance of this certificate does take longer, as the CA has to verify your organization’s identity, but it does allow the site's users to verify that their information is only being shared with the intended organization. This type of certificate is best for companies that collect sensitive information from their users directly on their site. For small business shops that use an outside payment processor (e.g. Square), the payment processor most likely uses its own SSL certificate, so your website isn’t directly collecting this information.
An Extended Validation Certificate (EV) requires the most validation before issuance. The EV SSL requires the CA to check your physical and legal existence on top of the requirements set by DV and OV SSL certificates. Though this offers the most rigorous level of validation, it also comes at a hefty cost. Because of that cost, it is best recommended for websites that regularly collect sensitive information from their visitors. Again, if you use an outside vendor to collect this information, they are most likely using their own SSL certificate.
In conclusion, SSL, or Secure Sockets Layer, is a vital technology that establishes an encrypted link between a website host and a browser, protecting sensitive information from being intercepted by potential attackers. It is important for all businesses and individuals who collect information from their website visitors to ensure they have an SSL certificate for their website. SSL certificates differ in validation levels, with Domain Validated (DV) being the quickest and least costly option, Organization Validated (OV) offering a middle ground, and Extended Validation (EV) being the most thorough option. Regardless of the validation level, all SSL certificates provide the same level of encryption to secure the transmission of information between the website host and the browser. It is crucial for website owners to understand the importance of SSL certificates and to make sure their sites are properly protected.