Everything You Need to Know about SSL Certificates
Living in an internet-connected world, it is important to have a basic knowledge of internet standards. A little knowledge goes a long way when it comes to keeping our data safe from malicious hackers. Internet security has many different aspects, but when it comes right down to data transmission over the internet, SSL certificates are the most important among them.
What is an SSL Certificate?
SSL stands for “Secure Sockets Layer”, and it works by encrypting the communication between users and a web server. It is a cryptographic protocol that provides communications security over a computer network. To make it work on your website you need an SSL certificate, also referred to as a digital certificate.
You’ll see SSL in action if you use the web’s most popular websites. For example, go to Google and you will see two things in your browser that show the website has made a secure connection between its web servers and your browser:
- Padlock – Click on this icon to see more details of the certificate and its issuer.
- URL starting with https://
Digital certificates are provided by an entity called a certificate authority or certification authority (CA). A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. In this model of trust relationships, a CA is a trusted third party, trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. Many public-key infrastructure (PKI) schemes feature CAs.
Types of SSL Certificates
There are many different types of SSL certificates, distinguished by the number of domain names or sub-domains they cover and by the level of validation, such as:
– Single certificate: secures one fully qualified domain name or sub-domain.
– Wildcard certificate: secures one domain name and an unlimited number of its sub-domains.
– Domain Validation:
A domain validation certificate is the least expensive and covers basic encryption and verification of the ownership of the domain name registration. This type of certificate usually takes a few minutes to several hours to receive.
– Organization Validation:
In addition to basic encryption and verification of ownership of the domain name registration, certain details of the owner (e.g., name and address) are authenticated. This type of certificate takes a few hours to several days to receive.
– Extended Validation (EV):
Extended validation provides the highest degree of security because of the thorough examination that is conducted before this certificate is issued (as strictly specified in guidelines set by the SSL certification industry’s governing consortium). In addition to ownership of the domain name registration and entity authentication, the legal, physical and operational existence of the entity is verified. This type of certificate usually takes a few days to several weeks to receive.
Why Do You Need an SSL Certificate?
SSL certificates secure the data sent between your server and your user’s computer in a way that cannot be tampered with. This data could be information, login details, or payment information. If properly configured, there is no way a man in the middle can capture your sensitive information. SSL is today used by millions of businesses and individuals to decrease the risk of exposing sensitive information.
SSL From an SEO Perspective
In August 2014, at Google’s I/O Conference, Google initiated the use of HTTPS Everywhere. This initiative was designed to stimulate a wider adoption of HTTPS and highlight the significance of website security.
Last year Google introduced HTTPS as a lightweight search signal in an attempt to raise awareness of online security issues and encouraged webmasters to get SSL certificates. The idea was to make the web a safer place by ensuring encrypted connections and maximum privacy for online users. With this goal still in focus, Google decided to further improve online safety by allowing search engines to crawl HTTPS pages by default. As announced on the Google Online Security blog earlier in December:
“Today we’d like to announce that we’re adjusting our indexing system to look for more HTTPS pages. Specifically, we’ll start crawling HTTPS equivalents of HTTP pages, even when the former are not linked to from any page.”
Best Practices when using HTTPS
Having an SSL certificate on a business website can largely shape the way consumers perceive the company. However, these digital certificates come in different forms and there are many things that should be kept in mind when choosing the right one. Google suggests the following practices:
1. Use only SSL certificates issued by a trusted Certificate Authority (CA)
As mentioned above, digital certificates are issued by a Certificate Authority (CA), which takes steps to verify that your web address actually belongs to your organization, thus protecting your customers from man-in-the-middle attacks. When setting up your certificate, ensure a high level of security by choosing a 2048-bit key. If you already have a certificate with a weaker key (1024-bit), upgrade it to 2048 bits. When choosing your site certificate, remember to get it from a reliable CA that offers technical support.
2. 301 Redirects
Direct your users and customers to HTTPS pages using server-side 301 redirects. To do this task you’ll need to edit your .htaccess file.
3. HTTP Strict Transport Security (HSTS)
Use a web server that supports HSTS technology and make sure to enable it. It tells the browser to request pages using HTTPS automatically, even if the user enters http in the browser’s location bar. It also forces Google to serve secure URLs in the search results. All this minimizes the risk of serving unsecured content to your users.
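The redirect and HSTS practices above can be verified from the responses a site returns. The following Python check is an added example, not code from Google or from this article; the host name shop.example, the sample responses and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample responses for illustration (not captured from a real site).
GOOD = {
    "http": {"status": 301, "headers": {"Location": "https://shop.example/cart"}},
    "https": {"status": 200, "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}},
}
WEAK = {
    "http": {"status": 302, "headers": {"Location": "https://shop.example/cart",
                                         "Strict-Transport-Security": "max-age=31536000"}},
    "https": {"status": 200, "headers": {"Strict-Transport-Security": "max-age=0"}},
}

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():      # malformed value: treat the header as invalid
                return None, False
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit(host, responses):
    """Return findings for the HTTP-to-HTTPS redirect and the HSTS header."""
    findings = []
    http, https = responses["http"], responses["https"]
    target = urlsplit(http["headers"].get("Location", ""))
    if http["status"] != 301:
        findings.append("http: status %d is not a permanent 301 redirect" % http["status"])
    if target.scheme != "https" or target.hostname != host:
        findings.append("http: Location does not point to https://%s" % host)
    if "Strict-Transport-Security" in http["headers"]:
        findings.append("http: HSTS header sent over plain HTTP is ignored by browsers")
    max_age, _ = parse_hsts(https["headers"].get("Strict-Transport-Security", ""))
    if max_age is None:
        findings.append("https: no valid Strict-Transport-Security header")
    elif max_age == 0:
        findings.append("https: max-age=0 removes the HSTS policy instead of setting one")
    return findings
```

In practice the two response records would come from requesting the same path over http:// and https:// without following redirects.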
Where to get a Trusted SSL Certificate
A May 2015 report from Netcraft, the industry standard for monitoring active digital certificates, states that “Although the global ecosystem is competitive, it is dominated by a handful of major CAs — three certificate authorities (Symantec, Comodo, GoDaddy) account for three-quarters of all issued certificates on public-facing web servers. The top spot has been held by Symantec (or VeriSign before it was purchased by Symantec) ever since [our] survey began, with it currently accounting for just under a third of all certificates. To illustrate the effect of differing methodologies, amongst the million busiest sites Symantec issued 44% of the valid, trusted certificates in use — significantly more than its overall market share.”
Here is a list of the top 6 CAs according to a W3Techs survey from April 2016:
If you are looking for a free and secure SSL certificate you might want to check out Let’s Encrypt SSL Certificates.
Thanks for the detailed guide. I need some recommendation from you: I run a fashion blog at blogspot.com and I was wondering if I could have a blog with a .com domain. I have already purchased the domain name from namecheap but I don’t know which web host I should go for. Can you please recommend me one? Thanks again!
If it’s a simple blog I would suggest you go for a shared hosting plan. As for web hosting company, I personally recommend DreamHost. If you have a limited budget and are looking for a low cost solution then I would suggest BlueHost.