Why SSL Matters
SSL has become a big deal over the last few years.
Part of the reason is that buying SSL certificates adds a layer of security. It ensures nobody can spy on data transferred between a server and a visitor’s browser. It essentially offers data and identity protection to both the website owner and the visitor and builds visitor trust.
Today, not having an SSL certificate carries various drawbacks. For one, you get a penalty in Google rankings if your website isn’t secure. Even worse, a number of web browsers send warnings when visiting sites without SSL, practically driving away your visitors.
Getting SSL is a no-brainer. With the advent of Let’s Encrypt, you can easily install a free SSL certificate—you get a ton of benefits and essentially no drawbacks.
So, what’s the deal with paid certificates? All certificates provide the same level of encryption, so it might seem like there’s no reason to pay for one.
The problem with domain validated certificates like Let’s Encrypt is that they only ensure the data transfer is encrypted. They can’t tell users anything about the website or who owns it.
It’s easy to create a scam website and add an SSL certificate to it. In fact, most phishing websites are domain-validated.
So, even though you might have your website secured with cheap SSL, you’re not necessarily letting visitors know you’re legitimate. This is not much of a problem if you’re running a blog. It will raise a few eyebrows if users need to enter their personal info or credit card number, though.
How Organization and Extended Validation Fix This
Enter OV and EV certificates.
Organization validation and extended validation SSL certificates verify your online business exists in the real world. Potential customers can check the certificate and see your organization is registered, which inspires a lot of confidence.
Plus, most paid certificates come with a secure site seal. Users can inspect these to quickly find out more about your company and how it was validated. This puts them at ease when they need to transfer you money.
EV certificates are the most impactful here. They show visitors an instant visual cue that you run a trusted organization. This is in the form of the famed “green address bar.” In fact, most browsers have a different indicator for EV, but let’s not get into that.
The important part is users won’t have to dig around to find out if you’re legitimate. This automatically means better customer retention and higher profits.
In essence, all companies that issue digital certificates secure communication between your server and your visitors with the same level of encryption. They ensure nobody can spy on you and steal valuable information.
OV and EV certificates are pricier and tougher to obtain than DV ones. However, they not only ensure your website is secure but also prove your brand’s identity online. They are essential in appearing as a trusted business, which translates into better conversion rates.
All things considered, an SSL certificate is a must-have. Finding the best SSL certificate for you, however, depends on your website.
How SSL Works
The security aspect of SSL is all about helping a client’s browser establish secure data transmission to and from the server. Here’s how this happens.
The system relies on asymmetric cryptography. It uses a pair of keys to encrypt data.
The keys are two mathematically related numbers. Everything encrypted using the first key can only be decrypted with the second one, and vice versa.
Here’s where stuff gets interesting. One key, called the private key, is only available to the server. Its pair, the public key, is accessible by anyone.
It’s practically impossible to use the public key to find its private counterpart. Even though they are mathematically related, the numbers are huge. Even modern supercomputers would take a few billion years to crack a single private key.
So, anyone can encrypt whatever they want with the public key and send it to the server. Only the server can decrypt and read the data, though. Neat, huh?
Here’s how this works in practice.
Let’s say you want to visit Web Tribunal. The website uses a certificate from a digital certificate provider to enable secure data transmission.
Your browser would contact our server and request the public key. Once it has it, you could send us anything, ensuring nobody but us would see it.
However, you can’t really be sure a website is legitimate just because it provides you with a public key. Anyone could impersonate another site and provide you with a public key of their own. So even though the connection is secure, you can’t really know you’re sending your data to HostingTribunal.
This is why certificate authorities exist. If a website runs, let’s say, Sectigo SSL, the browser would reach out to Sectigo and check the public key against its records.
That is all fine and dandy, but it doesn't solve the problem on its own. If somebody poses as another organization, they could also pose as a trusted certificate authority.
This is why all relevant CAs’ public keys are hard-coded into web browsers like Google Chrome. This ensures nobody can intercept the communication between you and a certificate authority.
Once the website’s public key is validated, the browser knows it can securely send data.
That’s how browsers securely contact a website’s server using asymmetric encryption.
Another problem here is that asymmetric cryptography is slow and requires a lot of processing power. That is why browsers use asymmetric encryption only to send a random symmetric key to the target server.
From there, the session is encrypted with that symmetric key. In other words, one key is used for both encryption and decryption. This provides the same level of security as asymmetric cryptography while being much faster.
After the session is over, the symmetric key is discarded.
TL;DR: The browser gets the public key from the server, validates it with the relevant SSL service provider, and uses it to agree on a symmetric key with the server. From there, the browser can quickly and safely exchange data until the session is over.
A lot more goes into SSL, but that’s the gist of it. It’s a practically foolproof way of securely transferring data on the Web.
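The exchange this section describes, as an added Go example that is not part of the original article: a toy root CA signs a server certificate, the client accepts it only if it chains to a root in its own trust store and is issued for the host being visited, then wraps a random symmetric key with the server's public key, and the message itself travels under AES-GCM with that key. The function names (Issue, Handshake, must), the "Toy Root CA" and "www.example.com" names and the sample message are all constructed for this example. One caveat the article glosses over: modern TLS agrees on the session key with an ephemeral Diffie-Hellman exchange rather than by encrypting it with the server's RSA key, so the key-wrap step below is the article's simplified model, not what TLS 1.3 does on the wire.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue signs a one-day certificate for name over pub with signerKey. With signer
// nil the certificate is self-signed, i.e. a root. Serials are toy values.
func Issue(serial int64, name string, isCA bool, pub *rsa.PublicKey, signer *x509.Certificate, signerKey *rsa.PrivateKey) (*x509.Certificate, error) {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if !isCA { // a server certificate names its host and may not sign other certificates
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	}
	if signer == nil {
		signer = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, signer, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Handshake is the simplified exchange from the text: certificate check, key
// wrap under the server's public key, then symmetric encryption of the data.
func Handshake(roots *x509.CertPool, serverKey *rsa.PrivateKey, serverCert *x509.Certificate, host string, msg []byte) ([]byte, error) {
	if _, err := serverCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return nil, fmt.Errorf("certificate rejected: %w", err)
	}
	// Client: fresh 256-bit AES key plus 96-bit GCM nonce; the key is wrapped with RSA-OAEP.
	buf := make([]byte, 32+12)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	sessionKey, nonce := buf[:32], buf[32:]
	pub := serverCert.PublicKey.(*rsa.PublicKey) // RSA by construction in Issue
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	// Server: only the private key holder can unwrap the session key.
	serverSession, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, wrapped, nil)
	if err != nil {
		return nil, err
	}
	// Both sides now hold the same key: the client seals, the server opens.
	clientAEAD, err := gcmFor(sessionKey)
	if err != nil {
		return nil, err
	}
	serverAEAD, err := gcmFor(serverSession)
	if err != nil {
		return nil, err
	}
	return serverAEAD.Open(nil, nonce, clientAEAD.Seal(nil, nonce, msg, nil), nil)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caCert := must(Issue(1, "Toy Root CA", true, &caKey.PublicKey, nil, caKey))
	srvKey := must(rsa.GenerateKey(rand.Reader, 2048))
	srvCert := must(Issue(2, "www.example.com", false, &srvKey.PublicKey, caCert, caKey))
	roots := x509.NewCertPool() // stands in for the browser's built-in root store
	roots.AddCert(caCert)
	got, err := Handshake(roots, srvKey, srvCert, "www.example.com", []byte("constructed sample: card data"))
	fmt.Println("server read:", string(got), err)
}
```

Running it prints the message the server recovered. The impersonation case the text raises is what the Verify call guards against: a certificate for the same host issued by a root that is not in the pool, or a certificate presented for a different host name than it carries, makes Handshake return an error before any data is sent.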
Types of SSL
Many users are surprised to hear cheap SSL certificates provide the same level of security as $2,000 ones.
Indeed, practically every certificate has the same encryption protocol. Some providers offer stronger encryption technology, but a standard 2048-bit private key is essentially impossible to crack, so there’s little reason for this.
This can cause a bit of confusion. Although all certificates do a similar job of securing data transfers, they do have their differences.
Primarily, SSL certificates differ in the level of validation and in how many domains and subdomains they cover.
Let’s get right to it and see what the options are.
Domain Validated (DV) Certificates
This is the lowest level of validation. The only prerequisite to DV SSL is proving you own the associated domain name. This is usually as simple as receiving an email or uploading a specific file to your website.
The verification process is fully automated. Since computers do everything, this is usually the cheapest SSL certificate. Let’s Encrypt even offers DV SSL for free.
As anyone can get domain validation, though, you’re not really proving your identity. DV certificates are accessible to anyone, even scammers.
Even when you run a legitimate business, a DV certificate will not show customers any info about it. This type of certificate is intended for websites at low risk of fraud, like blogs.
Organization Validated (OV) Certificates
OV was the original SSL validation level. Its purpose is to provide validation that an organization or a business is legitimate.
Someone will manually verify the existence of your business and phone you to confirm the issuing of the certificate. The work that goes into it makes OV pricier than DV certificates.
The certificate authorities here look to prove your organization really exists. They’ll check if it is registered with the proper regulatory bodies and whether it really owns the domain name in question.
This type of validation inspires a lot more trust than DV. After all, customers can see there’s a real company behind the website.
These certificates usually come with a dynamic seal that lets users quickly check who you are and how your organization was validated. You can place this in key places, like the checkout page, to reassure users their private data is in safe hands.
Extended Validation (EV) Certificates
EV certificates are for those who want to go the extra mile in reassuring their customers. This is the highest level of validation.
The validation process requires an expert to go through a lot of legal documentation. This can take a week or more and pegs the price much higher than that of other certificates.
The whole process is much more extensive. The requirements differ from provider to provider, but they’ll typically need some of your legal documents. They also may check if your company is associated with some shady online activity or ask for a professional’s opinion about your business.
This type of certificate is meant to provide reasonable assurance that you are transparent online.
Web browsers usually signify EV websites with some visual cue, like a green address bar or company name next to the URL. This is the best SSL certificate for reassuring users with little knowledge of online security that the website is for real.
While more expensive, this validation level can bring a massive user retention boost. Larger businesses can greatly profit from the validation procedure.
Single Domain
Unless specified otherwise, a standard SSL certificate applies to one domain only. This usually means it can encrypt the www and non-www variations of your domain name, but that’s it.
A single domain certificate doesn’t extend to all subdomains. If you want to cover all subdomains, you need a wildcard certificate. Still, the benefits of wildcard over single domain certificates could be debated.
A single domain certificate is the most affordable SSL type, but it only works on one level and doesn’t secure the underlying subdomains.
WildCard SSL
As opposed to single domain certificates, wildcard certificates secure a domain and all its subdomains.
The benefit is obvious—you can easily secure an entire website even though it has multiple subdomains. If you add more subdomains after the fact, you can reissue the certificate and cover them too.
Wildcards do tend to be a lot pricier than single domain certificates.
One thing to note is that there are no EV wildcard certificates. The whole point of extended validation is to confirm the existence of a company as well as its transparency. Digital certificate providers need to audit each subdomain you put under an EV certificate, or it would compromise the credibility of validation.
If you want an EV SSL for multiple subdomains, you’ll need to get a multi-domain certificate. Then you can apply it to several subdomains as if they were separate domains.
Subject Alternative Name (SAN)/Multi-domain Certificates
As the name suggests, you can use these on multiple domains. You can also apply them to several subdomains if needed.
Unlike wildcards, these certificates are limited. The cap can be anywhere from two domains to a few hundred.
The domain names don’t have to be related to the same website. You can use SAN to secure several domains without having to buy an SSL certificate for each one.
These certificates are obviously pretty useful and a real money-saver if you have multiple domain names. They are also the only way to secure multiple subdomains with an EV certificate.
They can be very pricey if you have many domains on your hands, though.
WildCard Multi-domain Certificates
If you know what wildcard and SAN certificates are, this one is self-explanatory.
It’s a wildcard SSL certificate that can work across multiple domains. It’s fairly cost-effective if you have a bunch of complex sites.
One thing to note about both SAN and wildcard certificates is that the same key pair is used to secure all your domains and subdomains. So, if somebody gets hold of that one private key, your whole operation can be compromised.
These things happen extremely rarely. Still, it’s something to be aware of.
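To make the coverage rules from the Single Domain, Wildcard and SAN sections concrete, here is an added Go example (not from the article) that asks the standard library's hostname matcher which visitor hostnames a certificate with a given Subject Alternative Name list would be accepted for. The hostnames and SAN lists are constructed for the example. It also shows a caveat behind the phrase "all its subdomains": the asterisk in a wildcard matches exactly one DNS label, so *.example.com covers shop.example.com but not api.dev.example.com, and not the bare example.com unless that name is listed as a separate SAN. Whichever list is used, it is one certificate and one private key, which is the exposure the Wildcard Multi-domain section notes.

```go
package main

import (
	"crypto/x509"
	"fmt"
)

// Coverage reports, for each hostname a visitor might type, whether a
// certificate carrying the given Subject Alternative Names would be accepted
// for it. It applies the standard library's hostname matching, the same rule
// a Go TLS client uses when it checks a server certificate.
func Coverage(sans []string, hosts []string) map[string]bool {
	cert := &x509.Certificate{DNSNames: sans} // only the SAN list matters here
	covered := make(map[string]bool, len(hosts))
	for _, h := range hosts {
		covered[h] = cert.VerifyHostname(h) == nil
	}
	return covered
}

func main() {
	// Constructed hostnames: the bare domain, one level of subdomains,
	// a nested subdomain and an unrelated second domain.
	hosts := []string{"example.com", "www.example.com", "shop.example.com", "api.dev.example.com", "example.net"}
	type profile struct {
		kind string
		sans []string
	}
	for _, p := range []profile{
		{"single domain", []string{"example.com", "www.example.com"}},
		{"wildcard", []string{"example.com", "*.example.com"}},
		{"multi-domain", []string{"example.com", "www.example.com", "example.net"}},
	} {
		fmt.Printf("%-14s %v\n", p.kind, Coverage(p.sans, hosts))
	}
}
```

The wildcard profile lists example.com alongside *.example.com for exactly this reason: without the bare name as its own SAN, visitors typing the domain without a subdomain would get a name-mismatch error.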
That covers the common SSL certificate types. Choosing the right one for you is pretty easy once you know what’s out there.
If you’re still unsure what you need, don’t worry. Coming up next, I’ll also cover what to watch out for when looking for the best SSL certificates.