Secure Sockets Layer (SSL) is a cryptographic protocol intended to provide a secure connection. It uses asymmetric cryptography to authenticate the peer and exchange keys, symmetric encryption to preserve confidentiality, and message authentication codes for message integrity.
SSL certificates are data files that cryptographically bind a public key to information about the organization that owns it. Once a certificate is installed on the web server, the browser shows a “lock” icon in the address field and establishes an encrypted connection to the web server over HTTPS.
SSL is commonly used to secure credit card transactions, data transfers, and password logins, and more recently encrypted connections to social networking sites have become the norm as well. SSL certificates bind together information about a domain, server, or host name with an organization identifier (such as the company name) and its location.
Organizations need to install a digital certificate on their web server to maintain secure sessions with visitors’ browsers. Once a secure connection is established, all web traffic between the web server and the web browser is protected.
When the certificate is successfully installed on your server, the application protocol shown in the address bar changes from HTTP to HTTPS, where the “S” stands for “secure”.
The certificate serves as a kind of identity document or pass: the server proves that it really is who it claims to be, and the browser treats it as trustworthy. This is what allows a secure SSL connection. The part of the protocol that validates the SSL certificate is also called the SSL handshake and can be represented as the following sequence of actions:
In place of the user and the browser there may be a service and its servers: the transfer of information between the site and another resource follows almost the same principle.
The main reason SSL is used is to protect sensitive information sent over the Internet and other public networks by encrypting it so that only the intended recipient can read it. This matters because the information you send online passes through many devices before it reaches the recipient.
Any device between you and the server could see your credit card numbers, usernames and passwords, and other sensitive information unless it is encrypted with TLS/SSL. This is the basis of a man-in-the-middle (MITM) attack, in which the interception of unencrypted packets leads to data theft.
When an SSL certificate is used, the information becomes unreadable to everyone except the server you are sending it to.
SSL version 1.0 was never published and served only as an internal basis for the development of later versions. Version 2.0 was released in February 1995 but contained many security flaws, which led to the development of SSL 3.0.
Subsequently, with the support of many companies, a standard based on the SSL 3.0 protocol was developed and adopted under the name TLS 1.0. It is also often referred to as SSL 3.1.
Although TLS and SSL differ significantly in implementation, developers usually notice only a few of the differences, and end users do not distinguish them at all. However, TLS 1.0 and SSL 3.0 are incompatible. The big difference is that TLS requires certain encryption algorithms that the SSL protocol does not support.
SSL certificates are used for a wide range of tasks. They can be loosely divided into two groups: by the method of validating the site and by the domains certified. Let’s examine them in more detail.
The domains-to-be-certified parameter defines the list of domains and subdomains of the site to which the purchased certificate will apply. In other words, such certificates are needed if the site uses multiple names or runs on multiple servers.
Single-domain certificate – works for the one domain name specified during the order. The domain for which the certificate was purchased is protected, but its subdomains are not covered by such a certificate. These certificates are the easiest to obtain and create; they are used on many Internet resources and have a minimal cost.
Wildcard – can be used for the domain specified during registration and all its subdomains. Wildcard SSL certificates support running an Internet site on distributed servers. They are used when encryption is needed not only on the main domain but also on its subdomains. As a rule, subdomains are covered by the certificate automatically. This option is not always profitable from a financial point of view – sometimes it is easier and cheaper to buy several SSL certificates.
Multi-Domain SSL Certificate (MDC) – a type of certificate that protects not just one domain but a whole list at once. Multi-domain certificates save the time and money of obtaining individual certificates for your domains if you know in advance that you will need to certify many of them. With such bulk domain identity you also do not need to track certificate validity periods for each individual domain.
SSL certificates also differ in their level of validation. The level determines how sensitive the data is that can be entrusted to the site.
Domain Validation (DV SSL) certificates confirm only that the user has reached the website whose domain address they navigated to; they certify just the web server that serves the site. Such a certificate contains no information about the company that owns the site and therefore cannot be considered secure enough for commercial services. DV is recommended for sites where a strong security guarantee is not required. They are issued automatically and do not require additional verification: the domain owner receives an e-mail with a unique link through which the issuance of the certificate is confirmed.
Organization Validation (OV SSL) certificates verify not only the domain name but also the organization that owns the website. The latter is verified against the registration data of the legal entity, which must be provided to the SSL provider when ordering a certificate. Such certificates cannot be obtained by an individual. Issuance takes from 3 working days, as a special check is required: the Certification Authority checks whether the organization that submitted the application really exists and whether the specified resource belongs to it. Different certification centers may check additional criteria. OV certificates are by far the most popular among customers.
An Extended Validation (EV SSL) certificate carries the highest level of trust for other Internet hosts. It is the best solution for sites whose operation requires strict confidentiality of transmitted data (for example, online financial transactions). An EV SSL certificate is the most difficult to obtain. It certifies that the site has the highest level of trust, as the certificate confirms that the company really exists and has passed all stages of control. In particular, the legal activity of the organization, the availability of official documents, and the exclusive right to use the domain name are examined.
TLS was developed with SSL as its base. Although it supports earlier TLS versions, it does not interoperate directly with SSL. SSL is now an unsupported, insecure protocol, while new versions of TLS continue to be developed. In part, TLS can be called a descendant of SSL. TLS is the more secure protocol, as it uses modern, more efficient and secure cipher suites, supports encryption key generation, and uses newer hashing algorithms.
The cause of an SSL connection error is a problem with certificate authentication. It can be caused both by the server from which information about the site is requested and by the user’s computer. If the source of the problem is the site visitor’s computer, the solution should be sought in the browser used to access the resource. In addition, the other reasons may be:
If the browser displays an SSL certificate error from the server side, there can be two reasons. The first is that the certificate’s validity period has expired; the second is the purchase of a certificate from an illegitimate certificate provider. For example, the fault may lie in the choice of a self-signed certificate that only emulates the operation of a real certificate.
In practice, SSL certificates for email are used to serve two purposes.
Firstly, it is the protection of mail from interception during cyber attacks. If an SSL certificate is not installed on the server, the data is transmitted in clear text. An attacker can gain access to the message and either use the data in it or alter its content. If the data is encrypted under the certificate’s key, a third party cannot decrypt it because it does not possess the private key.
Secondly, it is the identification of the mail server. When connecting to the server, the mail client or browser checks its authenticity. If an SSL certificate is installed for the mail domain, authentication is performed as part of the key exchange.
To convince the user that the site they have opened is safe, a clear visual cue is the best way. Since the average user is unlikely to understand the details of computer networks, a simple icon appears to the left of the address bar. If the certificate is not trusted, there will most likely be an exclamation mark or a padlock to the left of the address bar.
In most cases, site owners try to keep their certificates in order. Therefore most sites have a valid SSL certificate confirming the organization’s rights to the site. It is shown as a closed padlock icon. Sites with an extended validation certificate give you the greatest confidence: some browsers show the legal name of the company to the left of the address bar on a green background. Such visualization is needed so that the user can cast aside doubts that the data transmitted to this site may be lost, stolen or compromised.
Lastly, many SSL certificates come with a seal image that can be displayed on the site to show which brand of SSL certificate is in use. It tells site visitors clearly that their security and information are protected, which can make customers more likely to trust the site and make a purchase.
SSL certificates can be obtained from Certificate Authorities (CAs). Depending on what data will be transmitted by user traffic and how you will use the web site, you can choose a suitable type and cost of certificate.
Only SSL certificates with domain verification are issued free of charge. They do nothing beyond securing the traffic of the connection between the user and the server. That means attackers can copy your site, issue their own certificate, and impersonate you. In addition, sometimes the browser does not consider free certificates a guarantor of a secure connection and warns the user about it. This is especially true for sites that sell goods and services and collect payment card data. A free certificate is enough for a simple site that collects only some personal data, such as logins and passwords. Any online store should consider paid certificates.
If you want to gain users’ trust, a domain certificate with organization verification is the minimum required. In this case your company will need to send a request, fill out documents about your organization, and possibly even send notarized translated copies of documents to the certification service. The most trusted certificate is the one with extended verification. To issue it, a full check of the company is carried out, special documents are filled in and all company data is verified. The most serious organizations that handle large amounts of money, for example banks, need to use such certificates.
To protect multiple domains you own, you can use special certificates that protect multiple domain names, servers, or subdomains at once. Such certificates are called multi-domain certificates and are preferable in management and cost. They are also called subject alternative name (SAN) SSL certificates and are used to secure multiple domains under a single certificate.
Multi-domain SSL, like all other certificates, can be issued to an individual with e-mail verification, to a legal entity with verification of the company and its rights to the domain, or with extended verification of the organization and its website.
Certificates with the SAN option typically protect from 1 to 3 domains by default but can be extended to more. A certificate with the SAN option can protect multiple domain names on the same IP address. The SAN option is used for certificates with different validation types: DV, OV, and even EV.
The Unified Communications Certificate (UCC) protects multiple individually validated (DV) or organization-validated (OV) domains at once. As the name suggests, the certificate was created for use within one infrastructure, since it can cover several domains, subdomains and environments.
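The coverage types described above (single-domain, wildcard, and multi-domain/SAN certificates) all come down to one browser check: does a name in the certificate's Subject Alternative Name list match the host the user typed? The following is an added example, not code from the original article or from Helenix; it implements that matching rule in Python over sample certificate dicts in the shape returned by ssl.SSLSocket.getpeercert(). The sample certificates are constructed, and the coverage_type() classification is a simplification that ignores the subject CN, as current browsers do.

```python
"""Hostname matching against a certificate's Subject Alternative Names (SAN).

Added example, not code from the original article or from Helenix. It
implements the rule a browser applies when deciding whether a certificate
covers the host the user typed, so the three coverage types can be compared
side by side:
  - a single-domain certificate covers exactly the name it lists;
  - a wildcard certificate covers one level of subdomains;
  - a multi-domain (SAN) certificate lists every name it covers.
The certificate dicts below are constructed samples in the shape returned
by ssl.SSLSocket.getpeercert(); they are not real certificates.
"""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a SAN dNSName pattern covers hostname.

    Rules (after RFC 6125, as Python's ssl module and browsers apply them):
    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard may only be the entire left-most label ('*.example.com');
    - a wildcard matches exactly one label, so '*.example.com' covers
      'www.example.com' but neither 'example.com' nor 'a.b.example.com';
    - a wildcard directly under a top-level domain ('*.com') is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" in pattern:
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
            return False            # wildcard must be a whole, left-most label
        if len(p_labels) < 3:
            return False            # '*.com' would cover every .com host
    if len(p_labels) != len(h_labels):
        return False                # a wildcard never spans more than one label
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def certificate_covers(cert: dict, hostname: str) -> bool:
    """Does a getpeercert()-style dict cover hostname?

    Only dNSName entries of subjectAltName are consulted; the subject CN is
    ignored, which is how current browsers behave.
    """
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and dns_name_matches(value, hostname):
            return True
    return False


def coverage_type(cert: dict) -> str:
    """Classify a certificate by its SAN list (simplified: a wildcard entry
    wins, then more than one name means multi-domain, else single-domain)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if any(n.startswith("*.") for n in names):
        return "wildcard"
    if len(names) > 1:
        return "multi-domain"
    return "single-domain"


# Constructed sample certificates (not real), one per coverage type.
SINGLE_DOMAIN_CERT = {"subjectAltName": (("DNS", "example.com"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"))}
MULTI_DOMAIN_CERT = {"subjectAltName": (("DNS", "example.com"),
                                        ("DNS", "example.org"),
                                        ("DNS", "shop.example.net"))}

if __name__ == "__main__":
    for label, cert in [("single", SINGLE_DOMAIN_CERT),
                        ("wildcard", WILDCARD_CERT),
                        ("multi", MULTI_DOMAIN_CERT)]:
        for host in ["example.com", "www.example.com", "a.b.example.com", "example.org"]:
            print(f"{label:8} {coverage_type(cert):13} {host:18} -> "
                  f"{certificate_covers(cert, host)}")
```

The two things this table makes visible are the limits the article mentions: a single-domain certificate leaves every subdomain uncovered, and a wildcard covers only one label, so a second level such as a.b.example.com needs its own certificate or a SAN entry.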
The PKI industry limits the maximum validity of SSL certificates for security reasons. Today SSL certificates can be valid for up to 27 months, after which the certificate needs to be renewed or replaced. An expired certificate has serious consequences: every site visitor sees an expired-certificate warning, which effectively means the site is no longer confirmed as trusted, and your website traffic will drop dramatically.
Studies show that most users who encounter a notification about an expired site certificate immediately close the page. Only a small fraction of visitors accept an expired certificate. The remaining users may also conclude that the resource is unsafe and will not make purchases, even if they have done so on the same site before. In turn, the site’s ranking indicators will also drop: the site will gradually fall in the search results, as search robots take into account, among other things, the behaviour of visitors.
SSL is one of the most common technologies on the Internet today. It has become so widespread due to the need to ensure the security of the user and customer data, as well as the need to protect the sites and infrastructure of organizations. Helenix develops data protection solutions based on SSL certificates using the most reliable methods and technologies. You can learn about our various competencies in the Custom Development section.
Hypertext Transfer Protocol Secure (HTTPS) is the HTTP protocol carried over TLS/SSL encryption to secure the transmitted data. In other words, HTTPS is HTTP with SSL/TLS built in as part of it.
If you are unable to get a dedicated IP, you can issue an SSL certificate for a domain name and even for a list of domain names without being tied to a specific IP address.
An SSL test is a check of a site that has an SSL certificate. It determines how correctly the site interacts with users, whether there are any problems in validating the certificate, and other aspects of the site’s operation.
Transport Layer Security (TLS) is the modern descendant of the SSL protocol. The latest version of SSL, 3.0, is now considered insecure, and the TLS standard (also called SSL/TLS) must be used instead. However, the name “SSL certificate” continues to be used for the certificates used with TLS.