SSL certificates: What they are and what they’re for
The internet is a wonderful place for many people: freely available information, global communication, unlimited exchange of knowledge. However, not all internet users have good intentions. Time and time again, criminals come up with new methods of retrieving your sensitive data, like e-mail or online banking passwords. To this end, they might set up fraudulent websites that imitate those of reputable companies. Unsuspecting users often fall for this scam, unintentionally passing their private data on to criminals. However, harmless sites can also be abused by criminals: if transmissions between you and a website operator’s server are not sufficiently secured, third parties may try to access the data stream.
In order to protect users’ data from this kind of interception, standardized SSL certificates have been established. With a certificate, a website assures the user (or, more precisely, the user’s browser): “your data is safe with us!”
- What is an SSL certificate?
- How long is an SSL certificate valid?
- SSL certificate: How does the encryption work?
- What kind of SSL certificates are there?
- Costs: Free SSL vs. Paid SSL
- How can I recognize an SSL certificate?
SSL stands for secure sockets layer. This is an encryption protocol in the TCP/IP protocol stack. An SSL certificate serves as binding proof of identity – in addition, the certificate often contains information which allows the browser and server to establish encryption. Today, however, the certificate is no longer based on SSL, but is based on the successor TLS (Transport Layer Security) by default, whereby the old name has been largely retained and is still used today.
What is an SSL certificate?
Today, certificates should no longer be used with the outdated SSL, but should rely on the newer and more secure TLS (transport layer security). Colloquially, however, “SSL certificate” is still the most common term when it comes to encryption protocols. The certificate itself is a data record: a file containing a great deal of information, such as the name of the issuer, the serial number, or the so-called fingerprint. Certificates are available in various file formats. If website operators want to use a certain certificate, they need to install it on their server.
To obtain a certificate, website operators need to contact a certification authority. These organizations are entitled to issue SSL certificates, but usually charge fees for their services. But why can’t everyone just start their own organization? The reason is that browser manufacturers like Microsoft, Mozilla, or Google also need to accept the certificates; otherwise the certificate does not really benefit you. The software company Symantec had to deal with exactly this issue: after Google withdrew trust from the vendor, its certificates were no longer supported by Chrome. As a result, users of Google’s browser no longer received the encryption icon that indicates a secure data transfer when visiting a website that uses a Symantec certificate.
You can read more about the dispute between Google and Symantec and how website operators should handle the manufacturer’s certificates in our article on the topic.
How long is an SSL certificate valid?
A certificate accepted by browsers is by no means valid forever. Each SSL certificate has an expiry date. Once it is reached, the website operator must renew the certificate, otherwise the corresponding pages will no longer be shown as secure. Although regular renewal of certificates can be both time-consuming and costly for website operators, it is still necessary. Only if certification authorities regularly check the integrity, identity, and encryption mechanisms used can user security be guaranteed.
The SSL certificate does not only state that it is valid, but also the period for which it is valid.
SSL certificate: How does the encryption work?
There are several ways to encrypt data transfers. Usually, you need a key to encrypt something and the exact same key to make the message readable again. However, this method does not make sense on the internet, because users often make contact with people or organizations that they have never communicated with outside of the internet before. Consequently, there is no way to pass on such a key without first sending it unencrypted through a publicly accessible medium. Therefore, SSL certificates use a different procedure.
In a public-key infrastructure, you don’t create just one key, but two: a public key and a private key. A message encrypted with the public key can only be decrypted with the private key. The browser receives the public key through the certificate and uses it for encryption. There are different methods for encrypting the data; here, too, the web server provides the browser with the necessary information during the connection setup.
For example, AES (advanced encryption standard) combined with the SHA-256 cryptographic hash function is a commonly used encryption method, but the standards change regularly, since both criminals and crypto experts are constantly working to find vulnerabilities in encryption mechanisms.
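To make the public/private key principle concrete, the following is an added example written for this article in Go; it is not code from the original page or from any certificate provider. The type and function names (ServerKeys, Encrypt, Decrypt) are assumptions made for the example. The server’s key pair stands in for the key behind a certificate: the browser side generates a throwaway key pair, agrees a shared secret with the server’s public key (ECDH on P-256), hashes it with SHA-256 to obtain an AES-256 key, and seals the message with AES-GCM. Only the holder of the private key can recompute the same secret; anyone who tampers with the ciphertext is caught by GCM’s integrity tag. Real TLS derives its keys with a more elaborate schedule (HKDF) and uses the certificate’s key for authentication rather than for encrypting application data directly, but the trust boundary shown here is the same.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ServerKeys stands in for the key pair behind a site's certificate: the public
// half is what the browser receives inside the certificate, the private half
// stays on the server and is never transmitted.
type ServerKeys struct {
	priv *ecdh.PrivateKey
}

// NewServerKeys generates a P-256 key pair (assumed curve for this example).
func NewServerKeys() (*ServerKeys, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ServerKeys{priv: priv}, nil
}

// PublicKeyBytes is the part that a certificate would carry to the browser.
func (s *ServerKeys) PublicKeyBytes() []byte { return s.priv.PublicKey().Bytes() }

// deriveAESKey hashes the ECDH shared secret with SHA-256 to obtain a
// 256-bit AES key (a simplified stand-in for TLS's HKDF-based key schedule).
func deriveAESKey(shared []byte) []byte {
	sum := sha256.Sum256(shared)
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the browser side: it creates a fresh ephemeral key pair, agrees a
// shared secret with the server's public key, derives an AES key and seals the
// message with AES-256-GCM. It returns the ephemeral public key (sent in the
// clear; useless without the server's private key) and nonce||ciphertext.
func Encrypt(serverPub, plaintext []byte) (ephemeralPub, sealed []byte, err error) {
	curve := ecdh.P256()
	pub, err := curve.NewPublicKey(serverPub)
	if err != nil {
		return nil, nil, err
	}
	eph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	shared, err := eph.ECDH(pub)
	if err != nil {
		return nil, nil, err
	}
	aead, err := newGCM(deriveAESKey(shared))
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	sealed = aead.Seal(nonce, nonce, plaintext, nil) // output starts with the nonce
	return eph.PublicKey().Bytes(), sealed, nil
}

// Decrypt is the server side: only the holder of the private key can recompute
// the same shared secret, and GCM's tag check rejects any tampered ciphertext.
func (s *ServerKeys) Decrypt(ephemeralPub, sealed []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(ephemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := s.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(deriveAESKey(shared))
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func main() {
	server, err := NewServerKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample message; in practice this would be a login form's contents.
	eph, sealed, err := Encrypt(server.PublicKeyBytes(), []byte("constructed sample: account password"))
	if err != nil {
		panic(err)
	}
	pt, err := server.Decrypt(eph, sealed)
	fmt.Printf("decrypted: %q, err: %v\n", pt, err)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the ciphertext/tag
	_, err = server.Decrypt(eph, sealed)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

Run it with `go run`: the message round-trips through the server’s private key, a second server with its own key pair cannot open it, and a single flipped bit makes decryption fail rather than silently yield garbage.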
What kind of SSL certificates are there?
There are several types of SSL certificates. Although there are different issuers with different verification mechanisms, these factors are not the decisive criteria. Rather, SSL certificates are differentiated according to, among other things, how thoroughly the applicant is verified and how wide the certificate’s scope is.
There are three types of verification. These differ not just in terms of processing time, but also in terms of associated costs. While domain validation SSL certificates are now available for free, individuals and small businesses are rarely able to meet the cost of extended validation.
Domain validation (DV)
Domain validation is the lowest level of SSL certificates: verification of who is behind the website address is correspondingly superficial. The certification authority often only sends an e-mail to the address specified in the WHOIS entry. Alternatively, the applicant is asked to change a DNS entry or to upload a specific file to their server to demonstrate control of the domain.
The verification process can be fully automated and is therefore not considered safe by many. Some browsers therefore mark a DV SSL certificate separately to point out the lower security standards compared to other certificates. With this form of certificate you will not receive any further information about the website operator.
Organization validation (OV)
OV SSL certificates are one level higher in terms of visitor safety. As part of the validation, the certification body requests documents from the website operator – usually after the automated domain validation process has been completed. Which documents are required depends on the issuing organization; an extract from the commercial register is sometimes requested, for example. In addition, some certification authorities contact the website operator by telephone. OV SSL certificates provide internet users with more security, since the certification body checks in advance who is actually running the website. They also offer the advantage that this information remains visible to every user in the certificate itself.
Extended validation (EV)
SSL certificates bearing the extended validation label provide the highest level of security. With this type of certificate, the domain, the organization associated with it, and the applicant themselves are checked. The certification body also verifies whether the applicant actually works for the specified organization or company and whether they are entitled to request a certificate. Additionally, the certification body itself needs to be authorized to carry out extended validations. To be authorized, it needs to pass a review by the CA/Browser Forum, a voluntary association of certification bodies and browser manufacturers.
Costs: Free SSL vs. Paid SSL
A significant factor in choosing an SSL certificate is how expensive it will end up being. Generally speaking, the more advanced the validation is, the more you’ll have to pay for the certificate in the end. Since 2015, Let's Encrypt has been an SSL certificate provider that issues certificates free of charge.
At the beginning of March 2020, Let's Encrypt had to revoke more than three million active SSL/TLS certificates. The reason was a bug in Boulder, the open source software used by Let's Encrypt, in its verification of CAA records (Certification Authority Authorization). The only solution for those affected was to obtain a new certificate to restore encryption – and all this within 24 hours.
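The CAA check mentioned above is the step a certification authority must run before issuing: the domain owner publishes CAA records in DNS naming which CAs may issue for the domain, and the CA looks them up. The following Go program is an added example written for this article, not Boulder’s code or any CA’s, and implements the lookup rules of RFC 8659 over a constructed in-memory zone instead of live DNS: climb from the requested name towards the root until a name with CAA records is found, use issue records for ordinary names and issuewild records (when present) for wildcard requests, and treat the value “;” as “nobody may issue”. The names, records and the CA identifier strings in the sample zone are constructed for the example; Zone, MayIssue and the other identifiers are assumptions of this example. It goes slightly beyond the text by also covering the no-records and only-iodef cases.

```go
package main

import (
	"fmt"
	"strings"
)

// CAARecord is one CAA resource record as defined in RFC 8659: a property tag
// ("issue", "issuewild" or "iodef") and its value.
type CAARecord struct {
	Tag   string
	Value string
}

// Zone is a constructed stand-in for DNS: the CAA records published at each
// name. A real CA performs live DNS queries here; the decision logic is the same.
type Zone map[string][]CAARecord

// relevantSet climbs from name towards the DNS root and returns the CAA records
// of the closest name that has any (RFC 8659 section 3), or nil if none exist.
func (z Zone) relevantSet(name string) []CAARecord {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(name, ".")), ".")
	for i := range labels {
		if rrs := z[strings.Join(labels[i:], ".")]; len(rrs) > 0 {
			return rrs
		}
	}
	return nil
}

// issuerDomain extracts the CA identifier from an issue/issuewild value,
// dropping any ";key=value" parameters. The value ";" yields "" and therefore
// matches no CA at all, which is how a domain forbids issuance entirely.
func issuerDomain(v string) string {
	d, _, _ := strings.Cut(v, ";")
	return strings.ToLower(strings.TrimSpace(d))
}

// MayIssue is the check a CA runs before issuing: may the CA identified by
// caID issue for name? wildcard=true means the request is for "*."+name, in
// which case issuewild records take precedence over issue records.
func (z Zone) MayIssue(name string, wildcard bool, caID string) bool {
	rrs := z.relevantSet(name)
	if rrs == nil {
		return true // no CAA records anywhere up the tree: issuance is not restricted
	}
	tag := "issue"
	if wildcard {
		for _, rr := range rrs {
			if rr.Tag == "issuewild" {
				tag = "issuewild"
				break
			}
		}
	}
	restricted, allowed := false, false
	for _, rr := range rrs {
		if rr.Tag != tag {
			continue
		}
		restricted = true
		if issuerDomain(rr.Value) == strings.ToLower(caID) {
			allowed = true
		}
	}
	// Records exist but none with the relevant tag (e.g. only iodef): no restriction.
	return !restricted || allowed
}

// sampleZone is constructed for this example; the names are documentation domains.
var sampleZone = Zone{
	"example.com": {
		{"issue", "letsencrypt.org"},            // only this CA may issue ordinary certificates
		{"issuewild", ";"},                       // nobody may issue wildcard certificates
		{"iodef", "mailto:security@example.com"}, // where a CA reports policy violations
	},
	"locked.example.com": {{"issue", ";"}}, // this subdomain forbids all issuance
}

func main() {
	for _, c := range []struct {
		name string
		wild bool
		ca   string
	}{
		{"www.example.com", false, "letsencrypt.org"},
		{"www.example.com", false, "other-ca.example"},
		{"example.com", true, "letsencrypt.org"},
		{"locked.example.com", false, "letsencrypt.org"},
		{"no-caa.example.org", false, "other-ca.example"},
	} {
		fmt.Printf("%-20s wildcard=%-5v %-16s -> may issue: %v\n",
			c.name, c.wild, c.ca, sampleZone.MayIssue(c.name, c.wild, c.ca))
	}
}
```

A subtle point worth noting for anyone publishing CAA records: the climb stops at the first name that has any CAA records, so a record on a subdomain completely replaces the parent’s policy for that subdomain rather than adding to it.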
Differences between free and paid certificates
If it's just a matter of securing a website so that it can be accessed via HTTPS rather than via the usual HTTP, a free certificate fulfils the requirements just as well as a paid certificate. Both solutions use the transfer protocol SSL or TLS and thus provide secure data transfer between client and server.
However, there are several crucial differences between free and paid certificates:
- Validation level: When issuing a free certificate, the verification of the website operator is not very extensive - domain validation is the typical level of control here. Certificates with a higher validation level are always subject to a fee.
- Validity: Most paid certificates are valid for one or two years. Free certificates expire after 90 days at the latest. So if you rely on free SSL/TLS, you will have to exchange the certificate much more often.
- Domain affiliation: A free SSL certificate can always be generated exclusively for a single domain to which it is then bound. Paid SSL/TLS solutions also allow cross-domain certificates that can be used for several websites.
Advantages of paid-for SSL Certificates
Paid SSL offers various advantages over the free alternatives. Paid certificates are valid for longer and - depending on the provider and package - can also be used for several domains. This not only increases flexibility, but also requires much less effort from the website operator. In the event of a problem, the respective providers or certification authorities also provide individual support as standard - a luxury that users of a free SSL Certificate have to do without.
A further advantage of paid SSL certificates is that, in addition to the indication of active HTTPS, the company name itself can often be displayed in the browser’s address bar - as long as you choose the appropriate provider and package.
If you are looking for an affordable SSL certificate, you can check out what IONOS itself has to offer. In terms of cost and scope, both private individuals and companies can benefit from all-round protection packages, offering high-quality encryption.
Which scheme is the right one?
A paid SSL certificate with extended validation is without doubt the best form of encryption for your web project. However, this type of certification can usually only be obtained by larger companies. Cheaper certificates are usually enough for projects in the SME sector, as long as no highly sensitive data is handled; online banking is an example of a service handling sensitive data. For smaller projects where the transfer of personal data plays little to no role at all, free SSL certificates are a good alternative to the paid-for offers. In this case you’ll have a bit more admin on your hands but fewer outgoing costs.
When you apply for an SSL certificate, you should pay attention to how far its scope extends – including whether, for example, subdomains fall under the certificate.
A normal certificate is only valid for a single domain name. This means that “www.example.com” and all subpages of this website are covered by the same SSL certificate, but its subdomains are not. If you need your subdomains to be covered too, then you need to apply for another certificate or purchase a wildcard certificate.
Wildcard certificates get their name because they work with a wildcard. Instead of being issued for “www.example.com,” for example, these SSL certificates apply to all subdomains – i.e. also to “mail.example.com” or “blog.example.com.” They are issued in the form “*.example.com.” The asterisk symbolizes the wildcard.
Multi-domain certificates (also called SAN certificates) extend far beyond the reach of single-name or wildcard certificates. Many certification bodies offer their customers certificates covering up to 100 domains. For example, with only one certificate applicants can secure both “www.example.com” and “www.example.org.” This is made possible by the subject alternative name extension – an additional field in the certificate that contains all other domain names.
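The validity period discussed earlier and the three scopes just described (single name, wildcard, multi-domain via the subject alternative name field) can be checked programmatically. The Go program below is an added example written for this article, not code from the page or from any certificate provider: it creates self-signed test certificates (so that it runs offline; a real site certificate is signed by a CA) with a 90-day validity window and with each kind of name list, then asks the standard library to apply the same matching rule a browser uses and reports whether a given date lies inside the validity period. The function names (NewSelfSignedCert, ValidAt, Covers), the organization name and the dates are assumptions constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewSelfSignedCert builds a certificate whose subject alternative names are
// dnsNames and whose validity window is [notBefore, notAfter]. It is self-signed
// only so that the example runs offline; a real site certificate is signed by a CA.
func NewSelfSignedCert(dnsNames []string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed; real serials are large random values
		Subject:               pkix.Name{Organization: []string{"Example Org"}, CommonName: dnsNames[0]},
		DNSNames:              dnsNames, // the subject alternative name extension
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ValidAt reports whether t falls inside the certificate's validity period and
// how many whole days remain until expiry (negative once it has expired).
func ValidAt(cert *x509.Certificate, t time.Time) (bool, int) {
	inWindow := !t.Before(cert.NotBefore) && !t.After(cert.NotAfter)
	days := int(cert.NotAfter.Sub(t).Hours() / 24)
	return inWindow, days
}

// Covers applies the name-matching rule a browser uses: host must equal a SAN
// entry exactly, or match a wildcard entry in which "*" stands for exactly one
// leftmost label. "*.example.com" therefore covers "mail.example.com" but
// neither "example.com" nor "a.b.example.com".
func Covers(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	notBefore := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	notAfter := notBefore.AddDate(0, 0, 90) // a 90-day window, as free certificates use
	kinds := []struct {
		kind  string
		names []string
	}{
		{"single-name", []string{"www.example.com"}},
		{"wildcard", []string{"*.example.com"}},
		{"multi-domain (SAN)", []string{"www.example.com", "www.example.org"}},
	}
	hosts := []string{"www.example.com", "mail.example.com", "example.com", "www.example.org"}
	for _, k := range kinds {
		cert, err := NewSelfSignedCert(k.names, notBefore, notAfter)
		if err != nil {
			panic(err)
		}
		// The same fields a browser shows when you click the lock: issuer and validity.
		fmt.Printf("%s certificate, issuer %v, valid %s to %s\n", k.kind,
			cert.Issuer.Organization, cert.NotBefore.Format("2006-01-02"), cert.NotAfter.Format("2006-01-02"))
		for _, h := range hosts {
			fmt.Printf("  %-18s covered: %v\n", h, Covers(cert, h))
		}
	}
	cert, _ := NewSelfSignedCert([]string{"www.example.com"}, notBefore, notAfter)
	for _, d := range []time.Time{
		time.Date(2024, 1, 15, 0, 0, 0, 0, time.UTC),
		time.Date(2024, 4, 1, 0, 0, 0, 0, time.UTC),
	} {
		ok, days := ValidAt(cert, d)
		fmt.Printf("valid on %s: %v (%d days left)\n", d.Format("2006-01-02"), ok, days)
	}
}
```

The wildcard result is the one practitioners most often get wrong: “*.example.com” does not cover the bare “example.com”, nor a second level such as “a.b.example.com”, so a site that serves both the apex and “www” needs both names in the SAN list.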
How can I recognize an SSL certificate?
If you are using a current browser, it’s easy to tell whether you’re browsing a website secured with SSL/TLS: take a look at the address bar! Two things directly point to encryption: on the one hand a lock symbol, on the other hand an address that starts with “https://” instead of the usual “http://.” The additional “S” stands for “Secure” and signals to users that an additional SSL/TLS layer has been added to the Hypertext Transfer Protocol. In other words, an additional encryption layer has been inserted into the TCP/IP protocol stack – between TCP and HTTP.
The (usually green) lock is first and foremost an obvious signal from your browser that the website you are visiting has a valid certificate. In addition, you can also click on it to get more information about the website’s security. Click on it to open a pop-up window with information about the certificate’s issuer, the encryption used and the validity period.
If the website you are on does not have a valid SSL certificate, there will be no green lock or “https://” in the address bar. In addition, some browsers warn users on these websites when they attempt to transmit passwords or other sensitive data to the server. The browser then alerts them so that their data won’t be intercepted by strangers.
Just because a website does not have an SSL certificate, it does not necessarily mean that a website is fraudulent. However, the risk that criminal third parties steal important personal data from you is higher on these sites than ones with SSL certificates. HTTPS is essentially indispensable, especially when it comes to transmitting sensitive data.