Computer users worldwide are wary of hacks and privacy violations, so it pays to continue to be vigilant with your website’s security.
If you’re working in SEO, you have no doubt come across SSL certificates and digital encryption.
But what does SSL mean, and what do SSL certificates have to do with your digital marketing strategy?
In this article, you’ll learn about the different types of SSL certificates available and how to move forward with installing one on your server.
Implementing high-quality SSL can mean great things for your website; it helps confirm to users that they’re in a safe space and you’re taking steps to protect their data.
What is SSL?
SSL stands for Secure Sockets Layer. This is what protects the information in your browser while you’re sending it across the Web to the server where it will be received.
SSL helps provide your visitors a more secure online experience. It’s important to choose the type of certificate that is right for your site and make sure it is installed properly.
What Does an SSL Certificate Do?
When you use the internet, your browser uses SSL encryption to communicate securely with a website. SSL ensures that all data passing between you and a site is protected against man-in-the-middle attacks.
An SSL certificate can also protect against other types of attacks, but not all of them. Some attacks are specific to SSL certificates and can result in a web server being entirely compromised.
The initial communication process the protocol initiates is called the TLS handshake. This is a server configuration that supports the SSL certificate.
With a handshake, two parties over the Internet generate unique security keys for that session in a fraction of a second. These keys work to encrypt the communications being sent, and decrypt the communications being received.
For each new secure session, different session keys are generated.
Say, for example, you try to access a secure website that has been locked down with the required SSL certificate.
Any data you send, whether you fill out a form or create an account, is secure after you open this connection. It is free from interference by any unscrupulous parties who might be looking to intercept that private information.
This TLS handshake process is critical to the processing of secure data sent over a website.
What is TLS?
Any discussion about SSL would not be complete without some talk about TLS.
SSL works with TLS, which stands for Transport Layer Security. This is a web security protocol (similar to HTTP/2) that facilitates data privacy and security. This in turn results in secure communications between machines on the Internet.
TLS includes the following three components: encryption, authentication, and integrity.
- Encryption: TLS helps to hide the transfer of private data from any third-party prying eyes. This makes viewing any website more secure.
- Authentication: The authentication component of TLS ensures that the two parties who transfer this information are who they say they really are. In other words, data being sent over the protocol will be both encrypted and authenticated.
- Integrity: This component of TLS helps ensure that the data has not been faked or otherwise tampered with.
Encryption, authentication, and integrity all work together to ensure that your data is kept secret from prying eyes and that they don’t have access to data you intend to send to the recipient’s website.
What is TLS 1.3 and Why is it a Big Deal?
The most recent version of TLS is TLS 1.3, which replaces the earlier version 1.2.
This version of TLS completes the handshake faster than TLS 1.2, and every additional increase in potential page speed can help your website’s performance.
Another aspect of TLS 1.3 that makes it desirable for SEO professionals is the fact that there are fewer steps in the client/server authentication process. This may further improve potential speed on those servers where this is correctly implemented and optimized.
The other aspects that make TLS 1.3 attractive include cipher suites that are more secure, as well as zero round-trip time, which further improves and streamlines the TLS handshake process.
This means that the new version of TLS translates to improved performance and better security, all points to consider as you select the appropriate security protocols for your website.
Regardless of what type of SSL certificate you use, your server should be properly configured and have the required components in place for the successful installation and operation of the SSL certificate with TLS.
What are the Different Types of SSL Certificates?
- Domain validated SSL.
- Organization validated SSL.
- Extended validation SSL.
- Wildcard SSL.
There are two main types of SSL Certificates: Domain Validated (DV) and Organization Validated (OV). They offer different levels of protection, validation, and pricing.
The cheapest SSL Certificate is the DV Standard SSL which is generally considered a starter certificate. It can oftentimes be free (especially if you’re using something like Let’s Encrypt) and will get your site up and running in no time.
For a bit more, you can get an OV SSL Certificate which is usually used by larger companies that have a consolidated domain name or multiple domain names. This option does cost a bit more but can be well worth it. From this point on, it is all about your budget and what you feel is best for your security needs.
Standard SSL certificates have a limited set of features, while extended level security is available for additional fees.
Domain Validated Certificates
Domain validated certificates can prove that the requestor owns or controls the domain name it uses to communicate with the site. This type of SSL is the lowest level of SSL certificate that you can get.
Unless you’re dealing with sensitive user information, user logins, or things of that nature, you may not need to get anything other than a DV certificate.
These types of certificates use an X.509 public key, which is used by the transport layer security (or TLS). For this type of certificate, the applicant for the certificate is verified. In order to become verified, said applicant needs to prove that they have control over a certain domain.
This is one of the quickest and easiest ways to enable an SSL certificate on your site because it doesn’t require all that much effort to get verified.
To get a domain validated certificate, you must prove control over your domain name through a response mechanism, typically by responding to something like an email contact in your domain’s WHOIS, verifying through a DNS TXT record, or by responding through a known potential contact on the domain (such as admin or mail).
These types of certificates, however, aren’t sufficient when handling sensitive data on external websites because you don’t need to provide proof of ownership or control over a domain name’s corresponding private key in order to acquire one.
This means someone else could get a certificate for your site and spy on the information users send to it, or impersonate your identity.
DV certificates also expire after about 1 year, so they should only be used temporarily as website owners transfer to more secure OV certificates in order to maintain a greater level of trust with their visitors.
A DV certificate is fine if you don’t need tighter security. However, fraudsters can manipulate DV certificates by fooling users into thinking that the website is legitimate.
As a result, the user could still enter their personal private information. If a high level of security is important to you and is necessary for your type of site, you will want to consider an organization-validated certificate (OV).
You may want to think about switching from a DV to an OV certificate if you have to do any of the following:
- You need high-security protection for any sensitive data from users.
- You want to include your official company name on the SSL certificate (this is something that is more trustworthy among users).
- You want to communicate the fact that your site is a legitimate company, and does not engage in fraudulent hacking activities.
- You’re planning on growing your business and need the additional power of higher security in order to do it.
When it comes to security, you can never be too careful. For those who want to get into the higher end of SSL certificates, using an organization-validated certificate could be for you.
Organization Validated Certificates
Organization validated certificates require an applicant to be verified before they can acquire one. The certificate authority will contact you and verify that you own or control the domain name associated with the certificate by asking questions about how it’s registered and configured.
Organizations are typically better protected because you have to prove ownership or control over a DNS record, such as the website’s A record or SRV record (if using single-name or SAN SSL), and have it reflect the certificate’s details.
You can also add other records like MX or TXT to offer transparency and provide greater assurances that the domain’s owner is legitimate.
After going through this verification process, the certificate authority will issue an OV certificate, which is typically valid for one year and can be renewed at any time after that by following the same procedure.
It used to be that DV, OV, and EV SSL certificates were valid for two years, but this was changed to 1-year certificates on September 1, 2020.
The main protection that OV certificates offer that DV certificates don’t is the inability of fraudsters to obtain one. They cannot easily obtain OV certificates because their organization is not easily validated.
Extended Validation (EV) SSL Certificate
An EV SSL Certificate will cost quite a bit more than the above, depending on what kind of features you need. Discuss your needs with a trusted security auditor who can guide you through the process and make recommendations based on their knowledge and years of experience.
As a general guideline, if your site is using things like an account area or logins, an order process, or other highly sensitive areas, then you may want to go with an EV SSL certificate.
Most SSL certificates can be issued within 15 minutes to an hour after receiving the request, which means they are quick and easy to install. The more complex SSL certificates, however, may need the services of an SSL installation professional.
Considering that most popular browsers such as Firefox, Google Chrome, and Microsoft Edge will alert users whenever they encounter a site with an expired certificate or one that was issued using weak encryption strength (e.g., a 1024-bit key), it makes sense to get yourself secured by purchasing an SSL certificate from a trusted provider.
Reputable providers include companies like Comodo SSL, DigiCert, GeoTrust, GlobalSign, RapidSSL, and Thawte. The benefits of using SSL certificates from such trusted providers include the following:
- Peace of mind knowing that your money is protected by leaders in SSL certificate security and backed up by strong support teams.
- Fast, easy to install certificates that come with added features such as DV or DV Extended Validation (EV), which may be required for your business to grow.
- Affordable prices on most available SSL certificate products (some under $200 at the time of writing), making it more affordable for small businesses without breaking the bank.
- Easy-to-use software like Let’s Encrypt or DigiCert Installer, which makes installing your purchased certificate a lot easier than it would be otherwise.
Not all SSL certificates are created equally, however, and different types have varying levels of encryption, protection, and features.
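One way to read the validation level and remaining lifetime off a certificate, as an added example that is not from the original article. It works on the dictionary Python's `ssl` module returns from `getpeercert()` and infers DV, OV or EV from the subject fields; this is a heuristic, since the authoritative marker is the certificate policy OID, which that dictionary omits. The sample certificates, host names and fixed clock are constructed for the demo.

```python
import socket
import ssl
from datetime import datetime, timezone

# Subject attributes that CAs put only in Extended Validation certificates
# (names as OpenSSL reports them).
EV_ONLY_FIELDS = {"businessCategory", "jurisdictionCountryName"}

def fetch_cert(host, port=443):
    """Fetch a live, chain-validated certificate as a dict (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into one dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def validation_level(cert):
    """Heuristic: DV subjects carry no organization, EV adds registry fields."""
    fields = subject_fields(cert)
    if fields.keys() & EV_ONLY_FIELDS:
        return "EV"
    return "OV" if "organizationName" in fields else "DV"

def days_remaining(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days

def summarize(cert, now=None, warn_days=30):
    """Return (validation level, days left, renewal status)."""
    left = days_remaining(cert, now)
    status = "expired" if left < 0 else "renew soon" if left < warn_days else "ok"
    return validation_level(cert), left, status

# Constructed sample certificates in getpeercert() layout (not real sites).
DV_CERT = {"subject": ((("commonName", "blog.example"),),),
           "notAfter": "Mar  1 00:00:00 2025 GMT"}
OV_CERT = {"subject": ((("countryName", "US"),),
                       (("organizationName", "Example Corp"),),
                       (("commonName", "www.example"),)),
           "notAfter": "Jan 10 00:00:00 2025 GMT"}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "US"),),
                       (("serialNumber", "0000000"),),
                       (("organizationName", "Example Bank Inc"),),
                       (("commonName", "secure.example"),)),
           "notAfter": "Dec 15 00:00:00 2024 GMT"}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for the demo

if __name__ == "__main__":
    for cert in (DV_CERT, OV_CERT, EV_CERT):
        print(subject_fields(cert)["commonName"], summarize(cert, NOW))
```

To check a live site, pass the result of `fetch_cert("your-domain")` to `summarize()`.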
Wildcard SSL Certificates
You may also come across wildcard SSL certificates. These are issued with unlimited subdomains and typically cover a single domain name (@) or multiple top-level domains (www*.example.info).
If you want to protect multiple websites using different TLDs (.com, .info), you have to request one for each level of your site’s hierarchy in order to do so.
For example, let’s say you wanted control over a site with the following domains:
Wildcard SSL certificates extend DV-issued SSLs by offering domain validation for multiple subdomains. This is great when you want to protect email and other sensitive accounts at your organization, but it typically costs more because of the added verification steps involved.
Certificate authorities will contact you about all of the domain names specified in your request and verify that you control each one before issuing a certificate. Before doing so, they’ll check their WHOIS database and make sure no other parties have registered those records.
They will also request proof that you own or control them from websites like Geotrust (which requires logging in to your administrative account).
You then receive a certificate for every unique second-level domain specified in your application, which usually lasts for about a year.
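How a TLS client decides whether a wildcard name in a certificate covers a given hostname, as an added example that is not from the original article. It implements the strict matching browsers apply (the `*` must be the whole leftmost label and stands for exactly one label); the function names and the host lists are hypothetical, and the three-label minimum is a simplification of the public-suffix check real clients perform.

```python
def wildcard_covers(pattern, hostname):
    """Return True if a certificate name such as '*.example.info' covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname          # plain name: exact match only

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    # The wildcard must be the entire leftmost label and appear only once.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Refuse overly broad names such as '*.info' (simplified rule:
    # at least two labels must follow the wildcard).
    if len(p_labels) < 3:
        return False
    # '*' stands for exactly one non-empty label, so the label counts must
    # be equal and everything to the right of the wildcard must be identical.
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def uncovered(cert_names, hostnames):
    """List the hostnames that none of the certificate's names cover."""
    return [h for h in hostnames
            if not any(wildcard_covers(name, h) for name in cert_names)]


# Constructed inputs: the names on one wildcard certificate and the
# hostnames a site owner wants to serve over HTTPS.
CERT_NAMES = ["*.example.info", "example.info"]
HOSTS = ["example.info", "www.example.info", "mail.example.info",
         "api.shop.example.info", "www.example.com"]

if __name__ == "__main__":
    for host in HOSTS:
        covered = any(wildcard_covers(n, host) for n in CERT_NAMES)
        print(f"{host:24} {'covered' if covered else 'NOT covered'}")
```

Running `uncovered(CERT_NAMES, HOSTS)` shows which names would still trigger a browser certificate warning and therefore need to be added to the certificate request.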
Why is an SSL Certificate So Important?
According to Google’s Transparency Report, the following shows how the adoption of the HTTPS secure protocol has progressed worldwide since May 1, 2015, as per their “percentage of pages loaded over HTTPS in Chrome by platform” report:
- On March 21, 2015, the percentage of pages loaded over HTTPS in Chrome overall was 45%. On July 31, 2021, that number was 97%.
- On March 21, 2015, the percentage of pages loaded over HTTPS in Chrome on Windows was 39%. On July 31, 2021, that number was 90%.
- On March 21, 2015, the percentage of pages loaded over HTTPS in Chrome on Mac was 43%. On July 31, 2021, that number was 95%.
- On March 21, 2015, the percentage of pages loaded over HTTPS in Chrome on Android was 29%. On July 31, 2021, that number was 94%.
Clearly, SSL certificate use and HTTPS usage have grown exponentially over the past decade.
Even though HTTPS is in use primarily as a tie-breaker signal, if your site is still using the HTTP protocol, you may want to consider the switch. However, it’s not entirely necessary.
Common SSL Attacks
Some common types of attacks include:
- Advanced Persistent Malware.
- Man in the Middle Attacks.
- SSL Renegotiation Attacks.
- SSL/TLS Downgrade Attacks like:
  - POODLE Attacks.
  - FREAK Attacks.
  - Logjam Attacks.
  - DROWN Attacks.
- TLS Truncation Attacks.
- and plenty of others.
While I am not going to go into what these attacks are and how to perform them, we will look at how SSL helps protect the browser against a Man in the Middle Attack.
To understand more about how an SSL certificate protects you against certain types of attacks, let’s examine how this type of attack works and how an SSL certificate would (hypothetically) work in this situation.
What is a Man in the Middle Attack?
This type of attack occurs when attackers end up interrupting any data transfer or existing conversation. They disguise themselves as both legitimate parties – the website sending the data, and the user receiving the data.
As a result of this disguise, they are able to find out exactly what information a website is receiving from a user.
This information could also include malicious links and other types of malicious payloads (such as malware, adware, and spyware). If your site is not secured by a heavy-duty SSL certificate, it could be possible for outside attackers to perform a man-in-the-middle attack and hijack the ownership of your website.
Where Do SSL Certificates Come In?
These certificates act as a shield between your website and the attacker. By providing such protection, your website can essentially be free of these types of attacks, and it will be more trusted by your users as a result.
SSL certificates also provide authentication capabilities, since they are digitally signed by the trusted third party that issues them. Since an SSL certificate is installed on the web server hosting the site, it can be used to secure URLs on that particular server.
By using this “shield” on your site, you protect yourself along with your users from prying eyes, making sure that their private data is secure so long as they continue to use your website.
And now you know why one of the SSL certificate symbols is that of a “shield” in addition to a padlock!
How Do You Plan on Implementing Security on Your Website?
The big question is: What level of security do your users need?
If you have a site where passwords or orders will be entered, then a domain-validated SSL should be sufficient for now.
But if your business gathers any type of personally identifiable information such as credit cards or social security numbers, EV certificates will help encrypt all pages on your site automatically. This includes everything from payment form types to downloads and resource sharing.
An EV certificate ensures that all data passed between visitors’ devices and yours can’t be compromised – and at a price that’s affordable for most businesses today.
When it comes to protecting users’ data online, these types of certificates are the most trusted by modern browsers and computing platforms.
Your website’s security is absolutely an important consideration, especially if you maintain ecommerce and other types of information-sensitive websites.
How do you plan on using an SSL certificate in your next website project?