To many people, SSL is just another acronym to deal with when trying to learn about Web technology. However, SSL is one of the most important pieces of the puzzle for privacy and security on the Web.
SSL is an acronym for Secure Sockets Layer. Follow the link if you want the technical run-down. We’ll go over the basics here.
You’ve Used SSL, But May Not Know It
SSL is used by millions of people every day to keep their online transactions and email secure. Many people probably don’t even realize they are using it, or know much about SSL itself, but they at least know their transactions are secure because a website or service will tell them so.
Anytime you use a website that allows you to enter your credit card number or sensitive information such as social security numbers or passwords, the connection to that website is most likely encrypted using SSL. Your web browser will tell you if your connection is secure. For example, in Firefox you will see this:
Notice that Google has a gray lock icon, while Namecheap has a green lock icon with their corporate name attached. When you see this, your web browser is telling you “Hey, your connection to this website is secure and encrypted!”
What SSL Means for Online Business
For websites that incorporate e-commerce or secure information transactions, SSL is a must. If you collect information through forms or have login systems on your website that are not operated over SSL, you should consider talking to your IT or web team to make changes immediately.
How SSL Works
When using SSL, all of the information being sent between your computer and the website that you are interacting with is sent as encrypted information. If anybody does tap into that stream of info, all they will see is garbled, unreadable information instead of plain text with your credit card number or social security number.
Purchasing, Creating and Installing SSL Certificates
If you are looking to add SSL to your website, you will need to purchase and install an SSL certificate. There are many popular SSL providers out there. One respected provider, for example, is DigiCert (https://www.digicert.com/).
After purchasing the SSL certificate, the SSL provider will take you through a verification process so that they can prove that you are a legitimate entity or organization. This process is what creates the trust that the SSL certificates provide to users. For higher levels of trust and more expensive SSL certificates, the SSL provider will spend more time and use more rigorous techniques to verify the legitimacy of your business.
When creating an SSL certificate, you will need to generate a Certificate Signing Request from your web server, also known as a CSR. When generating a CSR, a private key is also automatically generated at the same time (if you don’t already have one). This CSR is then sent to the SSL provider, and contains your public key, which is used to generate your SSL certificate. The private key is kept private, by you, and only resides on your server.
Most web hosting control panels have functions to allow you to generate the CSR and the private key fairly easily, and also allow you to install the SSL certificates after you receive them from the SSL provider.
The installation process of an SSL certificate, simplified, will usually be like this:
- Buy an SSL certificate from an SSL provider.
- Generate a CSR from your web server, which creates public and private keys.
- Don’t do anything with the private key; leave it on the web server.
- Send the CSR to your SSL provider.
- Follow any verification processes such as replying to verification emails or phone calls, or providing documentation that verifies the ownership and existence of your organization.
- Receive the SSL certificate along with the CA root certificates from the SSL provider, and install them on your web server.
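The CSR steps above, as an added example that is not part of the original article: shell functions that use the OpenSSL command-line tool to create the key pair and CSR, then check that the CSR is correctly signed, carries only the public key, and matches the private key left on the server. The domain www.example.com, the file names and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. www.example.com, the file names and the function names
# are placeholders chosen for this illustration.

# Create a 2048-bit RSA private key and a CSR for one domain.
# -nodes leaves the key unencrypted so the web server can load it,
# so the umask keeps the key file readable by its owner only.
make_csr() {
    domain=$1; dir=$2
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$dir/$domain.key" -out "$dir/$domain.csr" \
          -subj "/CN=$domain" 2>/dev/null )
}

# The CSR is self-signed with the private key; a CA checks this too.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# The public key inside the CSR must be the one derived from the key file.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# What gets sent to the provider must contain no private key material.
csr_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$1"
}

# The key file should carry mode 0600 (owner read/write only).
key_is_owner_only() {
    case $(ls -l "$1") in
        -rw-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo in a throwaway directory.
work=$(mktemp -d)
make_csr www.example.com "$work"
csr_signature_ok "$work/www.example.com.csr" && echo "CSR signature: OK"
csr_matches_key "$work/www.example.com.csr" "$work/www.example.com.key" \
    && echo "CSR public key matches private key"
csr_has_no_private_key "$work/www.example.com.csr" && echo "CSR carries no private key"
key_is_owner_only "$work/www.example.com.key" && echo "key file is owner-only"
```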
Types of SSL Certificates
There are three typical types of SSL options you will find when you go out to buy:
- Domain Validated SSL – These are typically the cheapest options and can be obtained and installed on your website within a matter of hours. The validation process usually involves just replying to a validation email.
- Organization Validated SSL – These are typically mid-range in price and can be obtained and installed in 1-3 days in most cases. The validation process usually involves replying to a validation email and answering a validation phone call, as well as verifying your business address.
- Extended Validation SSL (EV SSL) – These are high-end SSL certificates that offer the most rigorous validation process and will give you the green bar with your business name next to your website address in most modern web browsers. It can take a few days to obtain these certificates after ordering. The validation process may involve providing documentation about your business entity and proving business ownership.
If budget is a concern, most organizations will use Domain Validated or Organization Validated SSL certificates as they are cheaper and easier to set up. Most serious e-commerce sites or businesses that want maximum trust with their users will opt for the EV SSL certificates and get the green bar with their business name in the browser.