Comment, news and views about ServWise and the IT industries in general.

Got Website, Need SSL

Tuesday, June 24th, 2008

It has always been important that sensitive data sent over the Internet is transmitted and stored securely. Secure storage is a subject for another time; for now I’m going to talk about security during transit, which is most commonly achieved on the web using SSL (Secure Sockets Layer).

Secure Sockets Layer (AKA Transport Layer Security) is an “on the fly” encryption technology that securely encrypts data transmissions over a TCP/IP network.

I won’t go into exactly how SSL works, but you can find out much more from our friends at Wikipedia (link at end). What I will talk about here are the differences between the types of SSL certificate on the market today.

Choosing the right SSL certificate.

Choosing an SSL certificate does not need to be difficult. Firstly, let’s make things absolutely clear: when it comes to the job of securing data, all SSL certificates of the same key size will typically offer the same security level. If security is your only concern then any low cost SSL certificate (or even a self-signed one) will secure data to the same level of encryption.

So why should you BUY a certificate if they all do the same job?

The reason for the different types of SSL certificate has nothing to do with security and everything to do with assurance (trust). When you buy an SSL certificate from a certificate authority like VeriSign or GeoTrust you are validating your identity on the Internet and providing assurance to your customers that they are dealing with a legitimate business. You should also consider that if you are securing a public website, using an SSL certificate issued by a certificate authority will eliminate the scary browser pop-up message that your visitor would get if you were using a self-signed one.

What are Domain Validation, Organisation Validation and Extended Validation certificates?

These are the main types of SSL and provide different levels of assurance (Trust) to the site visitor.

With a Domain validated certificate, only ownership of the domain is validated, using an email sent to an address at the domain. It’s simple and fast, and you can normally have your certificate in under an hour, but it provides only the minimum assurance (trust) for the user.

An Organisation validated certificate takes longer, as your business or personal identity will be validated as well as the domain, and you will normally have to provide proof in the form of authenticated documents etc. However, this means that if a visitor decides to read the details of the SSL certificate in the browser, instead of just mentioning the domain it may also mention the business entity, adding more assurance for the visitor. Typically these types of SSL certificate will also come with Dynamic Site seals to help the visitor validate your site more easily.

An Extended validation (EV) certificate is a relatively new concept for SSL and is only fully supported in newer web browsers (Internet Explorer 7+, Firefox 3+ etc.); in older browsers it works just like a standard organisation validated SSL certificate. In newer browsers, however, it also provides a highly visible security indicator by turning the browser address bar green to indicate the site is highly trusted and fully validated. There is also no need for the visitor to manually view the certificate to validate ownership, as the business name and certificate issuer are clearly displayed in the address bar. These types of certificate are perfect for sites that deal with highly sensitive information like financial or medical data.

Here are some other things you should check before buying an SSL certificate.

What is a Dynamic site seal and do I need one?
A dynamic site seal is basically a piece of code provided by the SSL issuer that can be placed on the secure site. When clicked, it opens the SSL issuer’s site and shows a page providing information about the SSL certificate and who it is registered to. Sometimes the seal itself will display a dynamic graphic or HTML with the business name on it. This can add an additional element of assurance for the visitors of the site.

What is a Wild-card SSL certificate and how do they work?

When you register a standard certificate it is only registered for one “fully qualified” domain, so a registration for “domain.com” will only work for “domain.com”; it won’t work for “www.domain.com” or “secure.domain.com”. If you need an SSL certificate to work on www.domain.com you must make sure you generate your CSR for www.domain.com.

A Wild-card SSL certificate works slightly differently and allows you to use the same SSL certificate to secure multiple sub-domains of a domain, e.g. www.domain.com or secure.domain.com, as well as just domain.com. If you need to secure a lot of sub-domains then this can be a cost-effective way to do it.
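
The name-matching rule behind the two paragraphs above, as an added example (not ServWise's or any certificate authority's code): a simplified matcher in the style of RFC 6125, run over constructed certificate name lists for the article's domain.com. It assumes the wildcard stands for exactly one leftmost label, so the bare domain is covered only when the certificate also lists it as an additional name, which depends on the issuer; both cases are shown.

```python
def name_matches(cert_name: str, hostname: str) -> bool:
    """Compare one name from a certificate with the hostname being visited."""
    pattern = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(host):
        return False  # "*" stands for exactly one label, never zero or two
    if pattern[0] == "*":
        # Wildcard must be the whole leftmost label and sit under a real domain
        # ("*.com" is refused); the labels to its right must match exactly.
        return len(pattern) >= 3 and host[0] != "" and pattern[1:] == host[1:]
    # Any other "*" (e.g. "w*.domain.com") is treated as unsupported here.
    return "*" not in cert_name and pattern == host


def cert_covers(cert_names, hostname):
    """A certificate covers a host if any one of its names matches."""
    return any(name_matches(n, hostname) for n in cert_names)


# Constructed certificate name lists, using the article's domain.com example.
CERTS = {
    "standard, CSR for domain.com": ["domain.com"],
    "standard, CSR for www.domain.com": ["www.domain.com"],
    "wildcard only": ["*.domain.com"],
    "wildcard plus bare domain": ["*.domain.com", "domain.com"],
}
HOSTS = ["domain.com", "www.domain.com", "secure.domain.com", "a.secure.domain.com"]


def coverage(cert_names):
    """Return the subset of HOSTS that a certificate with these names covers."""
    return [h for h in HOSTS if cert_covers(cert_names, h)]


if __name__ == "__main__":
    for label, names in CERTS.items():
        print(f"{label:34} -> {coverage(names)}")
```

Before ordering, run the list of hostnames you actually serve through a check like this: a nested name such as a.secure.domain.com is not covered by any of the four certificates above.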

So in the end which SSL certificate should you purchase?

That question is obviously down to your own personal requirements. A basic domain validated SSL certificate can cost very little. However, if you want your customers to have extra assurance (trust) in your website then the advantages of an organisation validated or extended validation (EV) certificate can outweigh the costs.

For more information about SSL in general please visit Wikipedia.