If you’re a web designer or developer, you’ve heard about SSL certificates by now. They’re an important part of the web, and as a web professional, having knowledge of SSL certificate basics is therefore a must.
The web is filled with loads of information on SSL, but most of it is scattered about and hard to find. I’ve put together a list of 10 things web designers and developers should know about SSL certificates. I hope this post answers some of the questions you’ve had but never got around to finding answers for.
1. What is SSL?
SSL, or Secure Sockets Layer, is the standard security technology used to create an encrypted connection between a web server and your browser. The encrypted link ensures that all data transferred between your browser and the web server stays private and isn’t tampered with by anyone.
2. How SSL works
- When you visit a website, your browser actually establishes a connection with the Web server, using an SSL certificate. Your browser then requests that the Web server identifies itself to begin the SSL session.
- The Web server responds to this request by sending a copy of its SSL certificate to your browser.
- Your browser checks to see whether or not it trusts the SSL certificate, by comparing the certificate to see if it is associated with a trusted Certificate Authority (CA) root. If it is, the browser responds to the Web server.
- The Web server then sends a digitally signed acknowledgement to begin an SSL encrypted session.
- All data shared between your browser and the Web server will be encrypted until you close the browser tab or visit a different website.
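The trust check in the third bullet can be reproduced offline with the `openssl` command-line tool. The script below is an added example, not part of the original post; the two root CAs and the hostname `www.example.test` are constructed locally for the demonstration.

```sh
#!/bin/sh
# Constructed demo: every key, CA and hostname is generated locally.
# Nothing here contacts a real server or a real CA.
set -eu

WORK=$(mktemp -d)

# make_root DIR NAME: create a self-signed root CA (private key + certificate).
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR ROOT HOST: make a server key and CSR, then have ROOT sign it.
# The signed certificate is written to DIR/HOST-by-ROOT.pem.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 30 -out "$1/$3-by-$2.pem" 2>/dev/null
}

# browser_trusts ROOT_PEM CERT_PEM: does the certificate chain up to a root
# the client already trusts? Prints "trusted" or "rejected".
browser_trusts() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

make_root "$WORK" demo-trusted-root   # stands in for a root the browser ships with
make_root "$WORK" demo-unknown-root   # a root that is not in the browser's trust store
issue_cert "$WORK" demo-trusted-root www.example.test
issue_cert "$WORK" demo-unknown-root www.example.test

TRUST="$WORK/demo-trusted-root.pem"
echo "signed by trusted root: $(browser_trusts "$TRUST" "$WORK/www.example.test-by-demo-trusted-root.pem")"
echo "signed by unknown root: $(browser_trusts "$TRUST" "$WORK/www.example.test-by-demo-unknown-root.pem")"
```

Both certificates carry the same hostname; only the one whose signature chains to the trusted root passes, which is the check a browser performs before it continues the session.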
3. Encryption levels
When SSL certificates first made a commercial appearance in the 1990s, they offered encryption levels as low as 40-bit and up to 128-bit. These encryption levels were and still are dependent on the website visitor’s computer operating system, browser and the server being connected to.
Advancements such as Server-Gated Cryptography forced a minimum encryption level of 128-bit and up to 256-bit for newer computers.
Today, SSL certificates offer up to 256-bit encryption easily. This is due to advancements in browser security and computer operating systems.
4. SSL certificates prevent man-in-the-middle attacks
Having an SSL certificate installed on your or your client’s website can prevent crippling threats like man-in-the-middle (MITM) attacks.
An MITM attack takes place when a hacker relays and sometimes changes the data being transferred between two parties who believe they are communicating directly with each other. The hacker is then able to impersonate either party to whatever end.
SSL certificates prevent MITM attacks because they encrypt data transferred between two points, and because the browser only continues the session after checking that the server’s certificate is associated with a trusted CA root (see point 2).
5. The CSR
A CSR, or certificate signing request, is a file generated on the server that hosts a website. It’s used during the enrollment of an SSL certificate and includes information that your CA will need to authenticate before issuing your certificate.
6. Installing an SSL certificate
Your SSL certificate is installed on the server where your site is hosted. The certificate must be installed along with the private key generated when you created your CSR.
The installation process takes anywhere from five to 10 minutes. If you’re hosting your client’s site with your hosting company and would rather not install the certificate or generate the CSR, your hosting provider will be able to do both for you.
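The following script is an added example, not part of the original post. It generates a private key and CSR with `openssl`, lists the hostnames the CSR asks the CA to cover, and checks that a key file is the one the CSR was created from, which is the pairing the installation step depends on. The organisation and the `example.test` hostnames are constructed, and `-addext` needs OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Constructed demo: the organisation, hostnames and keys are made up locally.
set -eu

WORK=$(mktemp -d)
KEY="$WORK/site.key"
CSR="$WORK/site.csr"

# Generate the private key and the CSR together. The key stays on the
# server; only the CSR is sent to the CA. Two hostnames are requested
# through the subjectAltName extension.
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=GB/O=Example Ltd/CN=www.example.test" \
    -addext "subjectAltName=DNS:www.example.test,DNS:shop.example.test" \
    -keyout "$KEY" -out "$CSR" 2>/dev/null

# An unrelated key, to show what a mismatch looks like.
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

# csr_names CSR: the hostnames listed in the CSR, space separated.
csr_names() {
    openssl req -in "$1" -noout -text |
        grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2 | tr '\n' ' ' | sed 's/ $//'
}

# key_matches_csr KEY CSR: compare the public key derived from the private
# key with the public key embedded in the CSR. Prints "match" or "mismatch".
key_matches_csr() {
    if [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl req -in "$2" -noout -pubkey)" ]; then
        echo match
    else
        echo mismatch
    fi
}

echo "names requested: $(csr_names "$CSR")"
echo "site.key vs CSR:  $(key_matches_csr "$KEY" "$CSR")"
echo "other.key vs CSR: $(key_matches_csr "$WORK/other.key" "$CSR")"
```

Running the same comparison before installation catches the common case where the certificate is paired with a key from a different CSR.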
7. Different validation types of SSL certificates
There are currently three validation types of SSL certificates. Each type is issued based on a certain level of authentication that your CA must complete in order to issue the SSL certificate.
Domain Validation (DV) SSL certificates
DV certificates are the easiest to get hold of, which is also why they are often used for malicious purposes, such as phishing sites designed to steal sensitive information from unsuspecting website visitors. To get a domain validated SSL certificate you only need to prove that you own the domain, or have the right to use the domain that you want to secure.
Organisation Validated (OV) SSL certificates
OV certificates, or fully authenticated SSL certificates, require more vetting. You need to prove that your certificate will be issued to a registered organisation. You must also prove ownership of that domain (or the right to use it).
Extended Validation (EV) SSL certificates
EV SSL is one of the most recent developments in the SSL industry. EV SSL helps website visitors who were not aware of the existence of phishing websites easily spot an untrusted website through the use of visual cues in the URL address bar.
When visiting a website with an EV SSL certificate, the address bar displays the organisation’s name in green text.
Authentication is where the CA confirms information in your CSR with trusted third party databases. In the case of OV certificates, this involves confirming that your business is a registered entity, while EV certificates require additional vetting, such as a legal opinion letter from your lawyer.
9. Enhanced SSL
These are SSL certificates capable of securing multiple domains and subdomains. They work well in environments that need to be able to manage more than one domain, such as Microsoft Exchange where auto-discover is activated, or where a client has many websites associated with subdomains.
10. SSL and your reputation as a web professional
Knowing a little about SSL certificates helps you provide your customers with more value than your competition. Being able to advise them on which option to choose and why will position you as a stronger partner whose interests extend beyond web design and development.
As a web professional, you are also able to join the TrustTheSite Reseller Program, where you can create a revenue stream by reselling SSL certificates along with websites you develop.
SSL certificates are important for website security. They prevent threats such as man-in-the-middle attacks by using encryption, and provide website visitors with peace of mind and the security to share sensitive data online. Web designers and developers with knowledge of SSL certificate basics are able to offer more value to their clients and create stronger relationships and recurring revenue streams as SSL resellers.