SSL Certificates: What they are, why you should use one, and how to get one
As security becomes a greater priority for more and more web users, browsers and website owners alike are working to make website security front and center. Find out what an SSL certificate is, why you need one, and how to get one.
Until surprisingly recently, HTTPS, a secure web protocol that uses SSL certificates, was a sort of “special use” case—most people knew to look for the little lock icon in the address bar when buying things online and website administrators made sure it was installed on any page with logins or that asked for credit cards.
Lately, however, there’s been a push led by the developers of the most common web developers to universalize the use of SSL certificates by making the lack of one much more obvious and glaring.
But what is HTTPS? What’s an SSL certificate? Why should you use one? How do you get one?
What is HTTPS?
Trust is one of the key problems of the internet. The ability to communicate instantaneously with virtually anyone across continents and oceans has proven to be tremendously valuable and has fueled a revolution in our society.
But this new way of relating to one another brought with it the problems of bad faith users exploiting the relative anonymity as well as the free and open sharing of information to steal valuable data intended to be communicated only in private to a trusted individual or entity.
HTTPS is a solution to this basic problem.
HTTPS is a secure version of HTTP. HTTP is the rules for transferring website data on the internet. That means everything on webpages you visit, and everything you enter into forms on the website or otherwise communicate back to the website itself (like when you click a link) uses the rules of HTTP to communicate. It’s sort of like a shared language.
The S just means “secure,” so HTTPS is a way to do that without anyone being able to peak at what’s being sent and received. HTTP originally lacked this feature and anyone who could “listen in on” the communications anywhere between your computer and the website server (the computer the website lives on) could see whatever was being sent.
Or the other thing that could happen is someone could insert themselves into the middle of the communication channel, secretly relaying the communications between the website and the website’s visitor without either computer being aware that it wasn’t communicating directly with the other.
That’s how hackers could steal passwords or credit card numbers when entered into forms on pages using HTTP.
HTTPS responds to both of these ways of stealing information by doing two things in particular:
- Authentication: establishing a direct link between a website and the website visitor so that each side knows they are talking who they think they are talking to
- Encryption: ensuring that only the website and the website visitor can read what’s in a given communication by encoding it with a special cipher that only the website visitor and website can (easily) decode
What is an SSL certificate?
You’ve probably used a basic cipher before. Decoder rings and coded messages make good toys and puzzles for the back of children’s menus. But these kinds of messages are easy enough to crack if you know how and you probably wouldn’t want to use a decoder ring to encrypt sensitive data like your credit card number.
No, you would want an unbreakable code, or as close to it as possible.
But then, without providing the cipher to the person or entity you were communicating with, your message wouldn’t be readable on the other end when it got to where you actually did want it to go.
Which is easy enough if you can just give the cipher physically. But that doesn’t get you to being able to buy something from an online store you’ve never been to. If you had to deliver the cipher in person, what would the advantage be to shopping online?
What you need is someway to communicate that cipher over the internet without anybody being able to piece it together by eavesdropping on that process. Seems impossible, right?
Well, it turns out you can do that. With math. We’ll spare you the explanation, but essentially you can use math to make it so that both you, the website visitor, and a website, have separate, secret ciphers that only you know. You can use these ciphers to encrypt a message and send it to the other person and the other person can use their cipher to decode it.
An SSL certificate connects company information to that cipher, or cryptographic key, so that you can be sure that you can trust the website you’re communicating with.
Here’s how it works:
- When you connect to a website, your browser requests that the web server that hosts the website identify itself
- The server sends back a copy of its SSL certificate
- The browser checks the certificate
- The browser confirms with the server that it checked the certificate
- The server returns a digitally signed acknowledgement
- The server starts an “encrypted session”
- Data gets shared back and forth between the browser and the server in this session
In this process, in order to confirm that the SSL certificate belongs to the server in question, the certificate needs to be signed by a Certificate Authority.
This is a select group of providers who take steps to verify that someone requesting an SSL certificate is who they say they are. There are various ways in which this can be validated, and exactly what validation takes place corresponds to the different types of SSL certificates.
How do you get an SSL certificate?
When you purchase an SSL certificate, there are two primary considerations to make.
First, what type of validation do you need? Validation can be very simple, even automatic, to a month-long process of verification of legal documents and public business registration databases.
Here are the basic steps to creating an SSL certificate:
- Choose the size of certificate
- Create the CSR
- Choose the validation method
There are also certificate “sizes” that correspond to how many addresses are covered by a single certificate:
- Single: This certificate size covers a single subdomain of your domain name, and your bare domain (without any subdomain). Most commonly, the subdomain people choose is www.
- Wildcard: Wildcard certificates cover any subdomain of a domain. The name comes from the “wildcard character,” *, which signifies that the character can be replaced with any value, so *.example.com means www.example.com but could also mean foo.example.com, shop.example.com, store.example.com, etc. A Wildcard certificate would cover all of these possibilities.
⚠️ A wildcard certificate covers *.example.com but not *.*.example.com. That is, it covers foo.example.com but not www.foo.example.com, shop.foo.example.com, foo.shop.example.com, or any such domains
- Muli-domain: This covers more than one domain name. You would have to specify which domains it would be for, but you could choose to cover several of your domain, regardless of whether they are connected or related in any way
CSR stands for Certificate Signing Request. This is a file that gets sent to the Certificate Authority (CA) and serves both as the request for the certificate and begins the process of creating your certificate by providing the CA with what it needs in order to “sign” your certificate.
This can be generated automatically if you purchase your SSL certificate from your hosting provider, as is the case if you’re getting an SSL certificate at Gandi for your Simple Hosting instance.
Next, you’ll need to choose your validation method. Here are the types of SSL certificate validation available:
A standard certificate uses a form of automatic verification. This level of verification is intended to verify that the requestor of a certificate also has administrative rights to the domain name, meaning that they can modify the technical configuration of the domain name. There are a few ways to do that:
- DNS verification: the Certificate Authority (or CA) provides a DNS record that the domain owner needs to add to their DNS zone file. The CA issues the certificate once is can verify that the record has been added
- Email verification: the CA sends an email to the email address admin@ for the domain in question that contains a verification link. After the domain owner receives the email and clicks the link, the CA issues the certificate
- File verification: the CA provides a file that the domain owner must upload on their web server. Once the CA can verify the file is present, it can issue the certificate.
A standard validation certificate is good for securing any log in pages on your website, such as an administrative interface on your website or a members-only space, or a webmail service
A Pro certificate adds to the validation in a Standard certificate by adding a warranty in case of a security breach or issue.
As such, if you want to purchase this type of certificate, you need to provide identification documents as an added layer of validation.
Pro certificates are good for sites that conduct any kind of financial transactions, such as e-commerce sites or a customer login area.
Business or Extended Validation (EV)
These certificates are validated the same as Pro certificates but also include verification of your business in public registration documents. It also includes a phone call verification step. All of this is to provide additional verification to your customers.
This type of certificate is right for websites that handle a large amount of highly sensitive data, such as large e-commerce websites and they offer the highest level of protection currently available.
Get an SSL certificate at Gandi
If you’re ready to get your SSL certificate, you can get yours at Gandi today.Tagged in Securityssl