A great deal takes place online now that requires the exchange of personal information. Sites that regularly ask for web payments or other personal information should take extra measures to keep this data safe. In this article, we explain what an SSL is, how it works, how to check for an SSL, how to get one and the difference between an SSL and a TLS.
What is an SSL?
SSL, which stands for Secure Sockets Layer, is a protocol that establishes an encrypted and authenticated link between a web browser and a web server. This means that if anyone were to try to intercept this data, it would only come through as a jumbled mix of characters, making it almost impossible to decrypt. The purpose is to keep all data exchanged between the web browser and server secure and private. When a site asks for a user’s personal information, like payment information or an email address, it should have an SSL certificate.
How does an SSL work?
An SSL certificate encrypts data exchanged online to give users a high degree of privacy by initiating a handshake, or authentication process, between two devices that are trying to communicate through the use of a keypair, which consists of a public key and a private key. The private key is kept secret and secure, while the SSL certificate widely distributes the public key.
When a browser connects to a site or web server secured with an SSL, the browser prompts the server to identify itself. The server then responds by sending a copy of its certificate, which includes its public key. The browser checks that the certificate is unrevoked, unexpired and present on a list of trusted certificate authorities. A certificate authority is a publicly trusted entity that verifies identities, binds them to cryptographic key pairs and issues digital certificates.
If the certificate is deemed trustworthy, the browser develops, encrypts and transfers a symmetric session key with the server’s public key. After the server receives the symmetric session key, it uses its private key to decrypt it and then uses the session key to send back an encrypted acknowledgment. All data from both the server and browser is then encrypted and sent with the session key.
This process is meant to verify that both of the communicating devices are who they say they are. Once data is transferred, SSL also gives it a digital signature to give the data integrity and verify that it has been unaltered before reaching the intended recipient.
How to check your SSL
You can check to see the SSL status of your or someone else’s site by using three basic methods:
1. Check the URL
You can often tell if a website has an SSL certificate by checking the URL. While some URLs start with http: others begin with https:. That extra “s” signals that the website is encrypted and secure through SSL technology.
2. Look for a padlock
Aside from the URL, web browsers often indicate whether a site is using SSL by displaying a padlock in the address bar before the URL, while the address bar for unencrypted sites may say “not secure.”
3. Get a security overview
Though rare, a site may have a padlock and the “s” in the URL, but the SSL certificate could still have expired, meaning that the connection is actually unsecured. It’s worth checking to ensure the certificate is still valid, especially if the site is requesting a lot of personal information.
To check on a Chrome browser, click View in the menu bar, then Developer and finally Developer Tools. After that, find and click on the Security tab. This displays a Security overview, telling you whether the page is secure, the certificate is valid, the connection is secure and the resources are served securely. If you’d like more information, you can click “View certificate” to find out the exact date the SSL certificate is valid through.
How to get an SSL
If you need to get an SSL certificate for a website, you can follow these simple steps:
Update your WHOIS record.
Get a CSR.
Determine what kind of certificate you need.
Submit your CSR to a certified authority.
Install the certificate.
1. Update your WHOIS record
Certificate authorities use the WHOIS database to verify the owner or registered user of a domain name. Before you purchase an SSL certificate, log in to make sure the correct ownership information is listed, including the company name, address, email address and phone number.
2. Get a CSR
A certificate signing request (CSR) is a block of encoded text generated by your server. It contains key information that is included in the certificate, a private key and a public key. The steps necessary for generating the CSR vary depending on your server.
3. Determine what kind of certificate you need
You can pick the SSL certificate that’s best for your site based on the number of domains, validation and organization. Some different types of certifications are:
Single Domain SSL Certificate: This certificate only protects one domain, meaning that subdomains are left unsecured.
Unified Communications (UCC) SSL Certificate: Sometimes referred to as multi-domain SSL certificates, UCCs protect a single owner’s multiple domains under the same certificate. A UCC can cover as many as 100 domain names and displays a padlock in the address bar for verification.
Wildcard SSL Certificate: These certificates allow you to purchase one certificate to cover one domain and its subdomains.
Domain Validation (DV) Certificate: You may be able to receive faster and more cost-effective protection from a DV certificate. This certificate only offers a low level of encryption, though, because you’re unable to find out who is receiving your encrypted information. A green padlock appears in the address bar for sites with a DV certificate. Additionally, subdomains are left unsecured with a DV certificate.
Organization Validated (OV) SSL Certificate: You can obtain a moderate level of encryption with an OV certificate. You obtain these certificates in just two steps and they typically cost a bit less than other certificates. Just like with a DV certificate, a green padlock verifies a site is encrypted with this type of certificate.
Extended Validation (EV) SSL Certificate: These may be the most expensive SSL certificates available, but they also very clearly show your domain’s legitimacy in the address bar with a HTTPS URL, the business name, the country and a padlock. This type of certificate is recommended for sites that need identity assurance because they collect data or process web payments.
4. Submit your CSR to a certified authority
There are quite a few certified authority (CA) options out there. Once you pick one, you should purchase the certificate you need and submit the necessary information.
5. Install the certificate
Once the CA verifies your identity, they should generate and issue a signed certificate for you to install on your web server.
SSL vs. TLS
A TLS, or Transport Layer Security, is essentially an updated version of an SSL. Aside from the difference in name and a few updates, SSL and TLS protocols are closely related. In fact, the names are often confused and used interchangeably.
Though they are similar, the SSL protocol was last updated in 1996, which has made it more vulnerable than the up-to-date TLS encryption protocol. Because of this, many experts suggest switching to TLS, and most web browsers are unable to support SSL entirely. The prominence of the SSL name has made it a bit confusing when shopping for an online security solution. Most of the time, when you see or hear someone talking about SSL encryption, they are actually referring to TLS protection.