SSL certificates: What they are and what they’re for

The internet is a wonderful place for many people: freely available information, global communication, unlimited exchange of knowledge. However, not all internet users have good intentions. Time and time again, criminals come up with new methods of retrieving your sensitive data, like e-mail or online banking passwords. To this end, they might set up fraudulent websites similar to those of reputable companies. Unsuspecting users often fall for this scam, unintentionally passing their private data on to criminals. However, harmless sites can also be abused by criminals. If transmissions between you and a website operator’s server is not sufficiently secure, third parties may try to access the data stream.

In order to protect user’s data from this kind of infiltration, standardized SSL certificates have been established. Therefore, a website assures the user (or more precisely: corresponding browser): “your data is safe with us!”

In the meantime, certificates should no longer work with the outdated SSL, but rely on the newer and more secure TLS (transport layer security). However, colloquially SSL certificates are still the most common term when it comes to encryption protocols. The certificate itself is a data record: a file contains a great deal of information like the name of an issuer, the serial number, or even the so-called fingerprint for encryption. Certificates are available in various file formats. If the website operator wants to use a certain certificate, then they need to install it on the server.

To obtain a certificate, website operators need to contact a certification authority. These organizations are entitled to issue an SSL certificate, but usually charge fees for their services. But why can’t everyone just start their own organization? The reason is because browser manufacturers like Microsoft, Mozilla, or Google also need to accept the certificates, otherwise the corresponding certificate does not really benefit you. The software company Symantec also had to deal with this issue: After Google withdrew trust from the software vendor, their certificates are no longer supported by Chrome. As a result, Google browser users no longer receive an encryption icon that indicates a secure data transfer when surfing a website that uses a Symantec certificate.

However, a certificate accepted by browsers is by no means valid forever. Each SSL certificate has an expiry date. If this is reached, the website operator must renew the certificate, otherwise the corresponding pages will no longer be shown as secure. Although regular renewal of certificates can be both time-consuming and costly for website operators, it is still necessary. Only if authentication authorities regularly check the integrity, identity, and encryption mechanisms used, can user security be guaranteed.

There are several ways to encrypt data transfers. Usually, you need a key to encrypt something and the exact same key to make the message readable again. However, this method does not make sense on the internet, because users often make contact with people or organizations that they’ve never communicated with outside of the internet before. Consequently, there is no way to pass a key without first sending it unencrypted through a publicly accessible medium. Therefore, SSL certificates use a different procedure.

In a public-key infrastructure, you don’t just create one key, instead you create two: a completely public and private one. A message is encrypted with the public key and can only be decrypted with the private key. It is then the public key and can only be decrypted with the private key. This key is then received by the browser through the certificate and used for encryption. There are different methods for coding the information. Here, too, the web server provides the browser with the necessary information through the certificate.

For example, AES (advanced encryption standard) with the SHA256 cryptographic hash function is a commonly used encryption method, but the standards change regularly, since both criminals and crypto experts are constantly working to identify the encryption mechanism vulnerabilities.

There are several types of SSL certificates. Although there are different exhibitors with different verification mechanisms, these factors are not decisive criteria. Rather, SSL certificates are differentiated according to, among other things, how thoroughly the applicant’s verification is carried out and how large the certificate’s range is.

There are three types of verification. These differ not just in terms of processing time, but also in terms of associated costs. While domain validation SSL certificates are now available for free, individuals and small businesses are rarely able to meet the cost of extended validation.

Domain validation is the lowest level of SSL certificates: staff verification behind the website address is correspondingly superficial. The authentication authority often only sends an e-mail to the e-mail address specified in the WHOIS entry. For example, the applicant is asked to change a DNS entry or to upload a specific file to his server to signal control of the domain.

The verification process can be fully automated and is therefore not considered safe by many. Some browsers therefore mark a DV SSL certificate separately to point out the lower security standards compared to other certificates. With this form of certificate you will not receive any further information about the website operator.

OV SSL certificates are one level higher in terms of visitor safety. As part of the validation, the certification body requests documents from the website operator – usually after the automated domain validation process has been completed. Which documents they require depends on the exhibition organization, e.g. an extract from the commercial register is sometimes requested. In addition, some authentication authorities contact the website operator by telephone. OV SSL certificates provide internet users with more security, since they closely monitor who is actually running the website in advance. They also offer the advantage of keeping this information visible for every user in the actual certificate himself.

SSL certificates offered by the extended validation label provide the highest level of security. With this type of certificate, the domain and the organization associated with it, and the applicant themselves, are checked. It also checks whether the applicant actually works for the specified organization or company and whether they are entitled to request a certificate. Additionally, the certification body also needs to be authorized to carry out extended validations. To be authorized, the site needs to pass a review by the CA/Browser Forum. This is a voluntary association of certification bodies and browser manufacturers.

A significant factor in choosing an SSL certificate is how expensive it will end up being. Generally speaking, the more advanced the certification is, the more you’ll have to pay for the certificate in the end. Since 2015, Let's Encrypt has even been a SSL-Certificate provider that issues certificates for free.

If it's just a matter of securing a website so that it can be accessed via HTTPS rather than via the usual HTTP, a free certificate fulfils the requirements just as well as a paid certificate. Both solutions use the transfer protocol SSL or TLS and thus make secure data transfer binding for clients and servers.

However, there are several crucial differences between free and paid certificates:

• Validation level: When issuing a certificate, the verification of a website operator is not very extensive - domain validation is the typical level of control here. Certificates with a higher security level are always subject to a fee.
   
• Validity: Most paid certificates are valid for one or two years. Free certificates expire after 90 days at the latest. So if you rely on free SSL/TLS, you will have to exchange the certificate much more often.

Domain affiliation: A free SSL certificate can always be generated exclusively for a single domain to which it is then bound. Paid SSL/TLS solutions also allow cross-domain certificates that can be used for several websites.

Paid SSL offers various advantages over the free alternatives. Paid certificates are valid for longer and - depending on the provider and package - can also be used for several domains. This not only increases flexibility, but also requires much less effort from the website operator. In the event of a problem, the respective providers or certification authorities also provide individual support as standard - a luxury that users of a free SSL Certificate have to do without.

A further advantage of chargeable SSL certificates is that often not only the indication of active HTTPS but also the own company name can be presented in the browser line - as long as you choose the appropriate provider and package.

A paid SSL certificate, which is EV-tested, is without doubt the best form of encryption for your web project. However, this type of certification can only be obtained by larger companies. Cheaper certificates are usually enough for projects in the SME sector. As long as no highly sensitive data is handled - online banking is an example of a company handling sensitive data. For smaller projects where the transfer of personal data plays little to no role at all, free SSL certificates are a good alternative to the paid-for offers. In this case you’ll have a bit more admin on your hands but fewer outgoing costs.

When you apply for an SSL certificate, you should pay attention to how far it goes – including whether, for example, subdomains fall under the certificate.

A normal certificate is only valid for a single domain. This means that “www.example.com” and all subpages of this website are covered by the same SSL certificates, but their subdomains are not. If you need your subdomains to be covered too, then you need to apply for another certificate or purchase a wildcard certificate.

Some certificates have this title since they work with a wildcard. Instead of entering “www.example.com,” for example, these SSL certificates also apply to all subdomains – i.e. also to “mail.example.com” or “blog.example.com.” They are issued in the form “*.example.com.” The asterisk symbolizes the wildcard.

Multi-domain certificates (also called SAN certificates) extend far beyond the reach of single name or wildcard certificates. Many certification bodies offer their customers certificates covering up to 100 domains. For example, applicants with only one certificate can secure both “www.example.com” and “www.example.org.” This is possible if you use a subject alternative name extension – an additional field in the certificate that contains all other domains.

If the website you are on does not have a validated SSL certificate, there will be no green lock or “https://”in the address bar. In addition, some browsers warn users on these websites when they attempt to transmit passwords or other sensitive data to the server. The program then alters them so that their data won’t be intercepted by strangers.