WHAT IS SSL?
SSL stands for “Secure Sockets Layer.” It is a technology that establishes a secure session link between the visitor’s web browser and your web site so that all communications transmitted through this link are encrypted and are, therefore, secure.
SSL is also used for transmitting secure email, secure files, and other forms of information.
What is an SSL Certificate?
An SSL Certificate is a digital computer file (or small piece of code) that has two specific functions:
1. Authentication and Verification: The SSL Certificate has information about the authenticity of certain details regarding the identity of a person, business or web site, which it will display to visitors on your web site when they click on the browser’s padlock symbol or trust mark (e.g., the VeriSign (Norton) seal).
The vetting criteria used to determine if an SSL Certificate should be issued are most stringent with an Extended Validation (EV) SSL Certificate, making it the most trusted SSL Certificate available.
2. Data Encryption: The SSL Certificate also enables encryption, which means that the sensitive information exchanged via the web site cannot be intercepted and read by anyone other than the intended recipient.
In the same way that a physical identity document or passport may only be issued by the relevant country’s government officials, an SSL Certificate is most reliable when issued by a trusted Certificate Authority (CA). The CA has to follow very strict rules and policies about who may or may not receive an SSL Certificate. So, when you have a valid SSL Certificate from a trusted CA, there is a higher degree of trust.
HOW DOES SSL ENCRYPTION WORK?
In the same way that you lock and unlock doors and other things using a key, encryption makes use of keys to lock and unlock your information. Unless you have the right key required, you will not be able to “open” the information.
Each SSL session consists of two keys:
- The public key is used to encrypt (jumble up) the information.
- The private key is used to decrypt (un-jumble) the information and restore it to its original format so that it can be read.
The Process: Every SSL Certificate is issued for a specific server and web site domain (web site address) for a CA-verified entity. When a person uses their browser to navigate to the address of a web site with an SSL Certificate, an SSL handshake (greeting) occurs between the browser and server. Information is requested from the server—which is then made visible to the person in their browser. You will notice changes in your browser (for more details, please see “How Do I Know That a Site Has a Valid SSL Certificate?” below).
If you click on the trust mark, you will see additional information such as the validity period of the SSL Certificate, the domain secured, the type of SSL Certificate, and the issuing CA. A secure link is established for that session, with a unique session key, and secure communications can begin.
HOW DO I KNOW THAT A SITE HAS A VALID SSL CERTIFICATE?
- A standard web site without SSL security displays “http://” before the web site address in the browser address bar. This moniker stands for “Hypertext Transfer Protocol,” and is the conventional way to transmit information over the Internet. However, a web site that is secured with an SSL Certificate will display “https://” before the address. This stands for “Secure HTTP.”
- You will also see a padlock symbol on the top or bottom of the Internet browser (depending on which browser you are using).
- Often, you will also notice a trust mark displayed on the web site. Symantec customers use the Symantec® seal trust mark on their web sites. When you click on the VeriSign (Norton) seal or the padlock symbol on the page, it will display details of the relevant certificate with all of the company information as verified and authenticated by the CA.
- By clicking the closed padlock in the browser window, or certain SSL trust marks (such as the VeriSign (Norton) seal), the web site visitor sees the authenticated organization name. In high-security browsers, the authenticated organization name is prominently displayed and the address bar turns green when an Extended Validation (EV) SSL Certificate is detected. If the information does not match, or the certificate has expired, the browser displays an error message or warning.
WHERE WOULD I USE AN SSL CERTIFICATE?
The short answer to this question is that you would use an SSL Certificate anywhere that you wish to transmit information securely and show customers that you are doing just that.
Here are some examples:
- Securing communication between your web site and your customer’s Internet browser.
- Securing internal communications on your corporate intranet.
- Securing email communications sent to and from your network (or private email address).
- Securing information between servers (both internal and external).
- Securing information sent and received via mobile devices.
DIFFERENT TYPES OF SSL CERTIFICATES
There are a number of different SSL Certificates on the market today.
- The first type of SSL Certificate is a self-signed certificate. As the name implies, this is a certificate that is generated for internal purposes and is not issued by a CA. Since the web site owner generates their own certificate, it does not hold the same weight as a fully authenticated and verified SSL Certificate issued by a CA.
- A Domain Validated Certificate is considered an entry-level SSL Certificate and can be issued quickly. The only verification check performed is to ensure that the applicant owns the domain (web site address) where they plan to use the certificate. No additional checks are done to ensure that the owner of the domain is a valid business entity.
- A fully authenticated SSL Certificate is the first step to true online security and confidence building. Taking slightly longer to issue, these certificates are only granted once the organization passes a number of validation procedures and checks to confirm the existence of the business, the ownership of the domain, and the user’s authority to apply for the certificate.
- Even though an SSL Certificate is capable of supporting 128-bit or 256-bit encryption, certain older browsers and operating systems still cannot connect at this level of security. SSL Certificates with a technology called Server-Gated Cryptography (SGC) enable 128- or 256-bit encryption to over 99.9% of web site visitors. Without an SGC certificate on the web server, browsers and operating systems that do not support 128-bit strong encryption will receive only 40- or 56-bit encryption. Users with certain older browsers and operating systems will temporarily step up to 128-bit SSL encryption if they visit a web site with an SGC-enabled SSL Certificate. For more information about SGC please visit: www.Symantec.com/sgc.
- A domain name is often used with a number of different host suffixes. For this reason, you may employ a Wildcard Certificate that allows you to provide full SSL security to any host of your domain, for example: host.your_domain.com (where “host” varies but the domain name stays constant).
- Similar to a Wildcard Certificate, but a little more versatile, the SAN (Subject Alternative Name) SSL Certificate allows for more than one domain to be added to a single SSL Certificate.
- Code Signing Certificates are specifically designed to ensure that the software you have downloaded was not tampered with while en route. There are many cyber criminals who tamper with software available on the Internet. They may attach a virus or other malicious software to an innocent package as it is being downloaded. These certificates make sure that this doesn’t happen.
- Extended Validation (EV) SSL Certificates offer the highest industry standard for authentication and provide the best level of customer trust available. When consumers visit a web site secured with an EV SSL Certificate, the address bar turns green (in high-security browsers) and a special field appears with the name of the legitimate web site owner along with the name of the security provider that issued the EV SSL Certificate. It also displays the name of the certificate holder and issuing CA in the address bar. This visual reassurance has helped increase consumer confidence in e-commerce.
TECH TALK MADE SIMPLE
Encryption: Information is “jumbled up” so that it cannot be used by anyone other than the person for whom it is intended.
Decryption: “Un-jumble” information and put it back in its original format.
Key: A mathematical formula, or algorithm, that is used to encrypt or decrypt your information. In the same way that a lock with many different combinations is more difficult to open, the longer the length of the encryption key (measured in number of bits), the stronger the encryption.
Browser: A software program that you use to access the Internet. Examples include Microsoft Internet Explorer (IE), Mozilla Firefox, Apple Safari, Flock, and Google Chrome.
Are All SSL Certificates the Same?
The number of businesses that use SSL has increased tremendously over the past few years, and the reasons for which SSL is used have also increased, for example:
- Some businesses need SSL to simply provide confidentiality (i.e. encryption)
- Some businesses like to use SSL to add more trust or confidence in security and identity (they want you to know that they are a legitimate company and can prove it)
As the reasons companies use SSL have become wider, three different types of SSL Certificates have been established:
- Extended Validation (EV) SSL Certificates
- Organization Validation (OV) SSL Certificates
- Domain Validation (DV) SSL Certificates
Extended Validation (EV) SSL Certificates are issued only when a Certification Authority (CA) checks to make sure that the applicant actually has the right to the specific domain name and, in addition, conducts a very thorough vetting (investigation) of the organization. The issuance process of EV Certificates is standardized and strictly outlined in the EV Guidelines, which were created at the CA/Browser Forum in 2007 and specify the required steps that a CA must take before issuing an EV certificate:
- Must verify the legal, physical & operational existence of the entity
- Must verify that the identity of the entity matches official records
- Must verify that the entity has the exclusive right to use the domain specified in the EV Certificate
- Must verify that the entity has properly authorized the issuance of the EV Certificate
EV Certificates are used for all types of businesses, including government entities and both incorporated & unincorporated businesses. They take about 10 days to issue.
A second set of guidelines, called the EV Audit Guidelines, applies to the CA itself and establishes the criteria against which a CA needs to be audited before being allowed to issue an EV Certificate. These audits are done every year to ensure the integrity of the issuance process.
Organization Validation (OV) SSL Certificates are issued only when a Certification Authority (CA) checks to make sure that the applicant actually has the right to the specific domain name and, in addition, does some vetting (investigation) of the organization. This additional vetted company info is displayed to customers when the Secure Site Seal is clicked, which gives enhanced visibility into who is behind the site and, in turn, enhanced trust in the site. They take about 2 days to issue.
Domain Validation (DV) SSL Certificates are issued when the CA checks to make sure that the applicant actually has the right to the specific domain name. No company identity information is vetted and no information is displayed other than encryption information within the Secure Site Seal. DV certs can be issued immediately.