What is an SSL certificate?
It is a file, installed on your web server (usually Apache or IIS), that binds a public key to the name of your website and is digitally signed by a Certificate Authority (CA). Because web browsers ship with the list of CAs they trust, they can immediately verify that the certificate is genuine (issued by a CA recognized worldwide), and the keys negotiated during the handshake are then used to encrypt the communication. Strictly speaking the protocol in use today is TLS, the successor of SSL, but the certificates are still commonly called "SSL certificates".
What is a certificate authority (CA)?
The simplest explanation is that it is a trusted third party: a company dedicated to certifying the identity of people and companies on the Internet.
Let's expand on that. Normally we use products and services on the websites of local companies we know, even physically: we have been in their offices, or they have operated in our city or country for years. We are therefore able to enter data, buy or pay on those websites without major trust issues.
But what happens when you have to do the same in another city, country or even continent? How do you know that the website is reliable? How do you know that it belongs to the company it claims to be? Whom could we ask whether that website can be trusted?
That is what certification authorities are for: they do the verification work for us and issue an SSL certificate to those companies, who install it on their website and can then prove who they are on the Internet.
What is the function of an SSL certificate?
The SSL certificate has two functions:
- Encrypt the channel between the web browser and the server: by default, communication on the Internet is not encrypted. When you browse web pages, your traffic passes through a series of (generally trustworthy) third-party networks and servers. Problems arise when one of those third parties is not trustworthy (it was hacked, or was never trustworthy in the first place) and your unencrypted data is read and stored by a cybercriminal. This is aggravated when that data includes usernames, passwords or credit card numbers. A second, quite frequent case is users connecting from any free Wi-Fi network, where again someone can easily read unencrypted traffic.
- Identify the website: as already explained, the SSL certificate is a statement by a third party (the CA) that this site belongs to a given company. For this authentication the certificate gives us different levels of trust in that company, depending on whether it is DV, OV or EV (which we will explain later).
How does an SSL certificate work?
In the same way that you lock and unlock doors with a key, encryption uses keys to lock and unlock your information. Unless you have the correct key, you will not be able to "open" the information.
Two keys are involved, and they form a pair:
- The public key: contained in the certificate and visible to everyone. The browser uses it to check that the server really holds the matching private key (and, in older key exchanges, to encrypt the secret from which the session keys are derived).
- The private key: kept secret on the server. Only it can decrypt (or sign) what was encrypted (or challenged) with the public key, restoring the information to its original, readable form.
The process: each SSL certificate issued by a certification authority (CA) is issued for a specific website domain (e.g. www.infraseg.com). When a person uses their browser to visit a website address with an SSL certificate, an SSL/TLS handshake occurs between the browser and the server: the server presents its certificate, the browser checks that it was signed by a CA it trusts, that it is valid for the domain typed in the address bar and that it has not expired, and then both sides agree on the symmetric session keys that encrypt the rest of the conversation. Only then is the page content requested from the server and shown to the person in their browser. If any of those checks fails, the browser shows a certificate warning instead of the page.
Graphically, this is what occurs between the browser and the server:
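The handshake described above, as an added example (this is not code from the original page or from Infraseg): a Go program that creates a private root CA, has it issue a certificate for www.infraseg.com (the domain used as the example on this page; the CA name "Example Root CA" and the hostname www.example.com are assumptions), and then runs a TLS client against a loopback server under the three conditions a browser faces. The client accepts the certificate only when it is signed by a CA it trusts and its name matches the one requested.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// sign generates a fresh key for tmpl and has parent sign it (parent == nil
// means self-signed, i.e. a root CA). Validity is fixed at one day.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Handshake starts a TLS server on loopback that presents leaf, then connects
// a client that trusts only roots and expects to reach serverName (the two
// checks a browser performs). It returns the client's verdict: nil if the
// handshake completed, otherwise the verification error that aborted it.
func Handshake(leaf tls.Certificate, roots *x509.CertPool, serverName string) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		srv := tls.Server(c, &tls.Config{Certificates: []tls.Certificate{leaf}})
		_ = srv.Handshake() // fails when the client rejects our certificate
		srv.Close()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    roots,      // the CAs this client trusts
		ServerName: serverName, // the name typed in the address bar
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

// Outcome collects the client-side result of three handshakes.
type Outcome struct {
	ValidChain error // trusted CA, correct name: expect nil
	UnknownCA  error // certificate signed by a CA the client does not trust
	WrongName  error // certificate issued for a different domain
}

// Scenarios issues a certificate for www.infraseg.com from an assumed
// private root CA and runs the three cases.
func Scenarios() (Outcome, error) {
	var o Outcome
	ca, caKey, err := sign(&x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "Example Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	if err != nil {
		return o, err
	}
	leafCert, leafKey, err := sign(&x509.Certificate{SerialNumber: big.NewInt(2),
		Subject: pkix.Name{CommonName: "www.infraseg.com"}, DNSNames: []string{"www.infraseg.com"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	if err != nil {
		return o, err
	}
	leaf := tls.Certificate{Certificate: [][]byte{leafCert.Raw}, PrivateKey: leafKey}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	o.ValidChain = Handshake(leaf, trusted, "www.infraseg.com")
	o.UnknownCA = Handshake(leaf, x509.NewCertPool(), "www.infraseg.com") // empty trust store
	o.WrongName = Handshake(leaf, trusted, "www.example.com")
	return o, nil
}

func main() {
	o, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted CA, correct name:", o.ValidChain)
	fmt.Println("unknown CA:", o.UnknownCA)
	fmt.Println("wrong name:", o.WrongName)
}
```

Running it prints `<nil>` for the first case and the two verification errors for the others (an unknown authority and a name mismatch). Those are exactly the two reasons a browser shows a certificate warning, and the second is why a certificate bought for www.infraseg.com does nothing for infraseg.com unless that name is also on it.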
Do I need an SSL certificate for my website?
Yes. Since you cannot control where your users connect from, you must provide a secure channel to your server even when they connect from insecure networks; you must always protect the information they enter.
In addition, you must give those external users the confidence that your page is really your website and not an attempt at fraud or impersonation.
What are DV, OV and EV SSL Certificates?
The difference lies in the level of validation each of them offers: not all of them go to the same depth in verifying who the company behind a given website is.
- DV (Domain Validation): the CA only certifies that the applicant controls that domain. This type of certificate only serves to encrypt, since the level of validation is very low and it provides no information about the company behind it. The checks are automated (typically replying to an e-mail sent to the domain, or publishing a DNS record or a file on the web server), so the price is low because there are no additional costs.
- OV (Organization Validation): the CA validates the domain and also validates that there is a real, registered company behind it, whose name is recorded in the certificate (the O= field of the Subject). This gives a much higher level of trust, since a third party verified that it is a real company. Because there is a manual validation process (in many cases including a phone call), the certificate is more expensive.
- EV (Extended Validation): the CA confirms that the company controls the domain, that there is a company behind that domain, that the company is real and legally registered, and that it has verified 2 people who work within that company. With that level of knowledge the CA is confident enough to issue an EV certificate, historically known as the "green bar" certificate, which gave the company the highest level of trust on the Internet: browsers recognized this status and displayed a green bar with the name of the company or trade name of the organization that owns the domain. Note that since 2019 the major browsers (Chrome, Firefox, Safari) no longer show the green bar or the company name in the address bar; the organization details are still in the certificate and can be seen in the browser's certificate viewer, but EV no longer gets a distinct visual treatment.
In general this certificate is recommended for all websites, but due to the extensive validation process behind it the cost is higher and sometimes prohibitive for companies that are just starting out. Since ordinary users understand little or nothing about SSL certificates, the green bar gave them a distinct visual cue: they were used to seeing it on the pages of banks and e-commerce sites and felt safe. In short, EV certificates remain the highest validation standard on the Internet, even though their visual advantage in the address bar has disappeared.
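As an added example (not from the original page), the check a practitioner would run to tell at which level a certificate was issued, in Go. The CA/Browser Forum policy OIDs below are the standard ones; the organization names and the registration number in the sample certificates are invented for the example. The same fields can be read from a real certificate with openssl x509 -noout -text.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// Certificate policy OIDs reserved by the CA/Browser Forum. A CA records the
// validation level it performed by placing one of these in the
// Certificate Policies extension of the certificate it issues.
var (
	oidDV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidOV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidEV = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
)

// ValidationLevel classifies a certificate as "DV", "OV" or "EV". The policy
// OID is authoritative (byPolicy == true). If the CA omitted it, fall back to
// the Subject: DV certificates carry no organization name (O=), OV and EV
// certificates do; without the OID the latter two cannot be told apart.
func ValidationLevel(c *x509.Certificate) (level string, byPolicy bool) {
	for _, p := range c.PolicyIdentifiers {
		switch {
		case p.Equal(oidEV):
			return "EV", true
		case p.Equal(oidOV):
			return "OV", true
		case p.Equal(oidDV):
			return "DV", true
		}
	}
	if len(c.Subject.Organization) > 0 {
		return "OV", false
	}
	return "DV", false
}

// Samples returns constructed (unsigned) certificates carrying the fields a
// real CA would set at each validation level. Company data is invented.
func Samples() map[string]*x509.Certificate {
	return map[string]*x509.Certificate{
		"dv": {
			Subject:           pkix.Name{CommonName: "www.mysite.com"},
			DNSNames:          []string{"www.mysite.com"},
			PolicyIdentifiers: []asn1.ObjectIdentifier{oidDV},
		},
		"ov": {
			Subject: pkix.Name{CommonName: "www.mysite.com", Organization: []string{"MySite SpA"},
				Locality: []string{"Santiago"}, Country: []string{"CL"}},
			DNSNames:          []string{"www.mysite.com"},
			PolicyIdentifiers: []asn1.ObjectIdentifier{oidOV},
		},
		"ev": {
			// EV adds the legal registration details browsers used to display.
			Subject: pkix.Name{CommonName: "www.mysite.com", Organization: []string{"MySite SpA"},
				Locality: []string{"Santiago"}, Country: []string{"CL"}, SerialNumber: "76.123.456-7"},
			DNSNames:          []string{"www.mysite.com"},
			PolicyIdentifiers: []asn1.ObjectIdentifier{oidEV},
		},
		"legacy-ov": { // organization present but no policy OID
			Subject:  pkix.Name{CommonName: "www.mysite.com", Organization: []string{"MySite SpA"}},
			DNSNames: []string{"www.mysite.com"},
		},
	}
}

func main() {
	for name, c := range Samples() {
		level, byPolicy := ValidationLevel(c)
		fmt.Printf("%-10s -> %s (from policy OID: %v)\n", name, level, byPolicy)
	}
}
```

The point of the fallback is the one the page makes: a DV certificate tells you nothing about the company, so an empty O= field is the quickest sign that only domain control was checked.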
What type of SSL Certificates to buy? DV, OV and EV?
This answer depends mainly on your budget, since, from what we have learned, the recommended certificate for any web page is an EV.
If you have a limited budget you should analyze the structure of your site. For example, if you have "www.mysite.com" without further subdomains, you can install a DV, OV or EV SSL certificate of the brand that best suits your budget. Instead, if you have many subdomains, for example:
- www.mysite.com (note that www is a subdomain of the mysite.com domain)
In this case, if you buy EV or OV certificates individually the cost will be high, since you would have to buy 6 certificates. With this type of structure and a limited budget you should use a single Wildcard certificate, which covers *.mysite.com. Keep in mind that the wildcard matches exactly one label: *.mysite.com covers www.mysite.com and mail.mysite.com, but not the bare mysite.com nor a deeper name such as a.b.mysite.com, so those would have to be added as separate names. Wildcard certificates can be DV or OV only (EV wildcards are not issued); if we need the green bar we should choose a Multidomain certificate. Multidomain (SAN) certificates are generally used when we have one domain with a handful of subdomains (packages commonly include 4 additional names, and more can be added) and we want the same certificate, EV included, on all of them. This type of SSL certificate is widely used to cover the set of hostnames of an Exchange deployment.
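An added example (not part of the original page) for the wildcard-versus-multidomain decision, in Go: it applies the hostname-matching rules a TLS client uses to a constructed list of hostnames for the mysite.com example above and reports which names a *.mysite.com wildcard would cover and which would still need their own SAN entry. The hostnames (mail, autodiscover, dev.api) are assumed for the illustration.

```go
package main

import (
	"crypto/x509"
	"fmt"
)

// Matches reports whether a certificate carrying the given Subject Alternative
// Names would be accepted for host, using the rules Go's TLS client applies
// (browsers agree on these points): labels are compared case-insensitively,
// and '*' is only allowed as the whole leftmost label, where it matches
// exactly one label.
func Matches(sans []string, host string) bool {
	c := &x509.Certificate{DNSNames: sans}
	return c.VerifyHostname(host) == nil
}

// WildcardGap splits the hostnames you need to serve into those a single
// "*.apex" wildcard certificate covers and those that would still need an
// explicit entry on a multi-domain (SAN) certificate.
func WildcardGap(apex string, hosts []string) (covered, uncovered []string) {
	wildcard := []string{"*." + apex}
	for _, h := range hosts {
		if Matches(wildcard, h) {
			covered = append(covered, h)
		} else {
			uncovered = append(uncovered, h)
		}
	}
	return covered, uncovered
}

func main() {
	// Constructed hostnames for the mysite.com example.
	hosts := []string{"www.mysite.com", "mail.mysite.com", "autodiscover.mysite.com",
		"mysite.com", "dev.api.mysite.com", "WWW.MYSITE.COM"}
	covered, uncovered := WildcardGap("mysite.com", hosts)
	fmt.Println("*.mysite.com covers:", covered)
	fmt.Println("need an explicit SAN:", uncovered)

	// A multi-domain certificate lists every name explicitly.
	multi := []string{"mysite.com", "www.mysite.com", "mail.mysite.com", "autodiscover.mysite.com"}
	for _, h := range hosts {
		fmt.Printf("SAN certificate accepts %-24s %v\n", h, Matches(multi, h))
	}
}
```

The two names a wildcard leaves out are the ones that surprise people in practice: the bare domain (mysite.com) and anything with an extra label (dev.api.mysite.com). Both have to be listed explicitly, which is what a multi-domain certificate is for.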
What brand of SSL Certificates to choose?
Infraseg, as a security company, is brand-agnostic; of course we represent the ones that give us the most confidence and that, in our experience, have been more robust and offer the best price/quality ratio for our clients. If you want to see the ranking of the largest CAs worldwide by market share, you can find it here: https://w3techs.com/technologies/history_overview/ssl_certificate/ms/q
Being agnostic, we can offer DigiCert (with all its sub-brands, including GeoTrust, Thawte and RapidSSL), Sectigo or GlobalSign certificates.
Why do different brands of SSL certificates have different prices?
As we have explained before, technically all SSL certificates do the same thing. The factors that influence the price are:
- Validation level: DV is cheaper because no people are involved in the validation, while OV and EV require progressively more work from the validation team.
- Brand: although the certificates do the same thing, a recognized brand always gives us more confidence than one we do not know. Several car brands could take us on a trip across South America, but if we could choose without worrying about price, I assure you we would pick the one we trust most or have heard is better.
- Type of certificate: Wildcard and Multidomain certificates are more expensive because they cover a greater number of subdomains or domains.
- Speed of validation: if a brand has a faster validation team, it is because it has put more resources into it, and it will charge us for those resources.
- Warranties: CAs back their certificates with a warranty that covers losses if a certificate is mis-issued or compromised through the CA's fault; if that happens they pay the client a certain sum of money. Some certificates have no warranty and others reach, in the case of Comodo (now Sectigo) EV, up to 2 million dollars per certificate. In a nutshell, the CA does this to demonstrate the robustness of its processes. The higher the warranty, the more expensive the certificate, but also the more confidence it gives us.
- Support: in general, brands leave personalized support to their distributors. The same happens with online SSL sales portals, which can often sell cheaper than a local distributor (especially due to the volume they trade) but whose support is either in English or through tickets without a clear SLA. Forgive the self-reference, but at Infraseg we realized long ago that this is a fundamental point that differentiates our products from competitors. Explaining to a client exactly which certificate they need has earned us exponential growth in our client portfolio in Chile and Latin America. Although price is always important, adequate support, "not leaving alone" the sysadmin who goes through this process once a year, is what customers seek and appreciate above all else. In addition, we help with the installation of the certificate.
Other differentiators that CAs offer, not directly related to the certificate itself, are:
- Multi-server: whether the CA charges extra for installing the same certificate on several servers. DigiCert, for example, charges for this: any user can export and import the certificate onto more servers, but then the certificate's warranty is void if it is compromised. Sectigo certificates, in contrast, are multi-server.
- Management platforms: for clients with more than 5 SSL certificates, it is advisable to have a management platform to control the entire life cycle of the certificates, anticipate expirations and renew them in advance. CAs generally offer these free of charge.
- Vulnerability assessment and malware detection: an additional service offered by CAs, each implemented in a different way. It is not a property of the certificate but an extra service, free of charge, from the brand.
- Support: although what is sold is a license, distributors such as Infraseg help customers install their certificate so that they are fully operational. We believe this is the great differentiator: from our experience, clients value above all someone who explains what they are offering, helps them invest their money in a certificate suited to their platforms, and then helps them install it the right way.