What is an SSL certificate?
It is a file that contains a cryptographic key used to encrypt the messages that pass between a browser and your web server. It is installed on the web server, usually Apache or IIS, and because it is issued by a Certificate Authority (CA) recognized worldwide, web browsers immediately recognize it as a valid certificate and the communication can be encrypted.
What is a certificate authority (CA)?
The simplest explanation is that it is a trusted third party; that is, CAs are companies dedicated to certifying people and companies on the Internet.
Let's expand on that. Normally we access the products and services on the websites of local companies that we know, even physically: we have been in their offices, or they have been operating in our city or country for years. Therefore we are comfortable entering data, buying or paying on those websites without major trust issues.
But what happens when you have to do this in another city, country or even continent? How do you know that the website is reliable? How do you know that it belongs to the company it claims to be? Whom could we ask whether that website can be trusted?
That is what the certifiers are for: they do the verification work for us and issue an SSL certificate to those companies so that they can install it on their website and prove who they are on the Internet.
What is the function of an SSL certificate?
The SSL certificate has 2 functions:
- Encrypt the channel between the web browser and the server: by default, communication on the Internet is not encrypted; when you browse web pages you do so through a series of (generally trustworthy) third-party servers. Problems arise when those third parties are not trustworthy (they were hacked, or the third party is simply no longer trustworthy) and your unencrypted data is read and stored by a cybercriminal. This is aggravated if that data includes usernames, passwords or credit card numbers, among others. A second, quite frequent case is users connecting from any free Wi-Fi, which again means that someone can easily read their unencrypted information.
- Identify the website: as already explained, the SSL certificate is a third-party certificate confirming that the site belongs to a company. For this authentication, the SSL certificate gives us different levels of trust in that company, depending on whether the certificate is DV, OV or EV (explained later).
How does an SSL certificate work?
In the same way that you lock and unlock doors with a key, encryption makes use of keys to lock and unlock your information. Unless you have the correct key, you will not be able to "open" the information.
Each SSL session consists of two keys:
- The public key: which is used to encrypt (encode) the information.
- The private key: which is used to decrypt (decode) the information and restore it to its original format so that it can be read.
The process: each SSL certificate issued by a certification authority (CA) is issued for a specific server and website domain (e.g. www.infraseg.com). When a person uses their browser to go to a website address that has an SSL certificate, an SSL handshake occurs between the browser and the server. Information is requested from the server, which is then made visible to the person in their browser.
Graphically, this is what occurs between the browser and the server (diagram not reproduced here):
Do I need an SSL certificate for my website?
Since you cannot control where your users connect from, you must have a secure channel to your server even if they connect from non-secure networks, and you must always try to protect the information they enter.
In addition, you must give these external users the confidence that your page is really the real Web and not an attempt at fraud or impersonation.
What are DV, OV and EV SSL Certificates?
The difference lies in the level of validation each of them offers: not all of them validate with the same depth who the company behind a given website is.
- DV (Domain Validation): the certifier only certifies that the applicant is the owner of that domain. This type of certificate only serves to encrypt, since the level of validation is very low and it provides no further information about the company behind it. The validations made by the certifiers are automatic, and therefore the price is low, since there are no additional associated costs.
- OV (Organization Validation): the certification authority (CA) validates the domain and also validates that there is a company behind it. This already gives us a much higher level of trust, since a third party has verified that it is a real company. Because there is a manual validation process by the certifier (including a phone call in many cases), the certificate is more expensive.
- EV (Extended Validation): for a green bar EV certificate, the Certificate Authority (CA) confirms that the company owns the domain, that there is a company behind that domain, that the company is real, and that it knows two people who work within that company. With this level of knowledge the certifier has the confidence to issue an EV, or green bar, certificate, which gives the company access to the highest level of trust on the Internet. Browsers recognize this status and show a green bar with the name or trade name of the organization that owns that domain.
In general, this certificate is recommended for all websites, but due to the extensive validation process behind it, the cost is higher and sometimes prohibitive for companies that are just starting out. Since ordinary users generally understand little or nothing about SSL certificates, the green bar certificate gives them a distinct visual reassurance: they are used to seeing this green bar when entering the pages of banks or e-commerce sites, and they feel safe. In short, EV certificates are the current highest standard for trust on the Internet.
What type of SSL Certificates to buy? DV, OV and EV?
This answer mainly depends on your budget, since, from what we have learned, the recommended certificate for any web page is an EV.
If you have a limited budget you should analyze the structure of your site. For example, if you have "www.mysite.com" without subdomains, you can install a DV, OV or EV SSL certificate of the brand that best suits your budget. On the other hand, if you have many subdomains, for example:
- www.mysite.com (note that the www is a subdomain of the mysite.com domain)
In this case, if you buy EV or OV certificates individually, the cost will be high, since you will have to buy 6 certificates. In this type of structure with a limited budget you should use a single Wildcard certificate, which covers *.site.com. Wildcard certificates can be DV or OV (if we need the green bar we should choose a
Multidomain certificates are generally used when we have at most 1 domain with 4 subdomains and we want a green bar on all of them. This SSL certificate is widely used to cover the structure of Exchange, for example:
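As an added example (not code from Infraseg's page), the following Python script applies the rules discussed above to the certificate dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns: it tells DV from OV by the presence of an organization in the subject, and checks which hostnames a single-name or wildcard certificate actually covers, including the caveat that `*.mysite.com` does not cover the bare `mysite.com`. The two sample certificates and the six subdomain names are constructed for illustration; only www is named on the page.

```python
def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: a wildcard '*.site.com' covers exactly one
    DNS label, so it matches www.site.com but neither the bare site.com
    nor a deeper name such as a.www.site.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".site.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]           # the part replaced by '*'
    return bool(left) and "." not in left


def cert_names(cert: dict) -> list:
    """DNS names the certificate is valid for (SAN first, CN as fallback)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    return names


def uncovered(cert: dict, hosts: list) -> list:
    """Hostnames that would still need another certificate."""
    return [h for h in hosts
            if not any(hostname_matches(n, h) for n in cert_names(cert))]


def validation_level(cert: dict) -> str:
    """DV certificates carry no organization in the subject; OV and EV do.
    EV is additionally marked by the CA/Browser Forum policy OID
    2.23.140.1.1 in certificatePolicies, which getpeercert() does not
    expose, so OV and EV cannot be told apart from this structure."""
    fields = {k: v for rdn in cert["subject"] for k, v in rdn}
    return "OV or EV" if "organizationName" in fields else "DV"


# Constructed samples: one DV wildcard, one OV single-name certificate.
DV_WILDCARD = {"subject": ((("commonName", "*.mysite.com"),),),
               "subjectAltName": (("DNS", "*.mysite.com"),)}
OV_SINGLE = {"subject": ((("organizationName", "My Site Ltd"),),
                         (("commonName", "www.mysite.com"),)),
             "subjectAltName": (("DNS", "www.mysite.com"), ("DNS", "mysite.com"))}
# Six subdomains as in the article's scenario (constructed; only www is named there).
SUBDOMAINS = [s + ".mysite.com" for s in ("www", "mail", "shop", "blog", "api", "support")]

if __name__ == "__main__":
    for label, cert in (("DV wildcard", DV_WILDCARD), ("OV single", OV_SINGLE)):
        print(label, validation_level(cert), "missing:", uncovered(cert, SUBDOMAINS))
```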
What brand of SSL Certificates to choose?
Infraseg as a security company is agnostic to brands, of course we represent the ones that give us the most confidence and that, based on our experience, have been more robust and have the best price-quality ratio for our clients. If you want to know the ranking of the largest certifiers worldwide, you can find it here: https://w3techs.com/technologies/history_overview/ssl_certificate/ms/q
Being agnostic, we can offer DigiCert (with all its sub-brands, including GeoTrust, Thawte and RapidSSL), Sectigo or GlobalSign certificates.