Sectigo secure email solutions (S/MIME)
Secure your email by digitally signing and encrypting communications with our email certificates, also called personal identification certificates.
What is an SSL certificate?
It is a file containing a cryptographic key that can encrypt messages passing through a network. It is installed on your web server, usually Apache or IIS. Web browsers then immediately recognize it as a valid certificate (issued by a Certificate Authority (CA) recognized worldwide), and the communication can be encrypted.
What is a certificate authority (CA)?
The simplest explanation is that it is a trusted third party: a company dedicated to certifying people and companies on the Internet.
Let's expand the explanation. Normally we access products and services on the web pages of local companies that we know, even physically: we have been in their offices, or they have been operating in our city or country for years. We can therefore enter data, buy or pay on those websites without major trust issues.
But what happens when you have to do it in another city, country or even continent? How do you know that the website is reliable? How do you know that it belongs to the company it claims to be? Whom could we ask whether we can trust that website?
This is what certifiers are for: they do the verification work for us and deliver an SSL certificate to those companies, so that they can install it on their website and prove who they are on the Internet.
What is the function of an SSL certificate?
The SSL certificate has 2 functions:
- Encrypt the channel between the web browser and the server: By default, communication on the Internet is not encrypted. When you browse web pages, you do so through a series of (generally trustworthy) third-party servers. Problems arise when those third parties are not trustworthy (they were hacked, or the third party itself can no longer be trusted) and the unencrypted data is read and stored by a cybercriminal. This is worse when the data includes usernames, passwords or credit card numbers, among others. A second, quite frequent case is users connecting from any free Wi-Fi, which again means that someone can easily read their unencrypted information.
- Identify the website: As already explained, the SSL certificate comes from a third party that confirms that the site belongs to a company. For this authentication, the SSL certificate gives us different levels of trust in that company, depending on whether the certificate is DV, OV or EV (which we will explain later).
How does an SSL certificate work?
In the same way that you lock and unlock doors with a key, encryption uses keys to lock and unlock your information. Unless you have the correct key, you will not be able to "open" the information.
Each SSL session consists of two keys:
- The public key: which is used to encrypt (encode) the information.
- The private key: which is used to decrypt (decode) the information and restore it to its original format so that it can be read.
The process: each SSL certificate issued by a certification authority (CA) is issued for a specific server and website domain (e.g. www.infraseg.com). When a person uses their browser to go to a website address with an SSL certificate, an SSL handshake occurs between the browser and the server. Information is requested from the server, which is then made visible to the person in their browser window.
Graphically, this is what occurs between the browser and the server:
Do I need an SSL certificate for my website?
Always. Since you cannot control where your users connect from, you must provide a secure channel to your server. Even if they connect from non-secure networks, you must always try to protect the information they enter.
In addition, you must give these external users the confidence that your page is the genuine website and not an attempt at fraud or impersonation.
What are DV, OV and EV SSL Certificates?
The difference lies in the level of validation that each of them offers: not all of them provide the same depth in validating which company is behind a given website.
- DV (Domain Validation): The certifier only certifies that the applicant is the owner of that domain. This type of certificate is useful only for encryption, since the level of validation is very low and it provides no further information about the company behind the site. The validations performed by the certifiers are automatic, so the price is low, as there are no higher associated costs.
- OV (Organization Validation): The certification authority (CA) validates the domain and also validates that there is a company behind it. This gives us a much higher level of trust, since a third party has verified that it is a real company. Because there is a manual validation process by the certifier (including a phone call in many cases), the certificate is more expensive.
- EV (Extended Validation): For a green bar EV certificate, the Certificate Authority (CA) confirms that the company owns the domain, that there is a company behind that domain, that the company is real, and that the CA knows 2 people who work within that company. With this level of knowledge, the certifier has the confidence to issue an EV (green bar) certificate, which gives the company access to the highest level of trust on the Internet. Browsers recognize this status and activate a green bar showing the company name or the trade name of the organization that holds that domain.
For example: [screenshots of the EV green bar in Chrome and Internet Explorer]
In general, this certificate is recommended for all websites, but because of the extensive validation process behind it, the cost is higher and sometimes prohibitive for companies that are just starting out. Since common users generally understand little or nothing about SSL certificates, the green bar gives them a visual cue of confidence: they are used to seeing it on the pages of banks and e-commerce sites, and they feel safe. In short, EV certificates are the current highest standard for trust on the Internet.
What type of SSL Certificates to buy? DV, OV and EV?
This answer mainly depends on your budget, since from what we have learned, the recommended certificate for any web page is an EV certificate.
If you have a limited budget, you should analyze the structure of your site. For example, if you have "www.mysite.com" without subdomains, you can install a DV, OV or EV SSL certificate of the brand that best suits your budget. If instead you have many subdomains, for example:
- www.mysite.com (note that the www is a subdomain of the mysite.com domain)
- portal.mysite.com
- mail.mysite.com
- intranet.mysite.com
- extranet.mysite.com
- ftp.mysite.com
In this case, if you buy EV or OV certificates individually, the cost will be high, since you will have to buy 6 certificates. With this type of structure and a limited budget, you should use a single Wildcard certificate, which covers *.mysite.com. Wildcard certificates can be DV or OV (if we need the green bar, we should choose a Multidomain SSL certificate).
Multidomain certificates are generally used when we have at most 1 domain with 4 subdomains and we want a green bar on all of them. This type of SSL certificate is widely used to cover an Exchange structure, for example:
- autodiscover.mysite.com
- mail.mysite.com
- owa.mysite.com
- www.mysite.com
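The coverage difference between the Wildcard and Multidomain certificates described above, as an added example that is not part of the original page. It assumes the standard matching rule in which a wildcard stands for exactly one left-most label; the function names and the two edge-case hosts are constructed for illustration.

```python
# Added example (not from the original page): which hostnames does a certificate cover?
# Rule used (RFC 6125 and common browser behaviour): "*" is valid only as the whole
# left-most label and stands for exactly one label, so it never spans a dot.

def name_matches(pattern: str, host: str) -> bool:
    """True if one certificate name (exact or wildcard) covers the host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # different depth: bare domain or nested subdomain
    if p[0] == "*":
        # Require at least "*.domain.tld"; a real client also checks public suffixes.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def uncovered(cert_names, hosts):
    """Sorted list of hosts that none of the certificate's names cover."""
    return sorted(h for h in hosts
                  if not any(name_matches(n, h) for n in cert_names))

# Hostnames taken from the page's two lists.
SITE_HOSTS = ["www.mysite.com", "portal.mysite.com", "mail.mysite.com",
              "intranet.mysite.com", "extranet.mysite.com", "ftp.mysite.com"]
EXCHANGE_HOSTS = ["autodiscover.mysite.com", "mail.mysite.com",
                  "owa.mysite.com", "www.mysite.com"]
# Constructed edge cases: the bare domain and a second-level subdomain.
EDGE_HOSTS = ["mysite.com", "dev.portal.mysite.com"]

WILDCARD_CERT = ["*.mysite.com"]          # one wildcard name
MULTIDOMAIN_CERT = list(EXCHANGE_HOSTS)   # one SAN entry per host

if __name__ == "__main__":
    print("wildcard misses:", uncovered(WILDCARD_CERT, SITE_HOSTS + EDGE_HOSTS))
    print("multidomain misses (Exchange):", uncovered(MULTIDOMAIN_CERT, EXCHANGE_HOSTS))
    print("multidomain misses (full site):", uncovered(MULTIDOMAIN_CERT, SITE_HOSTS))
```

The wildcard covers all six listed subdomains but neither the bare domain nor a name two levels deep, so those need their own certificate names.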
What brand of SSL Certificates to choose?
Infraseg, as a security company, is agnostic to brands. Of course, we represent the ones that give us the most confidence and that, based on our experience, have been the most robust and offer the best price-quality ratio for our clients. If you want to know the ranking of the largest certifiers worldwide, you can find it here: https://w3techs.com/technologies/history_overview/ssl_certificate/ms/q
Being agnostic, we can offer Digicert (with all its sub-brands, including Geotrust, Thawte and RapidSSL), Sectigo or Globalsign certificates.