SSL certificate for a website: what, why and where

Nastya Kuznetsova
Content manager

Browsers show their dislike for websites without SSL by marking them «insecure», and search engines rank them lower in results. Why so serious? Because an SSL certificate protects users: scammers can’t steal the confidential information visitors send to a website that has one.

Why you should protect your data

On the Internet, much like in real life, there are “bad guys” who can steal important information: any data you leave on websites. It may be order data, private messages and records, or super confidential data that is more than unpleasant to lose.

For example, a passport scan — if a hacker gets a hold of it, they will be able to use it in criminal schemes: from a microloan to a one-day company or a contract of sale for a third-party. Or a bank card’s CVC-code: a hacker gets unlimited access to the account along with it.

There are at least two ways to steal data:

  • Guess a login and a password and break into the website database. It’s easy to protect yourself from this: you can come up with the strongest password possible, use two-factor authentication, and track sessions. Generally, setting up a stronger password is enough.
  • Intercept data that the website visitor enters and sends. All a hacker has to do is get access to the information flow between the user’s browser and the website. The only way to protect data from interception is to encrypt it. Even if a hacker gets access to it, they won’t be able to use it. Data is encrypted by the HTTPS protocol using an SSL certificate.

What are HTTPS and SSL and how do they work?

HTTPS is an extension of HTTP, a data transfer protocol. HTTP uses the «client-server» (browser-website) model:

HTTP. Browser: Here’s my password, Server: Here’s your page

A page is just an example; any action online goes the same way, by the rules dictated by the HTTP protocol. The problem is that the rules it dictates aren’t strict enough. It just sends unencrypted requests back and forth. They are easy to intercept, and people have been thinking about this vulnerability since the ’90s.

HTTP, hacker intercepted the password

In 1994, the Netscape Communications company developed HTTPS, or HyperText Transfer Protocol Secure, a secure data transmission protocol. At first, only the Netscape Navigator browser supported it. Today, it’s a standard for every browser out there.

The extension works the same way as regular HTTP does, only with data encryption. It’s possible thanks to an SSL certificate.

An SSL certificate is a kind of «website ID»; it contains:

  • Information about the website (a domain) and its owner (location, if the owner is an organization — its legal data).
  • Certificate validity and certification center data. Such centers are authoritative international organizations, there’s a list of them in every browser.
  • A data encryption key.

Thanks to the information an SSL certificate contains, a browser is able to verify that the website in front of it is really the one it requested and to encrypt the data using the certificate key.

HTTPS

Encrypted information can still be intercepted but can’t be used. A key is required to decrypt it, and only the website owner has one. It’s almost impossible to guess it. No, it’s really impossible.

Here’s what a website without an SSL certificate looks like:

A website without an SSL-certificate

And here’s a website with an SSL: there’s a lock beside the website address. If you click on it and then click on «Certificate», you can read detailed information about the certificate: who it was issued to and by, and its validity.

A website with an SSL

What an SSL gives in practice

It may seem that only large banks and organizations that keep confidential government information and extraterrestrial technologies secret need data protection. It’s not like that. It’s worth getting an SSL certificate for any website as it provides the following:

Full-fledged data protection — your data, as well as data of your clients and visitors. If you have an online store and accept cards for payment, you sell or offer a free newsletter, let your users have accounts, publish info or chat on your website, then use an SSL certificate.

User trust. The HTTPS-protocol has been associated with enhanced data protection for a long time. People will be more willing to visit your website, buy your goods and pay for your services, store their data and content. Advanced users pay attention to SSL certificates and they are the most active visitors and customers.

SEO-promotion possibilities. Back in 2014, Google declared that websites with a secure connection would be placed higher in the search results. Different studies show that this is indeed the case. For example, in 2016, the founder of Backlinko, a popular website on SEO-promotion, analyzed 1 million Google search results. He came to the conclusion that most domains with SSL certificates are on the first three pages: 25-28%.

SSL certificate and HTTPS-protocol are becoming a standard. No matter what website you create, you are still going to need a certificate.

How to choose an SSL certificate for a website

First, let’s figure out what kind of certificate you certainly don’t need.

Untrusted SSL certificates

A certificate from an untrusted certification center. For example, the Symantec center has been considered untrusted since March 2018. At first, it released certificates without owners’ requests. And then Google noticed that four third-party companies had been issuing certificates under the Symantec name.

An expired certificate. Until recently, you could buy a certificate that was valid for three, four and even ten years; now two years is the maximum. It was a demand of CA/B Forum, a regulatory authority in the SSL industry. This action was taken to ensure users’ security: once a certificate gets reissued, it receives security updates. It means that the more often the reissue happens, the more reliable a certificate is.

A self-signed certificate is the one the owner issued to himself or herself. It’s possible and it’s not too difficult. Such an SSL also creates a protected connection encrypting data but it doesn’t confirm the domain. That’s why browsers don’t recognize self-signed certificates: they don’t know who released the key and whether it can be trusted. It may be a website owner or a hacker disguising their website as a secure one.

Self-signed certificates have the right to exist: in local networks, on corporate portals and any other websites that are used by a limited number of people.

If a website uses an untrusted certificate, it can be seen right away.

A website with an expired certificate in Google Chrome and Mozilla Firefox

A user will see this and probably leave the page. But if they trust the website, they can add its certificate to the trusted ones in their browser. They won’t receive any warning messages then.
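
An added example (not from the original article): Python’s standard `ssl` module exposes a certificate as a dictionary through `getpeercert()`, and the sketch below reads the «website ID» fields from such a dictionary and lists the problems described in this section. The two sample dictionaries, the `.test` names, the fixed clock and the helper names are constructed for illustration.

```python
import ssl
import time

def _name(rdns):
    """Flatten the nested tuples getpeercert() uses for subject/issuer."""
    return {key: value for rdn in rdns for key, value in rdn}

def _host_matches(host, pattern):
    """Exact match, or a wildcard that covers exactly one left-most label."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def inspect_cert(cert, host, now=None):
    """Summarise a certificate dict and list the reasons a client would warn."""
    now = time.time() if now is None else now
    subject, issuer = _name(cert["subject"]), _name(cert["issuer"])
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    problems = []
    if now > expires:
        problems.append("expired")
    if subject == issuer:  # self-issued: the usual mark of a self-signed cert
        problems.append("self-signed")
    if not any(_host_matches(host, p) for p in sans):
        problems.append("hostname mismatch")
    return {
        "domains": sans,
        "organization": subject.get("organizationName"),  # None: domain only
        "issued_by": issuer.get("organizationName") or issuer.get("commonName"),
        "days_left": int((expires - now) // 86400),
        "problems": problems,
    }

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert().
CA_ISSUED = {
    "subject": ((("organizationName", "Example Shop Ltd"),),
                (("commonName", "shop.example.test"),)),
    "issuer": ((("organizationName", "Example Trust CA"),),),
    "notBefore": "Sep  1 00:00:00 2019 GMT", "notAfter": "Sep  1 00:00:00 2021 GMT",
    "subjectAltName": (("DNS", "shop.example.test"), ("DNS", "*.shop.example.test")),
}
SELF_SIGNED = {
    "subject": ((("commonName", "intranet.example.test"),),),
    "issuer": ((("commonName", "intranet.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2018 GMT", "notAfter": "Jan  1 00:00:00 2019 GMT",
    "subjectAltName": (("DNS", "intranet.example.test"),),
}
NOW = ssl.cert_time_to_seconds("Oct  1 00:00:00 2019 GMT")  # fixed clock for the demo
print(inspect_cert(SELF_SIGNED, "intranet.example.test", NOW)["problems"])
```

Whether the issuer is a trusted certification center is not decided by these fields: the TLS library checks the chain against the trust store during the handshake, which is why a context from `ssl.create_default_context()` should keep verification enabled.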

Trusted SSL certificates

This is what you need. Trusted certificates are issued by trusted certification centers. These are authoritative international organizations; you can find a list of them in the browser’s settings in the «Trusted root certification authorities» section.

To receive a trusted certificate, all you have to do is fill out an application, specify your personal data and wait a little bit. An authority will check your info and send a certificate to your email. How long you will have to wait, what data you need to send and what you are going to receive in the end all depend on the type of the certificate:

DV SSL — with domain check
The simplest certificate. It provides a secure connection and shows users that you own the domain. It will be alright for a promotional website, a blog or a forum with registration — a website where you don’t need to leave any confidential information and make purchases.

There are free DV-certificates from Let’s Encrypt. They are as good as the paid ones but they require regular renewal. Vepp issues Let’s Encrypt certificates and renews them automatically if the domain is assigned to a server.

OV SSL — with an organization check
It’s like DV but with an organization check. It provides a secure connection and confirms your right to a domain and the fact that your organization actually exists. It will be good for websites where users leave their confidential data and make purchases. It won’t be enough for new and large businesses though.

EV SSL — with company activity check
The EV-certificate can only be issued to a legal entity. Along with it, an entity receives a secure connection to a website and confirmation of its right to the domain, of the fact that the organization exists and that its activity is legal. Everything for the maximum users’ trust.

The EV-certificate used to look different: there was a company name beside a lock. Some browsers still have it that way but generally, you can see the name of the company in a drop-down menu if you click on a lock.

A website with an EV-certificate in Mozilla Firefox and Google Chrome

The company name was removed from Google Chrome in September 2019; Mozilla Firefox is planning to do the same in October.

The EV-certificate will come in handy to a large company, an online store, a bank, a fund, or a state organization. The EV will provide a new unknown company with maximum trust. And besides, it’s just a bit shameful for a large famous organization to get by with the OV.

Multidomain certificate
If you want to create a huge social network, a mail server, a virtual marketplace or a corporate resource network, it’s a good choice. It will allow you to protect several websites or subdomain pages simultaneously.

The number of available domain names depends on the certification center conditions and the cost of services. The basic option includes up to 5 domains (subdomains). Multidomain certificates can be of different types as well — DV, OV or EV.

Where do I get an SSL certificate?

In order for your website to open normally in browsers, you need to get a certificate from a trusted certification center: Digicert, GeoTrust, Comodo, Thawte, etc.

You can go to your browser’s settings to check whether the center is in the list of the trusted ones. For instance, in Chrome this list can be found in Additional settings: find the Configure certificates menu there and go to the Trusted root certification authorities section.

You can buy such certificates at the center itself but it’s cheaper to buy them from partners. For example, at LeaderSSL, ISPsystem, InstantSSL, CheapSSLsecurity or your local hosting provider; many of them sell SSL.

Do I really need it? You still didn’t convince me

79% of all websites have already switched to HTTPS, and web browsers keep pushing those who haven’t. They don’t always mark websites with SSL as secure: they removed the green line with the company name for EV-certificates, and the lock icon is gray by default now. On the other hand, they are planning to make danger warnings more visible. For example, Firefox is going to add a crossed-out lock icon in the address bar in October 2019.

All these facts only prove that SSL is becoming a standard and it’s difficult to earn users’ trust if you don’t have one. You can connect an SSL-certificate with Vepp.

Vepp is a simple and easy-to-use control panel for server and website management. It automatically issues a free SSL for a website with an assigned domain and automatically renews that SSL. You can also install any paid and self-signed SSL using Vepp.