Discover the importance of SSL certificates and Internet security.
In recent years Internet users have learned to value Internet security more and more, especially when making a purchase or any other transaction involving personal data; that is why today there are different security measures that you can implement on your website or web page so that your visitors feel more confident browsing and shopping on it.
In this post we will talk about one of the longest-standing and most valued security measures available: the SSL certificate.
What are SSL certificates?
The SSL certificate is responsible for the green padlock that appears to the left of a web page's address, and its absence is behind the “this web page is not secure” warnings. That probably sounds more familiar already, but the question remains: what is an SSL certificate?
The SSL (Secure Sockets Layer) certificate is a credential that attests to the authenticity of your website; it also enables encryption of the information sent to the server, so that hackers cannot read it.
In a few words, it has two objectives: to authenticate an identity and to encrypt the information that travels between your page and a server. With respect to the first objective, it provides a kind of electronic “identity document” that establishes the credentials of an online entity when doing business, so when an Internet user sends credential information to a web server, the user’s browser accesses the digital certificate and can establish a secure connection.
The information contained in this certificate and reviewed by the browser is: the certificate holder’s name, the certificate’s serial number and expiration date, a copy of the certificate holder’s public key, and the digital signature of the Certificate Authority that issued the certificate.
How do SSL certificates work?
As we have already mentioned, these certificates guarantee that all the data circulating in either direction between the client and the server is encrypted. The encryption itself is performed by a symmetric algorithm such as DES or RC4, and the symmetric key is exchanged under the protection of the public key contained in the server’s digital certificate. Broadly speaking, the protocol works in the following 5 steps:
- The client sends a secure session request.
- The server sends a certificate containing the server’s public key.
- The client authenticates the certificate against a list of Certification Authorities.
- The client generates a random symmetric key and encrypts it using the server’s public key.
- At this point the client and server both know the symmetric key and use it to encrypt the end user’s data for the duration of the session.
In this way all the information that passes from your site to the server travels encrypted, so if it is intercepted by a hacker, they will not be able to read it, because only your site and the server have the key that can decrypt it.
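The five steps above, modelled with the openssl command line as an added example that is not part of the original post. The host name shop.example, the file names and the sample message are constructed; the certificate is self-signed so that it can also serve as the client's CA list, and AES-256 with RSA-OAEP key wrapping are choices made for this example in place of the DES or RC4 named above.

```bash
# Added example: a simplified model of the five steps, not a real TLS stack.
# shop.example, the file names and the sample message are constructed.
set -eu
OAEP="-pkeyopt rsa_padding_mode:oaep"

# Steps 1-2: the server owns a key pair and answers with its certificate.
# It is self-signed here so it can double as the client's trusted CA list.
server_setup() {  # $1 = working directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=shop.example" \
    -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Steps 3-4: the client validates the certificate, then creates a random
# symmetric key and wraps it with the public key from the certificate.
client_key_exchange() {
  openssl verify -CAfile "$1/server.crt" "$1/server.crt" >/dev/null
  openssl x509 -in "$1/server.crt" -pubkey -noout > "$1/server.pub"
  openssl rand -hex 32 > "$1/session.key"
  openssl rand -hex 16 > "$1/iv"
  openssl pkeyutl -encrypt -pubin -inkey "$1/server.pub" $OAEP \
    -in "$1/session.key" -out "$1/wrapped.bin"
}

unwrap() {  # $1 = directory, $2 = private key; only the matching key succeeds
  openssl pkeyutl -decrypt -inkey "$2" $OAEP -in "$1/wrapped.bin" 2>/dev/null
}

# Step 5: both sides now hold the same key and use it for the session data.
round_trip() {  # $1 = plaintext; prints what the server decrypts
  local d; d=$(mktemp -d)
  server_setup "$d"; client_key_exchange "$d"
  printf '%s' "$1" | openssl enc -aes-256-cbc -K "$(cat "$d/session.key")" \
    -iv "$(cat "$d/iv")" -out "$d/traffic.bin"
  openssl enc -d -aes-256-cbc -K "$(unwrap "$d" "$d/server.key")" \
    -iv "$(cat "$d/iv")" -in "$d/traffic.bin"
  rm -rf "$d"
}

interceptor_fails() {  # a party holding some other private key learns nothing
  local d; d=$(mktemp -d)
  server_setup "$d"; client_key_exchange "$d"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/other.key" 2>/dev/null
  if unwrap "$d" "$d/other.key" >/dev/null; then rm -rf "$d"; return 1; fi
  rm -rf "$d"
}

round_trip "card=0000-constructed"; echo
interceptor_fails && echo "interceptor could not unwrap the session key"
```

Current TLS versions negotiate the cipher and usually agree on the session key with an ephemeral Diffie-Hellman exchange rather than by encrypting it to the certificate's key, so treat this as a model of the steps listed above only.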
How to obtain an SSL certificate?
These certificates are only granted by companies or authorities accredited to do so, called Certification Authorities (CA). Some of the most famous and important ones are GoDaddy, GlobalSign, Symantec, DigiCert, StartCom, Entrust and Trustwave.
The prices vary a lot from company to company and also between the 3 types of SSL they can provide you with, but on average the cost ranges from $50 to $1,500.
The types of SSL that a provider can offer you are:
- Domain SSL. These are the cheapest certificates and they are issued very quickly and are validated electronically. Most websites have this type of certificate.
- Organization SSL. They are a little more complicated than the previous ones, and usually take a little longer in the validation process because they are only granted to properly identified organizations.
- Extended SSL. These are the most expensive certificates, with a much deeper validation. They are the type of certificates used by sites such as Twitter, Mozilla, Facebook.
As you can see, this classification depends on price and validation speed, but in the end they all offer the same level of security.
The first step to acquire this certificate is to send the CA a Certificate Signing Request (CSR), which we generate on our own server with OpenSSL and save as a file with the .csr extension. Then we will have to verify our identity; how this is done depends on the Certification Authority, which will call you or send you an email.
At the end we will obtain the certificate and upload it to our server. Finally, we must modify the server’s configuration file to accept requests on port 443 (HTTPS).
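The request-and-issue procedure above, as an added example rather than any CA's own tooling: the server creates its key and CSR, a throwaway local CA stands in for the commercial one, and the issued certificate is checked before installation, ending with the fields listed earlier (holder, issuer, serial number, expiry date). All names (www.shop.example, Demo CA, the file names) are constructed.

```bash
# Added example: the CSR workflow end to end, with a throwaway local CA
# standing in for a commercial one. Every name here is constructed.
set -eu

make_csr() {  # $1 = directory, $2 = host name. The private key stays put.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  chmod 600 "$1/server.key"
  # Confirm the request is well formed and self-consistent before sending it.
  openssl req -in "$1/server.csr" -noout -verify >/dev/null 2>&1
}

stand_in_ca_sign() {  # what the CA does once it has validated your identity
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null
}

# Before installing: the certificate must chain to the CA and must carry the
# public half of the key that is already on the server.
cert_is_installable() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$1/server.crt" -pubkey -noout | openssl sha256)" = \
    "$(openssl pkey -in "$1/server.key" -pubout | openssl sha256)" ]
}

# The fields a browser reads: holder, issuer, serial number, expiry date.
cert_fields() {
  openssl x509 -in "$1/server.crt" -noout -subject -issuer -serial -enddate
}

demo() {
  local d; d=$(mktemp -d)
  make_csr "$d" "${1:-www.shop.example}"
  stand_in_ca_sign "$d"
  cert_is_installable "$d" && cert_fields "$d"
  rm -rf "$d"
}
demo
```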
Currently there are several projects that grant SSL certificates totally free to websites or blogs that cannot pay for one; these projects seek to make the Internet a much safer place. One of these options is CloudFlare, which is possible because the service works as a firewall between the original website and the user’s browser. There are also the Let’s Encrypt and CFSSL options, but to use them you need to have very advanced technical knowledge.
Why are they necessary?
You are probably wondering if you really need this type of certificate on your website, even if it is not an online store. The answer to this question is a resounding yes, for two simple reasons: trust and positioning.
On other occasions we have already talked about the importance of having a trustworthy website and today we reiterate this: a secure site is a reliable site that helps you increase the conversion rate and generally makes you look better against your competition, because the customer feels safe and feels that their data is protected.
On the other hand, Google has recently taken SSL certification as a key point for the positioning of a page in search results, so being certified guarantees that you appear above other pages that are not. In fact, since 2017 it has begun to penalize pages that are not certified with this protocol with a “not secure” warning when they are opened in the Google Chrome browser.
It should be clarified that SSL certificates are currently closely related to another type of security, Transport Layer Security, or TLS for short, which is nothing more than the most updated version of the original SSL protocol. In fact, when you acquire an SSL certificate you will probably be buying a TLS certificate, but by convention it is still called an SSL or SSL/TLS certificate. Do not worry, because the certificates do not really depend on the specific protocol in their name.
HTTPS and SSL
Now that you are interested in installing a certificate, you may also have come across the acronym HTTPS in relation to SSL and not quite understand the relationship between the two.
HTTPS is derived from HTTP, the acronym for Hypertext Transfer Protocol, which is the protocol that establishes how information is transferred around the Internet; basically, it specifies how data is communicated on the Internet. When we add the letter “S” we are converting this protocol into a secure hypertext transfer protocol, through TLS.
We hope this post will help you better understand how an SSL certificate works and why it is so important. Remember that if your site does not have one yet, it is important that you install it as soon as possible; not only to get the benefits of this security layer, but also to avoid the sanctions imposed by Google, through Google Chrome.
But tell us, as an Internet user, have you ever abandoned a page because it didn’t have an SSL certificate?