SSL (Secure Sockets Layer), also known as TLS (Transport Layer Security), is the technology used to secure internet connections and protect sensitive data as it moves between systems. It protects user data from being intercepted by hackers and provides a trusted channel between the user and the website. It also ensures that the website is authentic. TLS (Transport Layer Security) is a more secure version of SSL and is the one most commonly used today, although it is often mistaken for SSL.
Many of us rely on SSL certificates every day without noticing them as we navigate the Web. SSL certificates are why most websites use HTTPS instead of HTTP. Why is that so important? To make using the Web safer. An SSL certificate is a data file associated with the website's origin server that verifies the website's identity and carries other relevant information to prove its reliability. When a website is certified with an SSL certificate, its URL begins with HTTPS (Hypertext Transfer Protocol Secure). This gives users a simple way to tell whether a website is suspicious or insecure.
SSL is a security protocol that instructs the receiving system on how to use encryption algorithms to encrypt or decrypt transported data. SSL makes intercepted data so difficult to decrypt that it is effectively unreadable to anyone else. The encryption algorithm is responsible for scrambling the data so that it is illegible to other devices. This is especially helpful for reducing users' doubts when they access personal data such as credit card information on the internet. SSL is also responsible for storing the information that devices need for this system to function. SSL certificates are required to include the domain name, original device information, certificate authority and signature for verification, subdomains, certificate issue date and expiration date, and public and private keys to be able to successfully encrypt and decrypt data from incoming and outgoing systems.
SSL uses a verification process called the SSL handshake. During the handshake, the systems use the private and public keys to verify authenticity and to create a “symmetric session key”. After verification, the session key is used to encrypt and decrypt the rest of the data, which avoids the unnecessary cost of processing every set of data with the private and public keys.
To obtain an SSL certificate, website owners are required to work with a certificate authority (CA), which is typically responsible for generating and issuing SSL certificates for its customers. To do so, owners first create a Certificate Signing Request (CSR), which generates a private and public key assigned to the website. The CA uses the public key to create a data structure customized for the website. The SSL certificate is then activated on the website and functions as normal. A CA must be authenticated and verified through a Trusted Root CA store in order to issue SSL certificates to its customers. It is also possible to create personal SSL certificates without help. The only difference is that website hosts assign their own private keys to their website through self-signed certificates, although such certificates are often not deemed secure on the user's end.
History
The first version of the SSL (Secure Sockets Layer) protocol was developed in 1994 by Netscape to address concerns about the security of data in transit as use of the Web continued to grow. The official and final version of the SSL protocol was released in November of 1996. However, in 2011, the Internet Engineering Task Force (IETF) recommended that SSL be abandoned because of its lack of protection and consistently weak encryption, which made data easily accessible.
The TLS (Transport Layer Security) protocol was introduced in 1999 as an improved version of SSL serving similar purposes. Later on, TLS was revised to strengthen its weak points, for example by adding protection against Cipher Block Chaining attacks. The IETF officially proclaimed TLS the preferred protocol over SSL in June 2015 due to the strengthened authenticity of the TLS protocol. However, the TLS protocol is still incomplete. Engineers are still making changes to strengthen the protocol as a whole, including the release of a new TLS version in 2018 that simplified the handshake protocol and introduced a more private and secure encryption system.
In 2014, Google began requiring websites under the browser to be assigned SSL certificates, through a campaign raising awareness of the importance of SSL certificates. Eventually, Google began using the SSL requirement as a basic part of the Google ranking signal. In July 2018, Google made the SSL certificate system effectively mandatory by marking websites without SSL certificates as unsafe, reducing user engagement with those websites in an effort to make its customers feel safer when using the browser.
Free SSL vs. Paid SSL
After learning more about SSL, you may notice that there are two different types of SSL that a website owner can select: free SSL and paid SSL. While both serve the same purpose, paid SSL understandably comes with more benefits. To start off, both free SSL and paid SSL provide SSL certificates that enable HTTPS on the website. Paid SSL is recommended for website owners that have little to no knowledge of managing SSL certificates.
Free SSL simply informs the user that the website is secured, but does not provide enough information to guarantee the trustworthiness of the individual running the website. Paid SSL, by contrast, may require a set of formal verification processes with CAs, but it provides more levels of validation to verify the authenticity of the website. Paid SSL also provides more flexibility in services and functions, and insures everything that comes with the website in case something happens. For example, paid SSL would be able to provide immediate backup in case a platform is missing when transitioning between websites.
Another factor to take into consideration when choosing between free SSL and paid SSL is how long the SSL certificate lasts. Paid SSL certificates often provide up to two years of service, while free SSL certificates are only valid for a maximum of three months, depending on the CA. While some companies may find the conditions of free SSL acceptable, expanding businesses are recommended to use paid SSL to ensure the business is valid.
Types of SSL Certificates
In addition to the different levels of SSL certification, there are also multiple types of certificates to consider: the Single Domain SSL Certificate, Wildcard SSL Certificate, and Multi-Domain SSL Certificate.
The Single Domain SSL Certificate applies to only one domain. All pages on the domain are covered by the Single Domain SSL Certificate, but the certificate does not extend to associated subdomains. CAs that assign single domain certificates include Comodo Positive SSL and RapidSSL, one of the more commonly used CAs. Comodo Positive SSL and RapidSSL only support certification of one domain and are only responsible for listing the website domain as certified. The listed certificate authority only requires the domain name in the certificate details.
The Wildcard SSL Certificate certifies the authenticity of the associated subdomains of a domain, in addition to the benefits of the Single Domain SSL Certificate. Lastly, the Multi-Domain SSL Certificate includes a list of multiple domains under one certificate, including other domains that are not subdomains of an existing domain on the list. A certificate authority that supports multi-domain certification is Comodo Positive Multi-Domain SSL. Comodo Positive Multi-Domain SSL is able to certify multiple types of domains and is highly recommended compared to other certificate types. While it is the most costly compared to other SSL certificates, it provides SAN/UCC support, a digital certificate verifying multiple platforms.
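To make the difference between the three certificate types concrete, the following added example (not part of the original article) checks which hostnames each type covers. The domain names are constructed, the function names are hypothetical, and the guard against names such as `*.com` is a simplification of what real clients do.

```python
"""Added example: hostname coverage of the three certificate types.

All names are constructed, using reserved documentation domains.
"""


def name_matches(cert_name: str, hostname: str) -> bool:
    """Compare one DNS name from a certificate with a requested hostname."""
    c = cert_name.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(c) != len(h) or "" in h:
        return False
    if c[0] == "*":
        # A wildcard is the whole left-most label and replaces exactly one
        # label. Requiring three labels is a simplified guard so that
        # "*.com" can never match (real clients use a public-suffix list).
        return len(c) >= 3 and "*" not in c[1:] and c[1:] == h[1:]
    # Partial or misplaced wildcards ("w*.example.com") are not honoured.
    return "*" not in cert_name and c == h


def covers(cert_names, hostname):
    """True if any name listed in the certificate matches the hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


# Constructed name lists, one per certificate type described above.
CERTS = {
    "single-domain": ["example.com"],
    "wildcard": ["example.com", "*.example.com"],
    "multi-domain": ["example.com", "shop.example.net", "example.org"],
}
HOSTS = ["example.com", "www.example.com", "a.b.example.com",
         "shop.example.net", "example.org", "www.example.org"]


def coverage_table():
    """Map each certificate type to the sample hosts it secures."""
    return {kind: [h for h in HOSTS if covers(names, h)]
            for kind, names in CERTS.items()}


if __name__ == "__main__":
    for kind, hosts in coverage_table().items():
        print(f"{kind:<14} {', '.join(hosts)}")
```

The wildcard certificate does not cover a.b.example.com, because the wildcard replaces only a single label, and the multi-domain certificate covers only the exact names it lists.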
SSL Certificate Levels
SSL/TLS certificates come in three different levels of authentication: Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV). SSL/TLS certificate validation levels ensure that a certain organization manages and owns the domain. Each certificate holds the name of the website owner, the serial number, the expiration date of the certificate, the public encryption key, and the signature of the certificate authority used.
The DV certificate is the most basic and least secure of the three and provides minimal authentication. Because of this, DV SSL/TLS certificates only require proof of domain ownership. This may be a benefit for websites that are not run for profit and have no interest in business relationships, such as personal blogs. However, this is the most accessible form of certification and is not limited to any party, including cyber criminals.
OV certificates are the second most secure form of certification. They require collecting more information for authentication, and thus may be more costly and time-consuming. However, this certificate is effective in providing legitimacy to a website. OV certificates require legitimate authentication, location accessibility, phone validity, and domain verification. However, users browsing the website may not be shown this information.
Lastly, EV certification provides the most support systems and functions to authenticate a website. It provides a complete background check on the organization and the corresponding information that it provides. EV certification requires authentication procedures similar to those of OV certification, with the addition of an enrollment form, physical address, and operational existence. It also provides other security measures for users accessing the website, such as malware detection and vulnerability assessments. This certification is strong and effective but may be unnecessarily costly for anyone with no intention of making a lasting mark on the Web.
SSL Certification Cost Comparison
| Levels | Certificate | SSL Type | Cost (/year) |
| --- | --- | --- | --- |
| Domain Validation | PositiveSSL | Single Domain | $7.95 |
| Domain Validation | PositiveSSL Wildcard | Wildcard | $69.78 |
| Domain Validation | PositiveSSL Multi-Domain | Multi-Domain | $18.81 |
| Organization Validation | InstantSSL | Single Domain | $27.44 |
| Organization Validation | InstantSSL Premium Wildcard | Wildcard | $102.97 |
| Organization Validation | Comodo Multi-Domain SSL | Multi-Domain | $116.82 |
| Extended Validation | EnterpriseSSL Pro | Single Domain | $861.62 |
| Extended Validation | EnterpriseSSL Pro with EV Multi-Domain | Multi-Domain | $2351.22 |

**Current price as of 8/16 from Comodo. Cost may vary depending on the company.**
Future of SSL
Personally, I consider SSL one of the more reliable existing methods for ensuring safe navigation in the present, and it would definitely be a valuable consideration in the future. It not only makes users aware of a safe internet navigation practice, but it also provides an open relationship that allows users to recognize businesses. SSL certification will become one of the more widely practiced systems as more web browsers use this method, possibly relying on SSL certificates to verify websites as Google does. Along with all the benefits comes the potential concern that the current SSL/TLS certification method may not be completely effective in the future. SSL certificates will become a threat if there is a possibility of replicating or infiltrating the SSL verification process. In 2015, the Heartbleed problem allowed a cybercriminal to gain access to encrypted information. It was later discovered that older, less secure versions of SSL encryption are easily accessible. Learning from this, we must continuously find ways to harden the system to ensure the validity of SSL/TLS certification. There is no complete version of SSL/TLS certification, because there will always be someone or some system that eventually adapts and becomes capable of breaking through if not enough improvements are made.