How does an SSL certificate work and which one suits your website best?
Timo, January 29, 2020
Since Let’s Encrypt began issuing free SSL/TLS certificates in 2016, the encrypted HTTPS connection has become the standard. Now that Google also labels sites without HTTPS as insecure, it’s safe to say you can’t really have a serious website without a certificate anymore. Why are certificates essential for establishing an HTTPS connection, and which SSL/TLS certificate suits your website best? You’ll read about it in this blog post.
How does the HTTPS protocol work?
HTTPS stands for ‘hypertext transfer protocol secure’, the protocol web browsers use to ‘read’ websites. In the past websites were visited over plain HTTP; the added ‘S’ stands for secure. What makes HTTPS secure compared to HTTP? The encryption of the data traffic between the web browser you use and the server on which the website you are visiting is located.
When an outsider hooks into the communication between your browser and a server, they only see data that has been encrypted (see example below): an incomprehensible mush of random numbers, letters and signs. Someone who’s ‘secretly’ tapping into the communication cannot see how you, as a web visitor, enter payment details or other sensitive information.
The difference between SSL and TLS
The term SSL (Secure Sockets Layer) is actually no longer appropriate when talking about SSL certificates. This outdated encryption protocol was replaced by TLS (Transport Layer Security) quite some time ago, and most browsers and servers therefore no longer support encryption based on SSL. Nevertheless, certificates are still referred to as SSL certificates because people have become familiar with the name. To avoid any confusion, we will refer to the certificates as SSL/TLS in this article. For more information about SSL and its successor TLS, I recommend reading this blog post.
What role does the SSL/TLS certificate play within the encryption process?
An SSL/TLS certificate has two main functions: providing proof to a web browser that a website can be trusted, and providing the browser with an encryption key.
The four components of an SSL/TLS certificate:
- Proof of DNS ownership (the domain name the certificate is valid for)
- Digital signature of the web server
- Digital signature of the publisher (the certificate authority)
- An encryption key (the server’s public key)
The moment a web browser and a server contact each other, a so-called ‘handshake’ takes place. During the handshake, both parties determine the encryption method and the web browser checks whether the certificate is valid. Using the SSL/TLS certificate, the web browser can see whether a website is reliable, which is essential for establishing an HTTPS connection.
The SSL/TLS handshake
An SSL/TLS handshake takes place to kick-start an HTTPS connection. This is where a server and web browser get to know each other, determine whether they trust each other and agree on which encryption method (cipher suite) is used. The handshake goes as follows:
- The web browser makes contact with the server and indicates which encryption protocols it supports.
- The server responds to the web browser, sends it its SSL/TLS certificate and chooses an encryption protocol.
- The web browser checks the SSL/TLS certificate. If it is approved, the browser uses the public key that was sent along with the certificate.
- The web browser generates a so-called ‘premaster secret’ byte string and encrypts it with that public key. This encrypted blob can only be decrypted with the private key stored on the server.
- The server decrypts the byte string and so finds proof that the right parties are communicating with each other.
- Both parties then exchange session keys. These keys are unique for each session between web browser and server; new session keys are created on every new visit.
- After exchanging the session keys, the server and web browser communicate with each other over the HTTPS connection.
The difference between DV and EV certificates
Installing an EV certificate (usually more expensive) does not improve the encryption compared to a DV certificate; the two differ only in how they are issued. For a domain validation certificate (DV certificate), the certificate authority checks whether the applicant is the owner of the domain on which the website is located. For an extended validation certificate (EV certificate), company data is also extensively reviewed: the certificate issuer checks the Chamber of Commerce data, checks whether the company is in the WHOIS database and contacts the company by telephone.
What is the advantage of this extensive check? Suppose someone sets up a phishing website under your company name. Chances are that visitors will not see the difference between this site and the official company website. A scammer only has to prove that he owns a domain in order to get a DV certificate, which he can then install on his phishing site. The site looks reliable, but of course it’s not. The data traffic between web browser and server is encrypted, but the concern here is not people trying to tap into the communication; it’s the visited site itself.
With an EV certificate, the visitor is able to check whether the site he is visiting really belongs to the company it claims to represent. After checking, visitors can be sure they are making payments, or leaving confidential data, on the correct website.
Fifty-eight percent of all phishing websites use an HTTPS connection and therefore have an SSL/TLS certificate installed on the server. According to USENIX research, only 0.4% of those cases involve a phishing website with an EV certificate. So it is very difficult for crooks to get an EV certificate for their phishing sites. If they do, the certificate publisher usually pays for the damage. Just for fun, check our certificate by clicking on the padlock in the address bar. As you can see, we also have an EV certificate.
P.S. Use Qualys’ SSL Server Test to test the HTTPS connection of websites. An extensive report will show you which protocols and cipher suites are supported and which certificate is installed on a server. The test result of our website can be found here.
The wildcard certificate
In addition to DV and EV certificates, Savvii also offers the possibility of buying a wildcard certificate. This is intended for websites that have subdomains. Normally a certificate only secures the main domain of a website, but with a wildcard certificate all your subdomains get an HTTPS connection as well. Read more about the certificates we offer on our certificates page.
Let’s Encrypt or Sectigo?
At Savvii, we install a free Let’s Encrypt certificate on every server. This way your website will always have a secure HTTPS connection. Usually a Let’s Encrypt certificate has to be replaced after 90 days. As part of our service package we arrange this for you. Would you like to install an extra secure EV certificate from Sectigo on your website? Then you can purchase it from us and we will install it. See our certificates page for more information.
For the average blogger a DV certificate will be sufficient. But if you run a webshop, or have a company website where customers leave sensitive information, an EV certificate isn’t an unnecessary luxury. With an EV certificate you are insured against the consequences of abuse: for example, if an unauthorized party gets their hands on the certificate, you and your customers will receive full compensation for the damage. In addition, your website will have a more trustworthy appearance, and your website’s conversion rate will surely benefit from this.