If you use SSL encryption on your website, data is sent from your visitor’s browser to your servers via a secure connection.
- Why should I encrypt my website?
- How does SSL encryption work?
- What is an SSL certificate
- What are the different types of SSL certificates?
- Domain Validation
- Organization Validation
- Extended Validation
- To what extent can the certificates be used?
- Single Name Certificate
- Wildcard Certificate
- Multi Domain Certificate
- Which certificate do I need?
- Conclusion
In the browser, encryption can be recognised by the white or sometimes green lock in the address bar:
“SSL” stands for Secure Sockets Layer and has become synonymous with the encryption of online data streams. The original SSL format is no longer used – it has been replaces by the newer and more secure Transport Layer Security standard.
This type of secure connection can be recognised by the HTTPS protocol. Like the HTTP protocol, this is a communication protocol for data transmission on the Internet. The difference between HTTPS and HTTP is the encrypted and tap-proof transmission of data using TLS.
Remember: HTTPS = HTTP + SSL/TLS
In August 2014, Google began defining HTTPS as a ranking factor. Now, if a website relies exclusively on the HTTPS protocol, it can receive a small bonus in Google’s evaluation. This means: HTTPS is a very weakly weighted ranking factor.
In addition, Google has also started to display a “Not secure” at the top of the browser bar for all HTTP connections in its Chrome browser.
From a search engine optimisation perspective, SSL encryption of a site not only provides a slight ranking boost, but also gives the user more trust in the website. After all, the data streams are being protected from manipulation.
Why should I encrypt my website?
Without encryption, all data to be transmitted on the Internet can be viewed in plain text and manipulated by third parties with little effort.
This is a major problem when sensitive data is transferred to a website. This could be credit card data at check-out, the login name and password for an e-mail provider or personal messages on a social network.
If a website operator decides to send the message “Hello World” via an unencrypted connection, this data packet could be read on the way from the browser to the server and would contain “Hello World” in plain text.
If an encrypted connection is used, the “Hello World” may only be read as “ChRryvbo7r1iaedkdDHEwmp1qYewD+vcoxW39n0yD6g=” for example, when viewing the data packet. Pretty useless.
Only the server with which the encrypted connection has been established has the necessary information to turn the “ChRryvbo7r1iaedkdDHEwmp1qYewD+vcoxW39n0yD6g=” back into a “Hello World“.
How does SSL encryption work?
So that a browser can establish an encrypted connection to a server (of a domain), the browser first needs to know whether the server also belongs to the domain it claims to be. SSL certificates are used for this purpose.
What is an SSL certificate
An SSL certificate is a method of verifying the authenticity of a website. To do this, a website must apply for a certificate from a recognised certification authority.
These are called Certification Authorities (CA) and request a range of information from the applicant. How much information is required depends on the type of the certificate to be issued.
Once the domain has been verified, the public key is also stored with the CA. This cryptographic key is then used to encode the messages. To change a message back to its original state, another key is required, the private key. This private key is permanently installed only on the verified server and can decode the messages.
The important thing here is that a message that has been encoded with a public key cannot be decoded with the same public key. The instructions on how to encode a message can therefore be made freely available, while the only way to decode the encoded message is kept under lock and key.
The keys have different lengths. Nowadays, you should use at least a 256-bit key, although larger keys are even better.
What are the different types of SSL certificates?
A distinction is made between three different certificate levels with different levels of trust: Domain Validation (DV), Organization Validation (OV) and Extended Validation (EV).
Domain Validation
A DV certificate has the lowest trust level and only validates the domain name. You can use it to prove that a request from domain.com really does come from the domain domain.com, but no further information is requested. This type of certificate is also known as a Low Assurance certificate.
Organization Validation
In order to obtain an OV certificate, not only is the ownership of a domain checked, but also information about the identity and address. In this case, a company must not only prove that it owns the domain, but also that it actually is the company in question and confirm its location. This type of certificate is also known as a High Assurance certificate.
Extended Validation
For an EV certificate, you not only have to prove that the company exists at the specific location and that it owns the relevant domain. This certificate actively checks whether the company is a registered organisation with an active account that can be used for active business transactions. In addition, there is a further check of the address and telephone number, as well as the persons applying for the EV certificate.
These certificates are the most comprehensive and most expensive, but also offer the user the greatest possible security. With this type of certificate, modern browsers also display the name of the organisation next to the browser bar – in Microsoft’s Internet Explorer and Edge browsers, the entire address bar is also highlighted in green.
To what extent can the certificates be used?
Most validation types can be created either for a single name (also known as Single Name certificate), for an entire domain (including all subdomains, also known as Wildcard certificate) or for several domains simultaneously (also known as a Multi Domain certificate).
Single Name Certificate
With a Single Name certificate, only the specific host is verified. A certificate for www.domain.com is therefore only valid for the www host. For example, if there were a subdomain such as shop.domain.com, this would not benefit from the www host’s certificate.
A Single Name certificate can be used for Domain Validation, Organization Validation and Extended Validation.
Wildcard Certificate
The Wildcard certificate * enables a website operator to achieve certification for all subdomains of a domain at the same time. With a certificate for *.domain.com, both the host www.domain.com and the subdomains shop.domain.com and blog.domain.com would be validated.
Important: A Wildcard certificate cannot be used together with Extended Validation. Only DV and OV certificates can be Wildcard certificates.
Multi Domain Certificate
With the Multi Domain certificate, several domains can be verified and summarised under one certificate. With this type, we could validate the domain www.domain.com and also www.domain.co.uk together. A Multi Domain certificate can be used together with Extended Validation, although the individual hosts must be explicitly defined.
Which certificate do I need?
For your blog or personal website, a Single Name Domain Validation certificate can be enough to secure the passwords for the comment option. The same applies to forums and the logins there, for example.
An Organization Validation certificate is ideal for a company website so that visitors can be sure that the website not only bears the name of your company, but can also be correctly assigned to it. Whether you need a Wildcard certificate depends entirely on whether you use multiple hostnames or not.
For all use cases in which sensitive user data such as personal, bank or credit card data is transmitted, you should invest in an Extended Validation certificate. This not only protects user data, it also instils additional trust in the user with the highlighted view in the browser bar.
Conclusion
Every website operator can decide for themselves how important encrypted communication is for their own site. For a blog without a comment feature, it would not be necessary from a security point of view to encrypt user data using an SSL certificate.
However, if you manage your blog CMS via a web interface (e.g. with WordPress), you should consider at least encrypting the connection with a Single Name Domain Validation certificate for your login data alone.
As soon as you move into the field of e-commerce, you should ensure that all necessary pages that transmit sensitive data are encrypted.
In addition, a lock at the front of the browser bar or even the company name highlighted in green (in the case of an EV certificate) can increase user trust in the site. Google’s measure to classify unencrypted HTTP connections as “not secure” in the Chrome browser reflects the same approach.
Despite all the advantage of encrypting your own website using HTTPS, there are a few points that need to be considered before and after the move.
