This guest column is authored by Natasha Miranda, Technical Writer, Comodo
SSL certificates and HTTPS are pretty common terms these days. Website owners, entities running online businesses (eMerchants), visitors of websites, users of online payment portals, and in general anybody who has anything to do with the Internet must know about HTTPS and SSL certificates.
The terms may sound a bit vague to non-technical users, but cybersecurity awareness has become a necessity for every Internet user, given the cyber attacks and malware that are out there. A web page served over SSL can be identified by the padlock icon displayed in the address bar. Depending on the type of SSL certificate, the address bar may also be shown in green. Further, the address will begin with “https://” instead of just “http://”.
HTTP (Hypertext Transfer Protocol) is an application-layer request–response protocol in the client–server model of computing. A web browser acting as a client submits an HTTP request to the server, and the server responds to the message. In simple terms, it is the standard protocol used for transferring hypertext documents on the World Wide Web (www).
Although HTTP has been used for many years, it provides no security of its own: it offers no confidentiality, integrity or authentication. HTTP has therefore evolved into HTTPS, which goes by many names: HTTP over TLS, HTTP over SSL, and HTTP Secure. It is the most widely used protocol on the Internet for secure communication over a computer network. The communication takes place over a connection encrypted by SSL (Secure Sockets Layer) or TLS (Transport Layer Security). HTTPS authenticates the visited website and protects the privacy and integrity of the data being exchanged; without it, cybercriminals can intercept and steal that data through man-in-the-middle (MitM) attacks.
Earlier, HTTPS connections were used mostly for sensitive transactions such as eCommerce and payment transactions, and for e-mail communication. Later on, all types of websites began using HTTPS to protect page authenticity and ensure the privacy of web browsing. HTTPS is now widely preferred, and Google supports it by ranking HTTPS pages higher than HTTP-only pages.
Why is SSL required?
As stated earlier, SSL (Secure Sockets Layer) creates an encrypted connection between a web server and the visitor’s web browser to ensure that all information (private, sensitive, confidential) is transmitted securely, without being subject to message forgery, data tampering, and eavesdropping through MitM attacks, which have become all too common.
When a website has a properly installed SSL certificate, any information transmitted between the visitor’s web browser and the website’s web server is encrypted, and only the owner of the website can read it.
For eCommerce businesses online security is a must; it is not optional. Lack of security has severe consequences, including loss of business, loss of customer trust, and legal consequences. The first step is to acquire an SSL certificate for the website. Though this means additional expense, eCommerce businesses cannot do without these security measures. Businesses that did not adopt SSL have lost customers and closed down as website visitors and customers became more security conscious.
SSL certificates are issued by entities known as Certificate Authorities (CAs). There are many CAs; however, it is better to obtain the certificate from a reputed and recognized CA, because there have been cases of certificates being issued without the necessary validation processes being followed. SSL certificates are issued after the CA validates the domain and the organization. Some unscrupulous entities have managed to obtain SSL certificates from CAs that did not follow the validation norms.
Details in an SSL certificate
SSL certificates are issued to legally accountable individuals or enterprises/corporates. When a browser displays a certificate, it typically shows the following details:
- whether the page is secure, whether it has a valid certificate, whether the connection is secure, and whether all resources were loaded securely;
- the purposes the certificate is intended for (ensuring the identity of a remote computer, proving your identity to a remote computer);
- who it is issued to, who it is issued by (the CA), and the validity period, including the expiry date;
- the domain name, company name, address, city, state and country;
- the type of SSL certificate, the protocol used (e.g. TLS 1.2), the key exchange, and the cipher in use;
- the signature algorithm, the signature hash algorithm, the public key value and the certificate status.
SSL certificate Validation
When a browser requests an HTTPS connection to a website, it retrieves the site’s certificate and checks that it is still valid and has not expired. It also checks that the certificate chains to a trusted root, and that it is being used by the website for which the CA issued it. If the certificate fails any of these checks, the browser displays a warning to the end user. Browser vendors take the reputation of CAs seriously and remove CAs from their trust stores for breaches of trust; they also block untrusted CAs.
Types of SSL Certificates
There are many types of SSL certificates.
- Domain-validated certificates
- Web server authentication certificates
- Extended Validation certificates
- Wildcard certificates
- Unified Communications (UC or SAN) certificates
- Code signing certificates
- E-mail certificates
Domain-Validated Certificates
These certificates are issued after the CA verifies only the domain of the enterprise/organization. The CA just checks the WHOIS record to verify the owner of the domain name and then issues the certificate. Domain-validated certificates are cheaper than other certificates but offer lower assurance.
Web Server Authentication Certificates
Web server authentication certificates are used for securing web servers, email servers, and file transfers.
Extended Validation Certificates
CAs validate the business and its authorization before issuing an Extended Validation (EV) certificate. This certificate turns the address bar green and hence provides even greater assurance to website visitors/customers.
Wildcard Certificates
Wildcard SSL certificates are used for securing a domain and an unlimited number of its subdomains with a single certificate. A single wildcard certificate for *.yourdomain.com can be used to secure payments.yourdomain.com, login.yourdomain.com, mail.yourdomain.com, and so on.
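The browser checks described in the validation section above (expiry, chaining to a trusted root, and use by the website the certificate was issued for) and the wildcard matching rule in this section, as an added Go example that is not part of this column or of any Comodo product. It builds a throwaway root CA and server certificates in memory with Go's standard crypto/x509 package and runs each certificate through the same Verify routine a TLS client uses. The CA names and the yourdomain.com host names are constructed for the example, and the fixed date is an assumption so that the expiry case is reproducible.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Fixed "now" (an assumption) so the validity checks are reproducible. Every
// certificate below is constructed in memory; the CA and host names are hypothetical.
var now = time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC)

// mint generates a key pair and has parent/signer sign tmpl; when parent is nil the certificate is self-signed.
func mint(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore = now.Add(-24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newRoot creates a self-signed CA certificate, the kind of trust anchor a browser ships.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mint(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// newLeaf has the CA (caCert, caKey) issue a server certificate for the listed DNS names.
func newLeaf(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, dnsNames []string, notAfter time.Time) *x509.Certificate {
	cert, _ := mint(&x509.Certificate{
		DNSNames:    dnsNames,
		NotAfter:    notAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, caCert, caKey)
	return cert
}

// Validate performs the browser's checks: chains to a trusted root, inside its validity period, issued for host.
func Validate(leaf *x509.Certificate, roots []*x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:     host,
		Roots:       pool,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenario builds the fixtures and records, per case, whether validation accepted the certificate.
func Scenario() map[string]bool {
	trustedCert, trustedKey := newRoot("Trusted Root CA (constructed)")
	unknownCert, unknownKey := newRoot("Unknown Root CA (constructed)")
	in90Days := now.Add(90 * 24 * time.Hour)
	site := newLeaf(trustedCert, trustedKey, []string{"www.yourdomain.com"}, in90Days)
	expired := newLeaf(trustedCert, trustedKey, []string{"www.yourdomain.com"}, now.Add(-time.Hour))
	wildcard := newLeaf(trustedCert, trustedKey, []string{"*.yourdomain.com"}, in90Days)
	rogue := newLeaf(unknownCert, unknownKey, []string{"www.yourdomain.com"}, in90Days)
	roots := []*x509.Certificate{trustedCert} // the browser's trust store holds only the trusted CA
	ok := func(c *x509.Certificate, host string) bool { return Validate(c, roots, host) == nil }
	return map[string]bool{
		"valid cert, matching host":        ok(site, "www.yourdomain.com"),
		"valid cert, different host":       ok(site, "login.yourdomain.com"),
		"expired cert":                     ok(expired, "www.yourdomain.com"),
		"issued by CA not in trust store":  ok(rogue, "www.yourdomain.com"),
		"wildcard covers one subdomain":    ok(wildcard, "payments.yourdomain.com"),
		"wildcard covers nested subdomain": ok(wildcard, "a.b.yourdomain.com"),
		"wildcard covers bare domain":      ok(wildcard, "yourdomain.com"),
	}
}

func main() { fmt.Println(Scenario()) }
```

Run it with go run; each entry reports whether the browser-style check would accept the certificate for that host. Only the first and fifth cases are accepted: an expired certificate, a certificate from a CA that is not in the trust store, and a certificate presented by a host it was not issued for are all rejected, which is exactly where a browser shows its warning. Note too that a wildcard for *.yourdomain.com matches one label only: payments.yourdomain.com is covered, but a.b.yourdomain.com and the bare yourdomain.com are not, so the bare domain needs its own Subject Alternative Name entry.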
Unified Communications (UC or SAN) certificates
Unified Communications (UC) or Subject Alternative Name (SAN) certificates are a type of web server authentication certificate that is used for securing multiple domain names.
Code Signing Certificates
A code signing certificate is used for ensuring code integrity. It enables a developer to digitally sign executable code to confirm authorship/ownership and to guarantee that the code has been sealed (shrink-wrapped) and has not been altered by any malicious entity.
E-mail Certificates
E-mail certificates are also known as S/MIME certificates. They are used to sign and encrypt e-mails, giving the receiver a guarantee of the sender’s authorship of the e-mail.
Basically, every eCommerce merchant needs to acquire SSL certificates to ensure the security of the website and to protect visitors’ and customers’ confidential data. As mentioned above, the benefits of SSL certificates are many, and the organisation has to identify the appropriate SSL certificates and acquire them from a reputed and recognised Certificate Authority.
Image Credit – DesignWhere