- SSL certificates should be chosen based on a number of factors, including company reputation, support availability and encryption level.
- There are several types of certificates available for businesses, including domain validation, organization validation and extended validation certificates.
- You should take the time to evaluate the utility of different features among certificate providers.
The world of SSL certificates is changing for the better. They have become easier to obtain and more frequently used. In general, having secure applications, including web and databases, is a good thing: the secure part of the protocol means it is more difficult to eavesdrop on any conversation that is carried on across the Internet. It isn’t impossible: if someone is determined to break that encrypted traffic, they have to work hard but they can do it with the right tools and lots of effort. But if you are running an eCommerce site, for example, this encryption is absolutely essential. The popularity of certificates is easily seen: Google measures an increasing amount of browsing traffic to its various servers. Over the past several years encrypted access has exceeded 95 percent of all traffic across Google’s online services.
Despite their popularity, there is a lot to know and understand about certificates as well. Let’s take a closer look.
Different Kinds of Certificates
There are several different kinds of SSL certificates:
- Wildcards, allow anyone operating a domain to secure multiple subdomains and hostnames within that domain. For example a wildcard SSL on domain.com would protect mail.domain.com.
- Unified Communication Certificate (UCC), A UCC SSL will protect multiple domains (anywhere from 2-250). For example, a UCC will secure the following under one certificate: domain1.com, domain2.com and domain3.com. This type of SSL enables larger companies with many domains to manage costs by purchasing a single SSL to secure multiple domains. It also reduces the number of SSL expiration dates that need to be managed.
There are several validation types, including:
- Domain validation (DV), which involves minimal checking of credentials.
- Organization validation (OV), which involves more vetting to ensure that the owner of the cert is whom they say they are.
- Extended validation (EV), which involves even more vetting of business owners.
The first one is useful for individuals; the last two are more beneficial for businesses. Obviously, the more vetting is involved, the more costly the certificate will be. Network Solutions began selling certificate products in 2005 and offers a variety that covers each kind of certificate. Here are more details about how to choose the right kind of certificate.
Features to Look for When Purchasing Your Certificate
Besides figuring out which kind of certificate to deploy, here is what else should you look for when purchasing a certificate for your servers.
Reputation. PluralSight has this list of top 10 providers, and Network Solutions is among them. We are also members of the Certificate Authority/Browser Forum board. This is the organization that drives industry changes and sets up standards and interoperability rules for how certificates are used by applications.
Guarantees. Does your certificate provider guarantee some form of financial compensation in case of a breach? For example, Network Solutions offers varying levels of guarantees ranging from $10,000 up to $1 million depending on your business needs.
Customer support. Does your certificate provider have SSL Customer Support and online help resources? It’s important to be able to access a trained support agent either by phone or over chat to reissue, renew or add domains to your SSL.
Length of validity. How long is the certificate valid? Some providers have short time periods, others last longer. Also, you should understand the process by which you can revoke a certificate too. Some providers make revocation easier with online tools, others have more manual processes. You want a process that isn’t too complicated, given that you will need to revoke a certificate periodically in case an employee is fired or if an application changes.
Encryption level. Does your certificate provider offer 256-bit encryption on all their certificates? This higher bit-level makes the encryption more secure.
Other Considerations For Certificate Use
If your business owns many different domains, your brand could be an attractive target for malicious attacks. Why? Scammers want to present a domain in a phished email, say, that lights up the closed padlock icon in a browser, or that shows the domain with a “secure” label. They want this because users will trust that they are connecting to the domain over an encrypted channel.
With the prevalence of free domain validation (DV) SSLs in the industry, it has become easier for hackers to apply and stand up a malicious website with an SSL. While the certificate provides that visual “safe” feedback, it does nothing to tell you if the domain owner is trustworthy.
While a DV SSL may be attractive to your company from a pricing perspective and speed to market, the more stringent validation methods will ensure that your company is recognized as trustworthy and legitimate.
Understanding certificates requires some knowledge, and even many IT professionals don’t always have this level of encryption insight. Troy Hunt has some research about the perceived vs. actual value of SSL certificates. Hunt’s analysis in determining trust and preventing phishing attacks is worth reviewing, and his attention to detail is commendable. Hunt cites several studies about perceived security, such as only seven percent of the top million websites who are currently using HTTPS have EV certificates. Many banks and other financial organizations still don’t have HTTPS-based home pages, only protecting their subsequent login pages with SSL.
So should you secure your site with an SSL EV certificate? The short answer is yes, but with some qualifications, and only if you understand what you are getting into. As Hunt says, “By all means, go and grab an EV certificate if you think there’s a benefit because, at the absolute worst, they’re not going to do any harm and at best, some people may trust you more and that could translate into sales.” Until we get better and more uniform notifications from our browsers, that sadly is the best we can expect for now.