An SSL certificate (or TLS certificate) is a digital certificate that binds a cryptographic key to your organization's details. Secure Sockets Layer (SSL) is a cryptographic protocol designed to encrypt communication between a server and a web browser.
While SSL certificates are installed server side, there are visual cues in the browser that show SSL protection. If SSL is present you may see https:// in the address bar, a padlock, green address bar or a combination of the three.
SSL secures your connection to a web server and encrypts any transferred data.
Encrypting data reduces the cybersecurity risk of man-in-the-middle attacks and many other forms of cyber attack. Traditionally, SSL has been used to secure credit card information on e-commerce sites, personal data transfer and to secure social media sites.
Today, search engines like Google have called for HTTPS everywhere, even if websites don't handle sensitive data or sensitive information like personally identifiable information (PII). HTTPS not only provides critical information security and data integrity, but is a requirement for many new web browser features like progressive web apps (PWAs).
What is Transport Layer Security (TLS)?
Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL). Think of it as a more secure version of SSL. Despite new certificates using TLS (RSA or ECC), it remains common for security certificates to be referred to as SSL certificates.
TLS, like SSL, provides privacy and data integrity between two or more communicating applications. When secured by TLS, connections between your browser and a server must have one or more of the following properties:
- The connection is secured by symmetric cryptography. The keys for symmetric encryption are unique to each connection, based on a shared secret that is negotiated at the start of a session through a TLS handshake. The server and your browser negotiate the details of which encryption algorithm and cryptographic keys are used before data is transmitted. The negotiation of a shared secret is secure (preventing eavesdropping) and reliable (no attacker can modify messages without being detected, preventing man-in-the-middle attacks).
- Identity of communicating parties (e.g. you and UpGuard.com) can be authenticated using public-key cryptography. Public keys are disseminated widely and private keys are only known to the owner. Any person can encrypt a message using the receiver's public key but only their private key can decrypt. Authentication can be made optional but is generally required for at least one of the parties (typically the server).
- The connection is reliable because each transmitted message has its integrity checked using a message authentication code (MAC), preventing undetected loss or manipulation of data. A MAC is a short piece of information used to confirm the message came from the stated sender and has not been changed. This protects data integrity and authenticity.
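How the MAC check in the last bullet catches both manipulation and loss, as an added example that is not part of the original article: a simplified model, not the TLS record format, in which each record's HMAC-SHA256 tag also covers a sequence number. The function names and sample messages are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # size of an HMAC-SHA256 tag in bytes


def _tag(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    # The MAC covers the 64-bit sequence number as well as the payload, so a
    # valid record replayed at a different position no longer verifies.
    return hmac.new(mac_key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()


def protect(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: append the tag to the payload (encryption is omitted here)."""
    return payload + _tag(mac_key, seq, payload)


def deliver(mac_key: bytes, records: list) -> tuple:
    """Receiver: return (accepted payloads, error or None).

    Processing stops at the first record that fails, the way a TLS endpoint
    closes the connection on a bad MAC instead of skipping the record.
    """
    accepted = []
    for expected_seq, record in enumerate(records):
        payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        # compare_digest runs in constant time, so the comparison does not
        # leak how many leading bytes of a forged tag were correct.
        if not hmac.compare_digest(tag, _tag(mac_key, expected_seq, payload)):
            return accepted, f"MAC check failed at record {expected_seq}"
        accepted.append(payload)
    return accepted, None


if __name__ == "__main__":
    key = os.urandom(32)  # stands in for the per-connection MAC key
    msgs = [b"GET /account", b"amount=10", b"logout"]  # constructed sample data
    recs = [protect(key, i, m) for i, m in enumerate(msgs)]
    flipped = bytes([recs[1][0] ^ 1]) + recs[1][1:]
    print("in order :", deliver(key, recs))
    print("tampered :", deliver(key, [recs[0], flipped, recs[2]]))
    print("dropped  :", deliver(key, [recs[0], recs[2]]))
    print("reordered:", deliver(key, [recs[1], recs[0], recs[2]]))
```

A record removed from the very end of the stream is not caught by this check alone; TLS covers that case with its close_notify alert, which marks an orderly end of data.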
In addition, configuration of TLS can provide further privacy-related benefits like forward secrecy. Forward secrecy ensures that future disclosure of session keys only compromises a particular session. This is achieved by generating a unique key for each session, so the compromise of a single session key cannot affect the data exchanged in any other session.
What is Hypertext Transfer Protocol Secure (HTTPS)?
Hypertext Transfer Protocol Secure (HTTPS) is an extension of Hypertext Transfer Protocol (HTTP). It is used to securely transfer data over a network. In HTTPS, the communication is encrypted using TLS.
HTTPS provides authentication of the accessed website, protecting the privacy and integrity of exchanged data. It also protects against man-in-the-middle attacks such as eavesdropping and tampering of transmitted data. Because HTTPS piggybacks HTTP on top of TLS, the entire HTTP protocol is encrypted including the requested URL (the specific page requested), query parameters, headers and cookies (which often contain identifying information about the user).
The one thing that eavesdroppers can see is the website address and port numbers which are part of TCP/IP protocols and not protected by HTTPS. This means an eavesdropper can infer the IP address and port number of a web server (the domain name but not the specific page) that you are communicating with, as well as the amount of data transferred and session time.
Modern web browsers know which HTTPS websites to trust based on certificate authorities that are pre-installed. Certificate authorities like Let's Encrypt are trusted to provide valid certificates. This means HTTPS connections are only trusted if all the following are true:
- You trust your web browser correctly implements HTTPS with valid certificate authorities.
- You trust the certificate authority will only vouch for legitimate websites.
- The website you visit provides a valid certificate signed by a trusted certificate authority.
- The SSL certificate correctly identifies the website and not another entity.
- You trust SSL/TLS is sufficient to protect against eavesdroppers.
Why is an SSL certificate important?
Customer trust is the foundation of any business and Internet-based businesses are no exception. If your business has a reputation for unreliability, insecurity or dishonesty, you can expect to have a hard time selling your goods or services. Conversely, being known as a reliable, secure and honest brand will help attract customers. An SSL certificate is one way to show current and prospective customers that you care about their security.
Consumers are being trained to look for the on-screen presence of the padlock or green bar that begins with https:// as a sign that they can trust the website they are connected to.
While they may not understand the underlying mechanics of SSL/TLS, they do understand that it protects their sensitive information: credit card numbers, passwords, phone numbers and any other personal information that your end users don't want exposed.
It's not enough to protect sensitive information that you store from data breaches and data leaks. You need to protect information in transit too. And it's not just your organization you need to worry about: ensuring your vendors have valid SSL certificates can reduce your third-party risk and fourth-party risk, and should be part of vendor risk management, third-party risk management, information risk management and cyber security risk assessment programs.
How do SSL Certificates work?
SSL operates between your visitor's browser and your website or application. It's an industry standard that ensures data is communicated securely to and from the server, preventing man-in-the-middle attacks and eavesdropping.
SSL operates directly on top of transmission control protocol (TCP), allowing higher protocol layers to remain unchanged while providing a secure connection.
If an SSL certificate is configured correctly, attackers can only see the domain and port you are connected to and how much data is being transmitted. They may be able to terminate the connection but the server and user will be able to see the connection was dropped by a third party.
To enable SSL on your domain, you need to install an SSL certificate on your server. When a customer visits your website, their browser will connect to your server, check for a valid SSL certificate and initiate the SSL connection. All data will then be encrypted before being passed between their browser and your server.
The SSL process can be broken down into four steps:
- SSL handshake: Web browser validates the presence of an SSL certificate on your server.
- Server sends certificate: Necessary information including the type of SSL certificate, level of encryption and more is sent to browser.
- User confirms certificate validity: Web browser checks certificate is from a trusted certificate authority and uses the highest level of encryption supported by both parties.
- Guaranteed integrity and authenticity: SSL and TLS protocols use message authentication codes (MAC) to ensure data integrity and authenticity.
What do SSL certificates do?
SSL certificates add an additional level of security between your website and visitors by creating an encrypted link between you and them.
This provides two layers of protection:
- Encryption: Sharing information online can be risky, and many people prefer to only transact with businesses they know and trust. With an SSL certificate, customers know their sensitive data is encrypted and secure. SSL certificates can have different levels of encryption but the standard SSL certificate can be sufficient to get started.
- Verifying identity: SSL certificates identify the website owner and create an additional level of trust for online businesses.
Types of SSL certificates
There are three different types of SSL certificates that offer three levels of security for SSL/TLS negotiations:
- Domain validated certificate (DV): Prove ownership over a domain name. The identity of the organization isn't checked, only that the person who has the SSL certificate also controls the domain name. This is the most basic level of SSL certificate and often comes free with hosting. Typically takes a few minutes to a few days to receive. Also known as a domain validation certificate.
- Organization validated certificate (OV): Prove ownership of domain name and provide a registered company name. Individuals running a website won't be issued this level of certificate. Typically takes a few hours to days to receive. Also known as an organization validation certificate.
- Extended Validation certificate (EV): Highest level of SSL certificate. To obtain an EV, you need to be able to validate your business, domain name and go through additional verification steps. Typically takes a few days to weeks to receive but goes a long way towards showing visitors you value their privacy and protection.
Additionally, SSL certificates vary based on the number of domains or subdomains they need to protect:
- Single-domain SSL certificates: Secures one domain name or subdomain.
- Wildcard SSL certificates: Covers one domain name and an unlimited number of subdomains.
- Multi-domain SSL certificates: Secures multiple domain names.
Is an SSL certificate necessary?
Yes. Consumers are trained to leave websites without an SSL certificate and with Google using HTTPS as a ranking factor, there is no excuse to not have one. Other important reasons to have a valid SSL certificate include:
- Improving conversion rate: Consumers have come to expect the padlock when making purchases online; without it you are losing revenue.
- Improving consumer trust: If you collect any personally identifiable information (PII), you need an SSL certificate. The financial, reputational and regulatory impact of cyber attacks has never been higher. This includes sites that collect emails.
Do SSL certificates affect search rankings?
Yes, you can increase your search engine rankings and increase user trust by installing SSL site-wide. Google confirmed in 2014 that HTTPS is now a ranking factor. Security is a top priority at Google and they invest a lot in making sure their services are secure. By encouraging other webmasters to use TLS they make the Internet safer more broadly.
An SSL certificate will provide a small boost in rankings as well as show to current and future customers your organization cares about information security.
What is an SSL connection error?
SSL connection errors occur when the page being accessed has a security issue. They occur in the web browser and protect the user by interrupting access and informing them there is a potential security concern.
SSL connection errors take a number of forms and differ based on the browser used and the type of error. In some instances, the https:// may be highlighted in red rather than green. In Chrome, a number of full page takeovers interrupt connection with messages like "your connection is not private" or "this webpage is not available".
In most cases, users can decide to access the site anyway but should understand it is not as secure as it usually is.
SSL connection errors occur because no valid SSL certificates are installed, an expired certificate is installed or there may be a known vulnerability in your SSL certificate. The site is not necessarily doing anything malicious or trying to steal your information.
If your site is experiencing SSL connection errors, fix them right away by updating sitewide security protocols or by upgrading or renewing your SSL certificate. Otherwise, you risk losing traffic and revenue from customers who do not trust your insecure site.
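Two of the checks this article relies on, that the certificate correctly identifies the website and that it has not expired, including the hostname coverage of the single-domain, wildcard and multi-domain certificates described under "Types of SSL certificates". This is an added example, not code from the original article; `check_certificate`, `hostname_matches` and the sample certificate are constructed for the illustration, using the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl
import time

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"),
                       ("DNS", "example.net")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    A wildcard counts only as the whole leftmost label and stands for exactly
    one label: *.example.com covers www.example.com, but neither example.com
    nor a.b.example.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level name such as *.com.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_certificate(cert: dict, hostname: str, now: float, warn_days: int = 30) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    # Only subjectAltName DNS entries are used; current browsers ignore the
    # Common Name when matching hostnames.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(name, hostname) for name in names):
        findings.append("hostname-mismatch")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("not-yet-valid")
    elif now >= not_after:
        findings.append("expired")
    elif not_after - now < warn_days * 86400:
        findings.append("expires-soon")
    return findings


if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "a.b.example.com", "www.example.net"):
        print(host, check_certificate(SAMPLE_CERT, host, time.time()))
```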
Does SSL work over email?
Most email providers automatically enable SSL encryption by default. To retrieve email that has been flagged as insecure, you may need to disable it.
If your organization runs its own email service, contact your IT team to check whether your provider has SSL encryption.
How do I add an SSL certificate to my website?
Installing an SSL certificate will depend on how and where your website is hosted. The good news is there is generally a variety of ways to add an SSL certificate to your server. In many cases, your hosting provider will automatically add some form of SSL certificate to your website, likely a domain validated (DV) certificate. If your organization needs a more secure SSL certificate, you will need to talk to your hosting provider or IT security team.
- Is SSL compatible across devices? Yes, SSL certificates remain valid across any device. Keep in mind that this applies to web browsers and not necessarily in-app web browsers.
- Does SSL work across operating systems? Yes. The majority of operating systems support SSL/TLS but some older operating systems may not support the newer TLS versions.
- Do all browsers support SSL? Yes. All modern web browsers support SSL. Whether you use Firefox, Safari, Google Chrome or Microsoft Edge, SSL is supported.
- How can I tell if a site has SSL? Check for the https:// or the padlock icon in the address bar or use this tool from DigiCert to check if the SSL is installed correctly.
SSL certificates are an important tool to improve the cyber security of your website, ensure customer data is protected and to build trust. SSL certificates are a necessity and offer your site benefits including a better position in Google and other search engines.
- 256-bit encryption: Encrypting an electronic document or communication using an algorithm whose key is 256 bits in length. The longer the key, the stronger the encryption.
- Asymmetric cryptography: Also known as public key cryptography, uses public and private keys to encrypt and decrypt data. Keys are large numbers that are paired together but are not identical (asymmetric).
- Certificate signing request (CSR): In public key infrastructure (PKI) systems, CSR is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. It generally contains the public key for the certificate, identifying information (such as domain name) and integrity protection (e.g. a digital signature).
- Certificate Authority (CA): A certificate authority is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. It allows others to rely upon digital signatures or on assertions made about the private key that corresponds to the public key. CAs act as a trusted third party, trusted by both the owner of the certificate and the party relying on the certificate.
- Cipher suite: A set of algorithms to secure a network connection that uses Transport Layer Security (TLS) or its deprecated predecessor Secure Socket Layer (SSL). Cipher suites usually include a key exchange algorithm, a bulk encryption algorithm and a message authentication code (MAC) algorithm.
- Common Name (CN): Also known as the Fully Qualified Domain Name (FQDN), is the server name protected by an SSL certificate.
- Connection error: An error that occurs when trying to connect to an SSL-enabled website and your browser is unable to make a secure connection to the server.
- Domain-validated (DV) SSL certificate: A digital certificate used for Transport Layer Security (TLS) where the domain name of the applicant has been validated by proving control over the domain.
- Elliptic Curve Cryptography (ECC): An approach to asymmetric cryptography based on algebraic structure of elliptic curves over finite fields. Encryption keys are based on using points on a curve to create the public/private key pair, making it incredibly hard to break using brute force.
- Encryption: The process of encoding a message or information so only authorized parties can access it.
- Extended Validation (EV) SSL certificate: A digital certificate that proves the legal entity of the owner and is signed by a Certificate Authority key that can issue EV certificates.
- Key exchange: Also known as key establishment, is a method in cryptography where cryptographic keys are exchanged between two parties allowing the use of a cryptographic algorithm.
- Master secret: Used to generate encryption keys, MAC secrets and initialization vectors.
- Message authentication code (MAC): A short piece of information used to authenticate a message, enabling confirmation that the message came from the stated sender and has not been changed.
- Organization validation (OV) SSL certificate: SSL certificates that are strictly authenticated against business registry databases hosted by the government and ownership of domain.
- Pre-master secret: Used to create the master secret.
- Public key infrastructure (PKI): A set of roles, policies, hardware, software and procedures needed to create, manage, distribute, store, use and revoke digital certificates and public-key encryption.
- Secure server: A server that is protected by SSL or TLS.
- SAN (Subject Alternative Name) SSL certificate: An SSL certificate that allows users to specify additional hostnames on a single SSL certificate using the SAN extension.
- Secure Sockets Layer (SSL): A deprecated protocol to establish an encrypted link between a web server and browser.
- SSL certificate: Enables authentication between a server and a web browser, as well as encrypting the data that is transmitted between the two.
- SSL handshake: Provides privacy and data integrity for communication between a server and a client.
- Symmetric encryption: A form of encryption where both encryption and decryption are done with one key (a secret key).
- Transport Layer Security (TLS): A cryptographic protocol designed to provide a secure connection between a web server and a web browser.
- Transmission control protocol (TCP): One of the main protocols of the Internet protocol suite, TCP provides reliable, ordered, and error-checked delivery of a stream of bytes between applications running on hosts communicating via an IP network.
- Wildcard SSL certificate: An SSL certificate which can be used with your domain and multiple subdomains.
How UpGuard can help your organization secure your websites and maintain your SSL certificates
Whether your organization has one domain or thousands, our platform can monitor your organization's websites for SSL availability, expired SSLs, hostnames matching SSL certificates and strong SSL algorithms. UpGuard BreachSight can also help combat typosquatting, prevent data breaches and data leaks, avoid regulatory fines and protect your customers' trust through cyber security ratings and continuous exposure detection.
We can also help you continuously monitor, rate and send security questionnaires to your vendors to control third-party risk and fourth-party risk and improve your security posture, as well as automatically create an inventory, enforce policies, and detect unexpected changes to your IT infrastructure, helping you scale your vendor risk management, third-party risk management and cyber security risk assessment processes.