Keeping Your Website Safe, Secured, and Compliant - SSL Certificates

The Integral Role of Certificate Authorities (CA)

Certificate Authorities (CA) play an integral role in the entire SSL process because they’re the ones issuing these digital certificates. In essence, digital certificates, such as an SSL, are small verifiable data files containing identity credentials that help authenticate the online identity of people, websites, and devices.

Each digital certificate includes valuable information like the expiration date of the certificate, the owner’s name and other important information, along with a public key – a value provided by some designated authority as an encryption key.

As a trusted entity issuing these digital certificates, the CA must meet strict and detailed criteria before being accepted as a member. Once accepted, the CA is authorized to distribute SSL certificates. The longer the CA has been operational, the more browsers and devices will trust the certificates issued by the CA. One important thing to note is that for certificates to be transparently trusted, it must have “ubiquity” where it’s capable of being backwards compatible with older browsers, including mobile devices.

Overall, CAs play a vital role in how the Internet operates today by protecting information, encrypting billions of online transactions, and enabling secure communication. Without CAs, the Internet would not be as transparent and trustworthy as it is and online transactions would be more susceptible to hacks, data breaches, and phishing.

Different Flavors of Validation and How to Tell You Got the Right SSL

Of course, not all SSL certificates are created equal. To ensure that you pick the right SSL certificate(s) for your needs, it’s important to understand the main differences in regard to its validation level:

Server Gated Cryptography (SGC) SSL Certificates

To begin, let’s start with one of the original secured digital certificates - the Server Gated Cryptography (SGC) SSL certificate. SGC SSL certificates were made available from the mid 1990’s as a means to increase the cryptographic strength of the SSL connection from 40, or 56 bits, to 128 bits.

At that time, the goal was to force weakly encrypted browsers to use the stronger 128-bit encryption method for online financial transactions. Of course, times have changed and SGC browsers, such as Netscape, are obsolete. The once reliable, and unbreakable 128-bit encryption, is now susceptible to new vulnerabilities and are unable to support the ongoing revisions of SSL protocols.

Today, the standard SSL encryption is 256-bit and we recommend anyone with an SGC SSL certificate to replace it immediately with one of the other types of SSL certificates below based on their validation level and security requirements.

Domain Validated (DV) SSL Certificates

Domain Validated (DV) SSL certificates are used on public websites and are one of the cheapest certificates to get. The validation process is very simple and is typically performed via email or DNS to confirm that the domain is registered and that someone with admin rights is aware of, and approves, the certificate request.

Since no company information is vetted, the entire process can be complete almost immediately. If the certificate is valid and signed by a trusted authority, the browsers would indicate a successfully secured “Hyper Text Transfer Protocol Secure (HTTPS)” connection in the address bar.

DV certificates are ideal only to those wanting a quick and low cost SSL where organization validation is not a concern. With this in mind, an informed user may acknowledge that DV certificates do provide encryption and security as other certificates but they may still not trust the site with their personal information because no company information has been vetted as part of the validation process.

Organization Validated (OV) SSL Certificates

Organization Validated (OV) SSL certificates are more trusted because the validation process not only requires for the domain to be authenticated but also additional information and documentation to certify the company’s identity.

The CA must authenticate the company against the business registry databases held by the local government to confirm information, such as the entity’s name, city, state, and country to ensure that it’s a legitimate business. Because of this, the entire process can take anywhere from a few hours, to a few days to complete depending on the CA’s validation process.

OV certificates are considered the standard type of certificate for any commercial website because it contains all the necessary information for company validation. By giving people more visibility into who is actually behind the site when they click on the Secure Site Seal (lock icon) located on the address bar, visitors feel more comfortable sharing their personal information with the site.

Extended Validated (EV) SSL Certificates

If you’re looking to go the extra mile in keeping your website(s) safe, secured, and compliant, then Extended Validated (EV) SSL certificates is the perfect solution for you. Unlike the validation process for DV and OV certificates, getting an EV certificate is more difficult because of its strict and stringent authentication procedure that requires domain ownership and additional company documentation, along with other steps and checks. Overall, there are two main phases to the authentication process.

The first phase requires the CA to conduct thorough research to identify the legal entity that controls the website. This is done by verifying the legal, physical, and operational existence of the company. In addition to verifying that the organization’s identity matches official records, the CA must also ensure that the organization has exclusive rights to use the domain specified in the EV certificate and that it has properly authorized the issuance of the EV certificate. Typically, the CA will also obtain an attorney’s legal opinion on the validity of not only the business but also the information provided to obtain the EV certificate.

The second phase assist with enabling encrypted communication of information over the Internet between the website and the user of an Internet browser. By having processes for facilitating the exchange of encryption keys to prevent hacking, phishing and malware, organizations with EV certificates have a vehicle in place to properly address online identity fraud.

Since the validation process for EV certificates are much more in-depth, the entire process can take a few days, to even a few weeks to complete. Plus, CA’s issuing EV certificates must undergo recurring audits to ensure the integrity of the SSL certificate issued.

EV certificates are an ideal solution for businesses that wish to assert the highest levels of authenticity and security. By adhering to the strictest authentication process, any company with an EV certificate is rewarded with a visible “Green Bar” that’s clearly noticeable on any modern browser. This gives visitors and customers the utmost confidence that the site is extremely secured and compliant.

Wildcard (*) SSL Certificates

Wildcard SSL certificates secures your website similar to standard SSL certificates and the requests are processed using the same validation method. These types of SSL certificates are available for most of the validation levels (DV, OV, EV) mentioned above and can help protect an unlimited number of subdomains for a single domain.

One of the key differences is that Wildcard SSL certificates uses “Subject Alternative Names (SANs)” to secure a domain and all of its first-level subdomains. Whereas, a standard SSL certificate will only secure the domain that you bought the SSL certificate for and any subdomains will be left unprotected unless you purchase a Wildcard SSL certificate or additional SSL certificates for each subdomain.

For instance, let’s take www.SSL.com as an example. By purchasing a Wildcard SSL certificate for this domain, all you would have to do is add an asterisk (*) in the subdomain area located left to the common domain name and you can secure an unlimited number of subdomains for *.SSL.com, such as the following:

• protection.SSL.com
• safeguard.SSL.com
• security.SSL.com
• browsers.SSL.com
• internet.SSL.com

Overall, Wildcard SSL certificates is a great solution for those with multiple subdomains who want to save time, money, and to make the SSL administration process easier for securing their site. However, the drawback with Wildcard SSL certificates is that each subdomain is not individually protected. So if a certificate is revoked on one subdomain, other subdomains will be compromised and revoked as well.