What is SSL, TLS and HTTPS?
What is an SSL Certificate?
SSL stands for Secure Sockets Layer and, in short, it’s the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems, preventing criminals from reading and modifying any information transferred, including potential personal details. The two systems can be a server and a client (for example, a shopping website and browser) or server to server (for example, an application with personally identifiable information or with payroll information).
It does this by making sure that any data transferred between users and sites, or between two systems, remains impossible to read. It uses encryption algorithms to scramble data in transit, preventing hackers from reading it as it is sent over the connection. This information could be anything sensitive or personal, which can include credit card numbers and other financial information, names and addresses.
TLS (Transport Layer Security) is just an updated, more secure, version of SSL. We still refer to our security certificates as SSL because it is a more commonly used term, but when you are buying SSL from Fast SSL you are actually buying the most up to date TLS certificates with the option of ECC, RSA or DSA encryption.
HTTPS (Hyper Text Transfer Protocol Secure) appears in the URL when a website is secured by an SSL certificate. The details of the certificate, including the issuing authority and the corporate name of the website owner, can be viewed by clicking on the lock symbol on the browser bar.
An SSL certificate is installed on the server side, but there are visual cues in the browser that tell users they are protected by SSL. Firstly, if SSL is present on the site, users will see https:// at the start of the web address rather than http:// (the extra “s” stands for “secure”). Depending on the level of validation of the certificate issued to the business, a secure connection may be indicated by the presence of a padlock icon or a green address bar signal.
Google now advocates that HTTPS, or SSL, should be used everywhere on the web and, as of 2014, the search engine has been rewarding secured websites with improved web rankings, another great reason for any site to install SSL.
Transport Layer Security (TLS) is the successor protocol to SSL and an improved version of it. It works in much the same way as SSL, using encryption to protect the transfer of data and information. The two terms are often used interchangeably in the industry, although SSL is still widely used. When you buy an ‘SSL’ certificate from Fast SSL, you can of course use it with both SSL and TLS protocols.
Levels of business authentication
As well as encryption, Certificate Authorities (CAs) can also authenticate the identity of the owner of a website, adding another layer of security. The SSL certificate is then used as proof of the company’s identity. Certificates can be divided into three authentication groups, based on the level of authentication, which are:
Domain Validation (DV)
Perfect for blogs, personal websites, and Facebook apps. It does not verify the site owner information and is not recommended to be used for e-Commerce or sites that have a user login.
- Easy to activate
- Available in 15 minutes or less
- No paperwork needed
Organization Validation (OV)
Ideal for securing sites that take in customer info and require login credentials. Site owner information is verified by the Certificate Authority.
- Company information inside SSL details
- Visitors can check company/organizational information, ensuring greater user trust
- Paperwork needed
Extended Validation (EV)
Recommended for sites requiring encryption for more sensitive customer information, such as credit cards. Site owner information is more thoroughly vetted by the Certificate Authority.
- Company information inside SSL details
- Highest level of trust available
- Paperwork needed
Number of Domains Secured
Single Domain SSL
Single domain SSL certificates provide security for a single unique domain name or one subdomain. For example:
domain.com or domain.us or domain.org or subdomain1.domain.com or subdomain2.domain.com
Wildcard SSL
Wildcard SSL certificates allow site owners to provide security for multiple subdomains on a single unique domain. A wildcard SSL certificate issued to *.domain.com can be used to secure hostnames such as:
domain.com; www.domain.com; login.domain.com; mail.domain.com
Multi-Domain SSL
Site managers with multiple domains can use a multi-domain SSL certificate to secure several websites by including many domains on one certificate. It’s ideal for organizations with multiple unique domains hosted on a single server. For example:
blog.mysite.com, secure.mysite.co.uk, payment.mysite.net, blog.mysite.org
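How a client decides whether a hostname is covered by a single-domain, wildcard or multi-domain certificate, shown as an added example (not code from Fast SSL or any browser). The name lists are constructed from the examples above; the matching follows the usual rules that a wildcard stands for exactly one leftmost label, so the bare domain.com is covered only when the certificate also lists it as its own name entry, which CAs commonly add to wildcard certificates.

```python
# Added example: which hostnames a certificate's name list covers.
# The name lists below are constructed from the page's example hostnames.


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name entry against a requested hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # A wildcard stands for exactly one label, so label counts must agree.
        return False
    if p[0] == "*":
        # Wildcard is honoured only as the entire leftmost label and never
        # directly under a top-level name such as "*.com".
        # (Public-suffix checks such as "*.co.uk" are omitted here.)
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    # No wildcard (or a partial one like "w*"): require an exact match.
    return p == h


def covered(cert_names: list[str], hostname: str) -> bool:
    """True if any name entry on the certificate matches the hostname."""
    return any(name_matches(name, hostname) for name in cert_names)


def coverage_table(cert_names: list[str], hostnames: list[str]) -> dict[str, bool]:
    return {host: covered(cert_names, host) for host in hostnames}


# Constructed name lists for the certificate types described above.
SINGLE = ["domain.com"]
WILDCARD_ONLY = ["*.domain.com"]
WILDCARD_WITH_APEX = ["*.domain.com", "domain.com"]
MULTI_DOMAIN = ["blog.mysite.com", "secure.mysite.co.uk",
                "payment.mysite.net", "blog.mysite.org"]

if __name__ == "__main__":
    hosts = ["domain.com", "www.domain.com", "login.domain.com",
             "a.b.domain.com", "payment.mysite.net", "shop.mysite.net"]
    for label, names in [("single", SINGLE),
                         ("wildcard only", WILDCARD_ONLY),
                         ("wildcard + apex", WILDCARD_WITH_APEX),
                         ("multi-domain", MULTI_DOMAIN)]:
        print(label, coverage_table(names, hosts))
```

Running the same check against the name list of a certificate before deployment shows which hostnames would trigger a browser name-mismatch warning.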
How does an SSL certificate work?
The basic principle is that when you install an SSL certificate on your server and a browser connects to it, the presence of the SSL certificate triggers the SSL (or TLS) protocol, which will encrypt information sent between the server and the browser (or between servers); the details are obviously a little more complicated.
SSL operates directly on top of the transmission control protocol (TCP), effectively working as a safety blanket. It allows higher protocol layers to remain unchanged while still providing a secure connection. So underneath the SSL layer, the other protocol layers are able to function as normal.
If an SSL certificate is being used correctly, all an attacker will be able to see is which IP and port is connected and roughly how much data is being sent. They may be able to terminate the connection but both the server and user will be able to tell this has been done by a third party. However, they will not be able to intercept any information, which makes it essentially an ineffective step.
The hacker may be able to figure out which host name the user is connected to but, crucially, not the rest of the URL. As the connection is encrypted, the important information remains secure.
- SSL starts to work after the TCP connection is established, initiating what is called an SSL handshake.
- The server sends its certificate to the user along with a number of specifications (including which version of SSL/TLS and which encryption methods to use, etc.).
- The user then checks the validity of the certificate, and selects the highest level of encryption that can be supported by both parties and starts a secure session using these methods. There are a good number of sets of methods available with various strengths – they are called cipher suites.
- To guarantee the integrity and authenticity of all messages transferred, SSL and TLS protocols also include an authentication process using message authentication codes (MAC). All of this sounds lengthy and complicated but in reality it’s achieved almost instantaneously.
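The message authentication step described above, as an added example that is not part of the original page: a TLS 1.2 style record MAC (RFC 5246), where the HMAC covers a per-record sequence number as well as the data, so both modified and replayed records are rejected. The key and messages are constructed for the demonstration, encryption of the record is left out, and newer AEAD cipher suites fold this integrity check into the encryption itself.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23   # TLS record content type for application data
TLS_1_2 = 0x0303        # protocol version as it appears on the wire


def record_mac(key: bytes, seq: int, fragment: bytes) -> bytes:
    """HMAC over seq_num || type || version || length || fragment."""
    header = struct.pack("!QBHH", seq, APPLICATION_DATA, TLS_1_2, len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def protect(self, fragment: bytes) -> tuple[bytes, bytes]:
        tag = record_mac(self.key, self.seq, fragment)
        self.seq += 1               # sequence number is implicit, never sent
        return fragment, tag


class Receiver:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def accept(self, fragment: bytes, tag: bytes) -> bool:
        expected = record_mac(self.key, self.seq, fragment)
        if not hmac.compare_digest(expected, tag):
            return False            # real TLS sends a fatal alert and closes
        self.seq += 1
        return True


def demo() -> dict[str, bool]:
    key = b"constructed-demo-mac-key-32bytes"   # constructed; real keys come from the handshake
    s, r = Sender(key), Receiver(key)
    in_order = all(r.accept(*s.protect(m)) for m in (b"pay 10", b"pay 10"))
    s, r = Sender(key), Receiver(key)
    _, tag = s.protect(b"pay 10")
    tampered = r.accept(b"pay 99", tag)         # data changed in transit
    s, r = Sender(key), Receiver(key)
    rec = s.protect(b"pay 10")
    r.accept(*rec)
    replayed = r.accept(*rec)                   # same record delivered twice
    return {"in_order": in_order, "tampered": tampered, "replayed": replayed}


if __name__ == "__main__":
    print(demo())
```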
How to know if SSL is needed
The fact that Google is pushing for HTTPS across the web and prioritising sites that have an SSL certificate probably indicates just how much SSL is needed, but here are some other top reasons for getting an SSL certificate.
According to Business Insider 74% of shopping carts are abandoned but up to 64% can be recovered with better checkout security and flow. Many of these 64% are more likely to complete a purchase if they know the checkout area is secure. That’s not a number businesses can afford to ignore. Even if they’re only using SSL for their checkout area, it’s well worth it.
If sites offer membership or anything that involves collecting email addresses and other sensitive information, then SSL is a good idea. It’s always sensible to keep customer information as safe as possible.
If forms are used
The same applies if they use any kind of form where users will be submitting information, documents, or images. It is surprising how much information is collected about a site’s visitors, so it’s worth keeping it safe.
If it’s simply a blog or a standard ‘info only’ kind of site, HTTPS can help to protect the security of sites, reducing the risk of tampering and of intruders injecting ads onto the page to break user experience. Plus, it really can’t hurt in terms of search engine rankings.
Does SSL work across all devices?
In short, the answer to this question is yes, it does. Of course, there are some configurations that will not work 100%, so it can be valuable to talk with the Certificate Authority’s sales team if unsure.
Devices and operating systems
Again all of the big operating systems for computers, tablets and mobile phones are supported. However, in the case of mobiles, it might be that some older devices won’t support newer SSL or TLS protocols so it’s worth doing the research to ensure maximum compatibility. The SSL certificate provider can help with this if there are any doubts.
People use a range of different browsers (Chrome, Firefox, Safari etc) to access web content. Just as sites are created to work on all browsing platforms, SSL/TLS from a reputable provider will also work in 99% of cases. Unless users are accessing the site from very niche browsers, all the big names will be covered.
Thanks to the way SSL works, servers don’t really need to have root certificates embedded but you will need to install the corresponding intermediate certificate(s). As long as the certificate is installed correctly, it can be supported by any server. It’s up to the browser to determine if it’s trusted or not during the handshake process.