Information is everything these days and if you have a website which stores or transmits customer data it is your responsibility to keep that data safe from would-be hackers, cons and the NSA (good luck with the last one!).
Securing your WordPress website is a great first step – read our WordPress Security Best Practices post, but how do you protect the data when it’s being transmitted between your website and the customer or another server?
By default the internet largely sends information in plain-text; that is, unencrypted. Data being transmitted between computers can easily be intercepted and if it’s not encrypted then Mr Hacker has just hit the jackpot.
Think about how many on-line forms you filled in last week. Perhaps it was a support form for a product you bought which now isn’t working, or you’re looking for a new house and registered with a property search site.
Surely you do banking and purchase stuff on-line?
How much of your personal and sensitive data are you entering into these forms? Name, DoB, house address, work phone, mobile phone, mother's maiden name?
You’re a wise one though and always check that the form you’re filling in is secure – you know – that little green padlock in the address bar – yes?
Green padlock = your data is being transmitted securely.
As a website owner, now it’s your turn to make sure that the same confidential data your customers are filling out on your website is transmitted safely and securely to wherever it is going.
Welcome to the wonderful world of SSL certificates.
If you need your website to transmit secure customer data and give your customers the security of knowing that, you’ll need to encrypt it and that is done by installing an SSL certificate on your website.
So, now you know that you need to purchase an SSL certificate (SSL cert) to keep your website data transmissions secure, but which one should you choose?
What Are SSL Certs?
Put simply, an SSL cert contains the key a web server uses to encrypt and decrypt data transmissions between itself and other computers. So rather than plain-text data being transmitted, if any would-be hacker did intercept your website data transmissions it would just look like gobbledygook. Happy days!
Ninja Facts: What does SSL stand for?
Note: the SSL protocol has since been replaced by TLS, but the old name has kind of stuck. In 2014, SSL v3.0 (introduced in 1996 but still enabled on many servers as a fallback) was used in the POODLE attacks.
The SSL cert also tells the browser which website it has been issued for, and lets the browser verify that.
So if you are visiting limecanvas.com, the SSL cert verifies that the website you are at is really limecanvas.com and not some hacker posing as 1imecanvas.com (did you spot the number 1 in the last domain name?).
SSL certs can be purchased from some Internet Service Providers (ISPs) or specialist security/telco companies and then have to be installed on the server which is hosting your website.
If a certificate is installed on a web server, it is used when a page is visited using https:// instead of the regular http:// protocol (the s standing for secure).
Most SSL certificates also come with a warranty value from the issuing company.
This means that if your encrypted data got stolen and the hacker managed to decrypt it, the company which issued your SSL will have to reimburse you up to the value of the warranty associated with the SSL cert.
Pending proof and likely court case.
But it's good insurance to have, as you can imagine the horrible outcome for your business that would result from customer data theft, especially if it wasn't your fault!
Huh – 2048 or 256 bits?
The 2048 bits refer to the RSA key pair in the cert: RSA keys are mathematical objects which include a big integer, and a "2048-bit key" is a key whose big integer is larger than 2^2047 but smaller than 2^2048.
The 256 bits refer to the SSL session. In SSL, the server key is used only to transmit a random 256-bit key (that one does not have mathematical structure; it is just a bunch of bits).
The cert encryption process is something like this. The client generates a random 256-bit key, encrypts it with the server's RSA public key (the one which is in the server's certificate and is a "2048-bit key"), and sends the result to the server. The server uses its private RSA key to reverse the operation, and thus obtains the 256-bit key chosen by the client. Afterwards, client and server use the 256-bit key to do symmetric encryption and integrity checks, and RSA is not used any further for that connection.
Breaking the encryption keys in an SSL cert using a brute force attack would require a huge amount of computing power to try all the different combinations. The NSA is likely exempt though 😛
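To make the 2048-versus-256 split concrete, here is an added Python example (my own code, not from the original post) that builds a toy version of the exchange just described: it generates an RSA key pair whose modulus really does lie between 2^2047 and 2^2048, has a "client" wrap a random 256-bit session key with the public key, has the "server" unwrap it with the private key, and then protects a record with that session key alone, RSA playing no further part. The RSA step is textbook RSA without padding and the symmetric cipher is an HMAC-SHA256 keystream standing in for AES; both are simplifications for illustration (real TLS uses padded RSA or, since TLS 1.3, ephemeral Diffie-Hellman key agreement instead of RSA key transport). All function names and the sample record are assumptions of this example.

```python
import hashlib
import hmac
import math
import secrets

# Small primes for quick trial division before the Miller-Rabin test.
SMALL_PRIMES = [p for p in range(3, 2000, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (probabilistic; error chance below 4**-rounds)."""
    if n < 4:
        return n in (2, 3)
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a is a witness: n is composite
    return True


def random_prime(bits):
    """Random prime of exactly `bits` bits; top two bits set so p*q has full size."""
    while True:
        candidate = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_rsa_keypair(bits=2048, e=65537):
    """Return ((n, e), (n, d)); n is the 'bits'-bit modulus the text talks about."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    assert n.bit_length() == bits                 # i.e. 2**(bits-1) < n < 2**bits
    d = pow(e, -1, phi)                           # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def client_key_transport(server_public_key):
    """Client side: choose a random 256-bit session key and RSA-encrypt it."""
    n, e = server_public_key
    session_key = secrets.token_bytes(32)         # 256 bits, no mathematical structure
    m = int.from_bytes(session_key, "big")
    return session_key, pow(m, e, n)              # textbook RSA, no padding: demo only


def server_recover_key(server_private_key, ciphertext):
    """Server side: RSA-decrypt with the private key to get the same 256-bit key."""
    n, d = server_private_key
    return pow(ciphertext, d, n).to_bytes(32, "big")


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode, standing in for a real cipher such as AES.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]


def protect_record(session_key, nonce, plaintext):
    """Encrypt-then-MAC one record using keys derived from the 256-bit session key."""
    enc_key = hmac.new(session_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(session_key, b"mac", hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_record(session_key, record):
    """Check the integrity tag before decrypting; a tampered record is rejected."""
    enc_key = hmac.new(session_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(session_key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = record[:8], record[8:-32], record[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    public, private = generate_rsa_keypair(2048)
    key, wrapped = client_key_transport(public)
    assert server_recover_key(private, wrapped) == key
    record = protect_record(key, secrets.token_bytes(8), b"name=Alice&dob=1980-01-01")
    print(open_record(key, record))
```

Generating the 2048-bit key pair in pure Python takes around a second; everything after that is fast, which is exactly the point of the design: the expensive asymmetric operation happens once per connection, and the cheap symmetric key does all the bulk work.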
Just like domain names and hosting, SSL certs are certified for a minimum of 1 year and have to be renewed, reissued and reinstalled on the server for each renewal cycle you have chosen to purchase.
So to sum up what an SSL cert does:
- Encrypts data transmissions to and from your website using https://
- Assures your visitors that they are indeed on the real site and not a spoof one
Which Type Of SSL Cert To Use
There are generally three types of SSL certs available.
Domain Validation (DV)
These types of certificates are usually the simplest to get and generally the cheapest. They provide an SSL cert for a single domain such as www.example.com.
Note: if you also need an SSL to cover multiple subdomains such as host1.example.com and apps.example.com you will likely need to look at getting a wildcard SSL cert.
A Domain Validation SSL certificate is usually issued after proof of domain ownership has been demonstrated.
The SSL issuing company, often known as the Certificate Authority (CA), will usually send an email to the administrative address stored in the WHOIS record of the domain.
Once the domain owner responds to the CA email, the SSL cert is usually issued there and then – this is largely an automated process.
In this case, when the SSL cert is installed and being used the web browser will show a padlock but won’t show the company name as this has not been checked and validated.
The Lime Canvas website runs on a DV SSL cert and shows the green padlock but not the Lime Canvas name in the green bar. You have to click on the padlock to see that the domain is verified by the SSL cert.
DV certs usually come with an ~$10,000 USD warranty from the CA. This is protection for you in the unlikely chance that hackers manage to steal and decrypt your SSL cert encrypted data.
You Got No Green Padlock Guys!
Those who have a keen eye will likely notice that if you visit the Lime Canvas homepage using SSL we don’t have a green padlock. Why? Does that mean it’s not secure?
Yes and no.
Yes it is using the https protocol and that is encrypting transmissions securely – yay.
No in that there are elements on the web page which are being called from http (i.e. not the secure https). These elements aren’t being encrypted.
Using an SSL cert for an ecommerce checkout page is the norm now, but using SSL for general web page browsing is still a relatively new idea. It's much easier to make sure that a single page has all its links pointing to https than it is for an entire site.
Not wanting to get sidetracked too much, the short answer is that some WordPress plugins and core functions don’t check to see if the client is browsing in https mode and just spit out http URLs. It only takes one http request in the source of a web page to stop the green padlock from showing. Click on the padlock and the browser will tell you as much.
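Because a single http:// sub-resource is enough to lose the padlock, it helps to find such resources in the page source before a browser does. The following is an added Python example (my own code, not from the original post or from WordPress): a small scanner over a constructed SAMPLE_PAGE that reports tags whose src, href or srcset use an explicit http: scheme. It ignores plain <a> links (following a link is not mixed content), relative paths and protocol-relative //host URLs (both inherit https from the page), and labels each hit as active content (scripts, stylesheets, frames, plugins, which browsers block outright) or passive content (images and media, the classic "no padlock" case).

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make the browser fetch a sub-resource, with the
# mixed-content class browsers assign to them.
RESOURCE_ATTRS = {
    "script": (("src", "active"),),
    "iframe": (("src", "active"),),
    "object": (("data", "active"),),
    "embed":  (("src", "active"),),
    "link":   (("href", "active"),),      # only rel="stylesheet" is checked below
    "img":    (("src", "passive"), ("srcset", "passive")),
    "source": (("src", "passive"), ("srcset", "passive")),
    "video":  (("src", "passive"), ("poster", "passive")),
    "audio":  (("src", "passive"),),
}


def _urls(attr, value):
    """srcset holds several "url descriptor" pairs; every other attribute one URL."""
    if attr == "srcset":
        return [part.strip().split()[0] for part in value.split(",") if part.strip()]
    return [value.strip()]


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []                 # (line, tag, attr, url, kind)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:    # canonical/alternate links are not fetched
                return
        for attr, kind in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            for url in _urls(attr, value):
                # Only an explicit http: scheme is a problem; "" covers relative
                # paths and protocol-relative "//host/path" URLs.
                if urlsplit(url).scheme.lower() == "http":
                    self.findings.append((self.getpos()[0], tag, attr, url, kind))


def find_mixed_content(html):
    """Return every http: sub-resource reference in the page, in source order."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def padlock_possible(html):
    """True only if no sub-resource at all is requested over plain http."""
    return not find_mixed_content(html)


# Constructed sample page: two problems (line 5 and line 10) among harmless URLs.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://www.example.com/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://www.example.com/">
<script src="http://www.example.com/wp-includes/js/jquery/jquery.js"></script>
<script src="//cdn.example.net/plugin.js"></script>
</head><body>
<a href="http://www.example.com/about/">About us</a>
<img src="/wp-content/uploads/logo.png" alt="logo">
<img src="http://www.example.com/wp-content/uploads/banner.jpg" alt="banner">
<iframe src="https://www.example.com/embed/map"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for line, tag, attr, url, kind in find_mixed_content(SAMPLE_PAGE):
        print(f"line {line}: <{tag} {attr}> {url} ({kind} mixed content)")
```

Run it against a saved copy of your own page source (view-source in the browser, or curl the https URL) and fix every reported line; the script-tag hit is the kind the text blames on plugins that emit http URLs regardless of how the visitor arrived.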
Organisational Validation (OV)
These types of certificates often take a while to be issued because the CA will make multiple checks to verify that your company is a valid company as well as owner of the domain you want the SSL cert for.
The CA will require proof to validate the company name, domain name and contact details via various online public databases.
Because of the additional (and likely manual) checking, the cost of OV SSL certs is often a lot more than that of DV SSL certs.
When purchasing these types of certs, you will often also be given a "Secure Site Seal". This is usually in the form of a logo from one of the major recognised CAs and sometimes a URL link which points to the validation information that the CA has collected.
Secure Site Seals are usually placed on your website to give additional confidence to your website visitors. If there's a click through to validate the company information, that's a bonus for you.
e.g. [Image: Comodo Secure Site Seal]
Visually, OV certs don't look any different in the web browser address bar from DV certs, but they usually do come with a larger ~$50,000 USD warranty value against data decryption and theft.
Extended Validation (EV)
These types of certificates are the most expensive. The CA undertakes a very detailed check of your company. On top of the same checks done for OV, the CA will likely ask the owner for proof of the legal entity that controls the website. This could include bank statements and public company tax returns for Limited companies and large incorporations, verification of physical address, jurisdiction of registration or incorporation, company registration number/details and any other related information that will help it to validate your company.
By providing more reliable third-party verified identity and address information regarding the business, EV certs help to make it more difficult to mount phishing or identity fraud attacks by providing companies with a tool to better identify themselves to users.
Because of the extensive vetting, the issuing of EV SSL certs takes a lot longer than any of the others. That said, they do usually come with the largest warranty value, ~$1.75m USD, against data decryption and theft.
The advantage of obtaining this type of cert is that your company name will appear in the green bar, giving your visitors a strong visual guide to validate that they are on the correct site. Here's PayPal's website address bar as it appears in the Chrome browser – note the addition of "PayPal, Inc. [US]" alongside the green padlock and the confirmation that this is an EV cert.
This is the minimum certificate recommended for ecommerce transactions as it provides the consumer with additional information about the business.
Note: Different browsers have different ways of displaying SSL certs in their address bars. They mostly all use green in some context.
CA Provider & Domain Type
Great, you’ve decided on which type of SSL to go for; DV, OV or EV. But there are a few more things you need to decide on before final purchase:
There are three types of SSL cert that can be issued depending on which type of domain(s) you need the cert for. There will be a price difference depending on which case you need the cert for.
- Single domain
This is usually the cheapest option and will issue a cert for www.example.com only. So anything other than "www.example.com" typed into the web browser will not activate the SSL cert.
Fine for those who have a single website.
- Multiple domains
This is usually the medium price option and is ideal if you have a large number of different domains (typically up to 100) that you want to bring together under a single SSL cert.
e.g. www.mycompany.com, www.mycompany.org, www.mycompany.net, www.mycompany-app.com, www.spinoff.biz
If you host multiple sites on a VPS and want to give your clients cPanel access through their respective domain names, this is the server cert you’ll need.
- Wildcard domains
This is usually the most costly option. It gives you the ability to certify any subdomain under a main domain. They are issued to *.example.com with * being any subdomain name you choose.
e.g. server1.example.com, server2.example.com, tasteycheeseapp.example.com
If you have a staging server where you set up client testing on a particular subdomain, this is a useful cert to have.
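The three domain types above come down to how a browser matches the hostname it was given against the names in the certificate. The following is an added Python example (my own code, not from the original post) implementing the simplified matching rule browsers apply: an ordinary name must match exactly (case-insensitively), and a wildcard is allowed only as the whole leftmost label, matching exactly one label. The SINGLE_DOMAIN_CERT, MULTI_DOMAIN_CERT and WILDCARD_CERT name lists are constructed from the examples in the text, and the function names are assumptions of this example.

```python
def name_matches(cert_name, hostname):
    """Does one certificate name (CN or Subject Alternative Name) cover hostname?

    Simplified browser rule: exact match for plain names; a wildcard only as the
    entire leftmost label, matching exactly one label, never the parent domain.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if cert_labels[0] != "*" or any("*" in label for label in cert_labels[1:]):
        return False                      # "www.*.com" or "ser*.example.com": rejected
    if len(cert_labels) < 3:
        return False                      # "*.com" would cover every .com site
    return len(host_labels) == len(cert_labels) and host_labels[1:] == cert_labels[1:]


def certificate_covers(cert_names, hostname):
    """True if any name listed in the certificate matches the requested host."""
    return any(name_matches(name, hostname) for name in cert_names)


# Constructed name lists for the three cert types described in the text.
SINGLE_DOMAIN_CERT = ["www.example.com"]
MULTI_DOMAIN_CERT = ["www.mycompany.com", "www.mycompany.org", "www.mycompany.net",
                     "www.mycompany-app.com", "www.spinoff.biz"]
WILDCARD_CERT = ["*.example.com"]


def which_certs_cover(hostname):
    """Name each constructed cert that would be valid for this hostname."""
    certs = {"single": SINGLE_DOMAIN_CERT, "multi": MULTI_DOMAIN_CERT,
             "wildcard": WILDCARD_CERT}
    return [label for label, names in certs.items() if certificate_covers(names, hostname)]


if __name__ == "__main__":
    for host in ["www.example.com", "example.com", "server1.example.com",
                 "dev.app.example.com", "www.mycompany.org"]:
        print(f"{host:25} covered by: {which_certs_cover(host) or 'nothing'}")
```

Two results worth noticing: the single-domain cert for www.example.com does nothing for a visitor who types example.com, and *.example.com covers server1.example.com but neither the bare example.com nor a two-level name such as dev.app.example.com. Many CAs add the bare domain as an extra Subject Alternative Name on a wildcard cert, but check the names actually listed in the certificate rather than assume it.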
Re-signing & Reissues
Reissuing is the ability to re-sign and reissue your SSL certificate. You will find that some of the very cheap SSL certs don't offer this, so you get issued with the SSL cert once and that's that until it expires. If you need it reissued you'll have to pay the issuer to do that.
Sometimes reissuing an SSL cert before the normal expiry is necessary. An example of this was the 2014 POODLE vulnerability. It was possible for hackers to read the unencrypted server key. This led to all server administrators having to re-sign, reissue and reinstall server SSL certificates as the current ones could have become compromised.
So look at the description of the SSL certs on offer and decide whether you want to pay a little bit more to have the ability to resign and reissue your certs whenever you need to.
Issuing Certificate Authority
Lastly (I promise!) some issuers allow you to choose which of many different certificate authorities issues your SSL cert. Essentially, you're paying for branding or "the name" of the CA, so that when a customer visits your secured site they recognise that particular CA and associate it with being safe.
Some of the top CAs are: Thawte, GeoTrust, Comodo, RapidSSL, Symantec (bought VeriSign), GlobalSign, Go Daddy and DigiCert. There are hundreds more.
How To Use Your SSL Certificate
Ok you have your SSL cert – now what?
Once your SSL certificate has been issued to you it will need to be installed on the server and the website domain(s) that your SSL cert is intended for.
Most ISPs will happily bill you for this installation service.
If you have your own unmanaged VPS you will need to install the certificates manually. Once you know what to do, it’s a 10 min job and the certificate is ready to use instantly.
Have you bought or installed an SSL cert? What was your experience like?
Leave a comment below.