SSL Certificate FAQ: What is SSL and How does it Work?
All leading Certificate Authorities (CA), They have been helping webmasters secure their sites for years. Here's what you need to know to get started.
Q: What is SSL?
A: Secure Sockets Layer (SSL) is a protocol for enabling data encryption and site authentication on the Internet. Credit card numbers, health details and other sensitive information is transmitted only after being converted into a secure code. Domain authentication reassures site users that they're actually interacting with the site identified in the URL bar. Without SSL, online transactions would be vulnerable to interception by unauthorized parties. These hackers or identity thieves could also more easily imitate a legitimate website. SSL is most commonly used to protect communications between web browsers and servers. However, it is also used for server-to-server communications and for web-based applications.
Q: What is a Certificate Authority?
A: A Certificate Authority (CA) issues SSL certificates to organizations or individuals after completing a verification process. Each Certificate Authority has different products, prices, certificate features, and levels of customer satisfaction, but there are only a handful of things you need to look at when deciding which one to use. Because most Certificate Authorities offer products with similar features, the most important thing to compare when deciding on a Certificate Authority include customer service, price, and security reputation.
Q: What is a high assurance certificate?
A: There are two things that must be verified before you can be issued a high assurance certificate: ownership of the domain name and valid business registration. Both of these items are listed on the certificate so visitors be be sure that you are who you say you are. Because it requires manual validation, high assurance certificates can take an hour to a few days to be issued.
Q: What is a low assurance/domain-validated certificate?
A: A low assurance/domain-validated certificate is a certificate that only includes your domain name in the certificate (not your business or organization name). Certificate authorities usually can automatically verify that you own the domain name by sending an automated email to an email address listed on the domain's WHOIS record. They can be issued instantly and are cheaper but, as the name implies, they provide less assurance to your customers.
Q: What is a Wildcard SSL certificate?
A: A wildcard certificate can secure an unlimited number of first level sub domains on a single domain name. For example, you could get a wildcard certificate with *.yourdomain.com as the common name. This certificate would secure www.yourdomain.com, mail.yourdomain.com, secure.yourdomain.com, anything.yourdomain.com, etc... In other words, it will work on any sub-domain that replaces the wildcard character (*).
Q: What is an EV (Extended Validation) certificate?
A: An EV Certificate is a new type of certificate that is designed to prevent phishing attacks. It requires extended validation of your business and of the person ordering the certificate. It can take a few days to a few weeks to receive but it provides even greater assurance to customers than high assurance certificates by making the address bar turn green.
Q: How long are SSL certificates valid?
A: In general SSL certificate can be validated for terms of 1 year. You can then renew the certificate.
Q: How long does enrollment take and how soon will I be able to secure my site?
A: An SSL certificate may be issued within minutes of submitting your enrollment information as long as the information is correct and the authorized administrator responds promptly to the confirmation email. Most Certificate Authorities are using an authentication process to verify domain control validation.
Q: What is domain control validation?
A: The Certificate Authority will confirm domain control by sending an email to the administrator listed with the registrar for the domain. If the authorized administrator does not reply, a second email will be sent to an email address at the domain such as info@ or support@. (You may select a secondary email address during the enrollment process.) In addition to validation by email, you will be asked to provide a telephone number where you can be reached immediately after submitting your enrollment. If everything checks out, the SSL certificate is issued.
Q: What is data encryption and why are there different levels?
A: Encryption is a mathematical process of coding and decoding information in order to keep data secure while traveling between computers. If raw, unencrypted data is sent, anyone who intercepts the information can easily understand it. The number of bits (40-bit, 56-bit, 128-bit, 256-bit) tells you the size of the key. Like a longer password, a larger key has more possible combinations. When an encrypted session is established, the encryption level is determined by the capability of the web browser, SSL certificate, web server, and client computer operating system.
Q: How do visitors know if a website is using SSL?
A: When a browser connects to a secure site it retrieves its SSL certificate and checks that it has not expired, that it has been issued by a Certificate Authority the browser trusts, and that it is being used by the website for which it has been issued. If it fails on any one of these checks the browser will display a warning to the end user. If it succeeds, several security indicators are built into modern browsers to indicate that SSL is enabled.
The beginning of the URL or web address changes from http:// to https://
The address bar will turn green and display the name of the website owner when connecting to a website protected by an Extended Validation SSL certificate.
In addition, a trust mark such as the SSL site seal may be added to web pages on a secure site.
Q: What does browser recognition mean?
A: When a browser or operating system encounters an SSL certificate, it checks to make sure that the certificate is valid and trusted. An SSL certificate is trusted if the browser contains a corresponding pre-installed root certificate. If a browser does not contain the root certificate, a security warning will alert the end user.
Q: What is a public/private key pair?
A: SSL uses unique cryptographic key pairs: each key pair consists of a secret private key and a related public key. Information encrypted with a public key can only be decrypted with the corresponding private key, and vice-versa.
Q: What is a certificate signing request or CSR?
A: A CSR is a public key that you generate on your server according to your server software instructions. If you do not have access to your server, your web host or internet service provider will generate it for you. The CSR is required during the SSL certificate enrollment process because it validates the specific information about your web server and your organization.
Q: Do I need my own SSL certificate?
A: If your website is a collection of pictures of your goldfish Rudy and doesn’t require visitors to log in, you probably don't need SSL. If you have a login form or handle personal information or just want to look more trustworthy, then you need SSL. If you run an e-commerce website where people provide you with credit card information directly on your site, you absolutely need SSL.