What is SSL?
SSL stands for Secure Sockets Layer, the technology used to protect information shared between a user and a web server. It safeguards any kind of sensitive data shared between two systems, which prevents others from reading or modifying the information we share on the internet.
The information can be shared between a client and a server (like entering our credit card information on an e-commerce website) or between one server and another (a system holding employees' personal details or payroll information).
We can identify whether a website has SSL by checking its URL. If a website has an active SSL certificate, its URL will contain “HTTPS”. Websites without SSL will have only “HTTP”, and it is very unsafe to enter any personal information or credit/debit card information there since the data is not encrypted by SSL.
In the URL bar, we can see “Not secure” if the website does not have an SSL certificate, and a lock icon if it does.
Websites without SSL (unencrypted websites) pass data as plain text, which can be read by anyone who is watching the web traffic.
SSL or TLS
SSL is the predecessor of the TLS protocol, which stands for Transport Layer Security. In other words, TLS is an updated and more secure version of SSL. Way back in 1995, SSL was used to provide encryption between two systems.
But over time, the Internet Engineering Task Force (IETF) proposed an update to SSL, and since Netscape was not involved, the name was changed from SSL to TLS. There was no major difference between the final version of SSL and the initial version of TLS.
SSL and TLS are often confused with one another. Many still refer to their encryption certificates as “SSL Certificates” or “SSL/TLS Encryption” because of SSL’s name recognition. The name change from SSL to TLS was made mainly to signify the change in ownership.
Is SSL up to date?
SSL has not been updated since 1996 and is now deprecated. The SSL protocol has more vulnerabilities and is not recommended by security experts. Even modern web browsers don’t support SSL certificates anymore.
TLS is the up-to-date encryption protocol and the one predominantly used today, even though it is often referred to as “SSL encryption” due to the popularity of the SSL name.
We can still see many vendors offering TLS encryption under the SSL name, regardless of the fact that TLS is the encryption that has been used in the industry for more than 20 years.
This is because many people still search for the term “SSL” rather than “TLS”, which in turn keeps the SSL term featured prominently on product pages.
How does SSL work?
Whenever a web browser reaches a website, it checks the SSL certificate for that website. If SSL is present, an SSL handshake happens.
The SSL handshake is an authentication process between two systems that ensures privacy and data integrity between them before they go on to share information. That information may include login details, personal information of individuals, payment details such as credit/debit card numbers, or any other kind of information that needs a lot of security while being shared over the internet.
- During the SSL handshake, two keys, a private key and a public key, handle the encryption and decryption.
- The SSL handshake confirms whether the website is authenticated and is safe to transfer data to.
- Once the SSL certificate is confirmed, a session key is created by the client and the server.
- Finally, a secure connection is established after the SSL handshake.
- The data can now be safely shared across the internet.
SSL encrypts the data so that even if anyone intercepts it, they see only a mix of characters that is very hard to decrypt.
SSL certificates work on public key cryptography. There are two types of keys: a private key and a public key. The private key is owned by our server, which encrypts the data sent from our server. The data is then decrypted by the public key at the receiver's end.
Types of SSL Certificates
SSL certificates are generated and issued by a Certificate Authority (CA). There are six types of SSL certificates. They are as follows:
Extended Validation Certificate:
The Extended Validation Certificate (EVSSL) is the highest-ranking but also the most expensive certificate.
EVSSL certificates can be used in all kinds of applications where added trust and strong security are needed.
For EVSSL, the Certificate Authority (CA) checks the website's right to own its domain and also carries out a thorough identification process to confirm its ownership of the domain.
Organization Validation Certificate:
The Organization Validation Certificate (OVSSL) mainly encrypts sensitive data during transactions. It comes next after EVSSL in cost.
Similar to EVSSL, the Organization Validation Certificate is also used to validate business credibility.
To obtain one, website owners have to complete a substantial validation process administered by the Certificate Authority (CA).
OVSSL certificates are mainly required by commercial apps which store customer information.
Domain Validation Certificate:
Domain Validation Certificates have low assurance and minimal encryption when compared to other SSL certificates. Hence the validation process to obtain this certificate is also very minimal.
Since these certificates are the least expensive and very easy to obtain without going through a tedious process, they are used by blogs and other informational websites which are not required to provide any assurance to visitors.
Wildcard SSL Certificate:
Wildcard SSL certificates are available as both Organization Validated and Domain Validated and are used to secure a base domain and unlimited subdomains.
Buying a Wildcard SSL Certificate is cheaper than buying multiple single-domain certificates.
A Wildcard SSL certificate has an asterisk as part of its common name, which represents any valid subdomain of the same domain.
Users can purchase either Organization Validated or Domain Validated Wildcard Certificates based on their business needs.
Multi-Domain SSL Certificate:
A Multi-Domain SSL Certificate can secure multiple domain names (up to 100 different domain names) and subdomains using a single certificate. This will surely save a lot of time and money.
Domain Validated, Organization Validated, Extended Validated, and Wildcard certificates can be upgraded to secure multiple domains.
Unified Communications Certificate:
Unified Communications Certificates (UCC) are also considered Multi-Domain SSL Certificates and have the same benefits. Unified Communications Certificates can be used as Extended Validated SSL certificates.