What do you need to know about SSL?
SSL, or Secure Sockets Layer, is a standard security technology used to establish a secure, encrypted link between a server and a client. For example, SSL can be used between a web server and a browser, or a mail server and a mail client like Outlook and Thunderbird.
Using SSL allows your website and your visitor’s browser to transmit private, sensitive information without the worry of eavesdropping, web forgery, and data tampering.
Is the website using an SSL connection?
To know if a website is using an SSL connection, you can check it via your browser’s address bar. In the address bar, you will see a padlock before the website address. Instead of HTTP://, the website’s address will begin with HTTPS://. A website using an SSL connection can also be indicated by a green address bar.
Why is SSL important for a website?
The primary importance of installing an SSL Certificate is to initiate a secure session between a web server and a browser. Once a connection is established, the information between the web server and a site’s visitor will be kept private and secured (encrypted).
Other SSL advantages:
- Improves customer’s trust. The little padlock assures customers that their information will not be compromised. The data will be sent to the intended target servers, and it will not be redirected to unauthorized third parties. Before getting your certificate, the CA will verify your authenticity as it only distributes SSL certificates to genuine companies and businesses.
- Protects information against phishing attacks. Phishing sites are identical copies of a genuine site that aim to steal your information through that identical website. PayPal is oftentimes copied by these phishing sites. You will notice that they have the same look, but the website address is different, and it is not secured through an SSL connection. Even if this phishing site tries to purchase an SSL for their site to make it look secured, they won’t be able to do so. A validation team aids and uncovers malicious sites that shouldn’t be awarded an SSL certificate.
- Better search engine rankings. HTTPS is now considered as a ranking signal by one of the biggest search engines in the world, Google. If you’re doing optimization, you should consider getting an SSL certificate to help boost your rankings, especially for ecommerce sites.
To understand how secure SSL works on a website, here’s an easy-to-understand graphic that explains how SSL functions once implemented on a website, or simply how an ‘SSL handshake’ occurs:
Here’s how it goes:
- A browser connects to a website secured with SSL. The browser requests the server to identify itself.
- The server returns and sends a copy of its SSL Certificate and its public key.
- The browser checks the certificate root to find if it belongs from a trusted CA. It also checks if the SSL certificate is unexpired and unrevoked. Moreover, it checks if its common name is valid for the website itself.
- Once the browser confirms that it can trust the website, it creates, encrypts, and sends back a symmetric session key using the server’s public key.
- Now, the server decrypts the symmetric session key using its private key.
- In return, the server sends back an acknowledgment encrypted with the session key to start the encrypted session.
- Now, all transmitted data are now encrypted between the server and the browser through its session key.
Who issues SSL Certificates?
A Certificate Authority (CA) issues SSL certificates, along with other digital certificates. They confirm the identity and ownership of the business or company applying for the certificate.
These issued certificates are chained to a trusted root certificate owned by your chosen CA. Trusted root certificates are embedded in a “certificate store” in popular web browsers such as Firefox, Chrome, Internet Explorer, and Safari.
If you remember how does SSL work, this is how your browser counterchecks the root certificate to its recognized certificate store. In the event that a browser does not recognize the root certificate, it will warn the user that the connection is not secure. This is why we recommend purchasing an SSL certificate only from trusted CAs.
How to implement SSL on your website?
SSL is easy to set up! Once you have it installed, all you have to do is to route your visitors to use HTTPS instead of your old HTTP address. Generally, these are the steps on installing your new SSL certificate.
- 1. Select a hosting plan with a dedicated IP address
SSL certificates require you to host on a dedicated IP address. Upon registering your hosting plan, you might have opted for a shared hosting plan. If your plan does not have a dedicated IP, contact your web host for an upgrade or for other options.
- 2. Purchase a certificate from a trusted CA
Again, purchase an SSL certificate from a trusted Certificate Authority (CA) like Comodo SSL.
- 3. Activate and install the SSL certificate
If you purchased an SSL certificate from your web host, they can do this step for you. However, if you’re the administrator of the website, you can activate the SSL for yourself through your WHM or cPanel. Search for the SSL/TLS option in your dashboard. Generate your Private Key first, then click on Certificate Signing Requests (CSR). Make sure to fill out the form on the screen, with “Host to make cert for” as your domain name.
Remember to save the Signing Request code (first box of code); the CA will need this from you to properly identify your site. Activate it from your SSL issuer account, fill out the necessary fields, and wait for your certificate via email. You should receive it a .crt file.
Installing the certificate through WHM and cPanel is easy peasy through the SSL/TLS Option, but here is another guide on SSL Certificate Installation on Different Web Servers. This guide has instructions on different server software types such as Apache, Apache on Cobalt, BEA, C2Net Stronghold, Ensim, F5, Hsphere, IBM, Microsoft, Novell, Plesk, SSL Accelerator, Website Pro and Zeus.
4. Update to HTTPS
Congratulations! Your website is now on HTTPS! But wait, there’s more!
Modify your website such as your visitors are accessing the site through HTTPS. Keep in mind while it’s not necessary to serve the whole site on HTTPS, make sure that pages that collect private information are on HTTPS, such as the login page or the checkout page(s).
Different Levels of SSL Certificates
Because of the different demands of websites worldwide, SSL certificates have expanded its uses into different types of SSL. The different security levels of SSL certificates are Domain Validated certificates (DV), Organization Validated certificate (OV) and Extended Validation certificates (EV).
Each SSL has varying levels of user trust. Let’s talk about these levels of user trust and what Comodo has to offer for each level.
Domain Validated certificates (DV) provide the lowest level of validation from certificate authorities. Usually, these are automatically validated; meaning, anyone can avail these kinds of SSL certificates. Availing a DV certificate usually is faster and cheaper compared to OV and EV certificates.
Small to medium sized businesses can benefit from DV certificates if they aren’t concerned with security, due to protected internal systems, etc.
OV certificates are considered trusted websites. In applying for an OV certificate, real agents verify applications against a legitimate business registry. Websites with an OV certificate contain legitimate business information. This certificate is required on commercial or public facing website.
Example: Wildcard SSL
An Extended Validation or EV SSL offers the highest level of trust and authority to your website.
Aside from the regular padlock on your address bar, you will notice the company’s name also displayed near your website’s URL. In some browsers, the address bar turns to green.
Because of the strong guarantee that an EV SSL shows, the process to apply for this SSL is strict. A business will undergo a process where he will prove his eligibility and legitimacy in representing that business and using that domain. Prominent business websites are often targeted for phishing attacks, such as major brands, banks or financial institutions, can benefit from an EV SSL.
Any website collecting data from their users, processing logins or payments, and even eCommerce websites should use EV SSL.
Examples: Compare Different SSL Certificates
Where do I get an SSL Certificate?
To get an SSL Certificate, you should avail one from a trusted Certificate Authority. Remember how a browser checks the root certificate of a website against its own certificate store? Trusted CAs are already listed automatically in a browser’s certificate store.
Users will immediately notice if a website is using a certificate from an untrusted CA. The browser will inform the user that the connection between them and the website is not secure.
Major web browsers and operating systems like Apple, Microsoft, Mozilla, Chrome, Opera, etc., recognize and trust Comodo as a legitimate Certificate Authority that issues trustworthy SSL Certificates.
For over 14 years, Comodo SSL certificates has made it possible for different websites to have their website secured with their different demands on their level of security.
Frequently Asked Questions about SSL and SSL Certificates
Typically, you can only secure one domain or one subdomain to one SSL certificate. But if you need to secure different subdomains under one domain name, a Wildcard SSL certificate is the one you need. A Unified Communications (UC) certificate can secure several domain names in only one certificate for Microsoft Exchange 2007 or higher.
SSL can only secure the connection between a server and the client, but it has no control over the security of the server. In other words, SSL secures the transmission of information from the browser to the server. If the server or the client (user) is attacked directly, SSL has no security over them. Either implement a good IT security policy and/or install a security program on the user’s side.
It protects the information sent to you by the user from the page you have SSL or HTTPS on. It prevents 3rd parties from eavesdropping on the communication between the user and the site.
Yes, you can. A Free Trial SSL is just the same as what we provide for purchased SSL certificates. Trial SSL certificates are usually time-restricted, either for 30 days or 90 days (Comodo provides 90 days of FREE SSL).
With Comodo, we carry out a two-step validation process. We employ a stringent validation process to ensure issuance practices are followed. We may ask details about your business and your website, and more.
If we have a record of your details, we will be able to expedite your SSL application - mostly in a few minutes. However, if we think we do not have sufficient information on your business, we will take around 2 days to validate your application.