Everyone has questions about products and services, including IT professionals, ecommerce site owners, website developers and even those do-it-yourselfers who are setting up a website without professional support.
It can be surprisingly difficult to find simple, direct answers about SSL certificates. To help clear up the mystery and the confusion, here are the most commonly asked questions about data encryption and security.
SSL – What is It?
SSL, or Secure Sockets Layer, was originally developed by Netscape in the mid-1990s. It is designed to allow the web server hosting your website and the browser on a user’s computer or device to create a secure pathway to transmit encrypted data.
The encryption relies on a pair of keys. One of the keys is private and is securely maintained on your server. The other key is public. The two keys are mathematically related, which means they can only be used with each other, not with any other key.
Through this unique encryption and decryption process, data is secured from the web server to the client as well as through email systems. Data in transmission cannot be read, tampered with, forged or altered. This allows sensitive information such as personal information, credit or debit cards or even online banking to be secure, safe and trusted.
What is TLS?
TLS is the new version of SSL. It was originally deployed in 1999 and is built on the same foundation as SSL. Even though most certificates are labeled SSL/TLS, they are really TLS.
What are the Different Levels of Validation?
Different websites may have different needs for internet security protection for their clients and customers. The most basic level of validation is the domain level, where the CA verifies the applicant is the person with authority for the website.
At the organizational level, the verification covers both the applicant's authority over the website and the organization's presence. This is the most common type of certificate online.
The EV or extended validation level is the most advanced. It validates the domain and organizational level requirements and also verifies the company exists as an actual legal business entity. This is the only level of SSL that offers the full green address bar for immediate recognition of the security of the site.
Does Every Website Need SSL?
Any website that has no risk of any issues with cyber security attacks, hacking or phishing does not need SSL technology. If you stop and think about that for a minute, you will realize that data protection security is required on most websites, including blogs and social media sites. Personal information that could be used for phishing attempts is often transferred through these sites, making them a target for a cyber security data breach.
The use of SSL also helps with trust and assurance for your clients and customers. It shows that you have an awareness of information technology security and are providing the measures to promote a safe online experience. Most consumers today won’t do business through a website without the green padlock or address bar associated with SSL/TLS.
How Important is the Certificate Authority?
The Certificate Authority (CA) plays an important role in the process. The CA is the entity that is approved to provide the SSL certificate based on the information provided in your application and with the Certificate Signing Request (CSR).
The CA completes the verification process, using specific protocols and requirements to validate the information on the CSR. This can now be done in just minutes for some types of certificates and through some CAs.
The CA also has a root certificate embedded in browsers and mobile devices. This means that any certificate it issues will be trusted in that browser and device. Some CAs have up to 99.9% browser and device recognition, meaning visitors to the site will never see the unsecured site warning.
Where is the Certificate Signing Request Found?
The Certificate Signing Request is generated by your server. Depending on the type of server, it may be created through IIS (on Windows) or through OpenSSL on UNIX-based servers. This step also generates the private key, which has to stay secure and private on your server at all times.
It is also possible to generate the CSR through code. This will bring up a standard form where the applicant will need to input the specific information about the website and the business for the CA to verify.
This will include the Fully Qualified Domain Name, location, business name, contact information and other details. This is then submitted to the CA with their online application, payment and relevant documentation to obtain the certificate for installation.
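The CSR step described above, as an added example (not from the original article or from any CA): it generates the private key and CSR with OpenSSL, then confirms that the CSR is correctly signed and carries the public half of the key that stays on the server. The file names and all subject values (Example Corp, www.example.com) are constructed placeholders.

```shell
#!/bin/sh
# Added example: subject values are constructed placeholders, not real data.

# make_csr DIR FQDN: write DIR/server.key (private) and DIR/server.csr.
# -nodes leaves the key unencrypted on disk, so file permissions are its
# only protection; the subshell body keeps the umask change local.
make_csr() (
    umask 077
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/server.key" -out "$1/server.csr" \
        -subj "/C=US/ST=Example State/L=Example City/O=Example Corp/CN=$2" \
        2>/dev/null
)

# Print the subject details the CA will be asked to verify.
csr_subject() { openssl req -in "$1" -noout -subject; }

# A CSR is signed with the applicant's private key; check that signature.
# Exit status differs between OpenSSL versions, so match the message instead.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# SHA-256 fingerprint of a PEM public key read from stdin.
pubkey_fp() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# True only when the CSR carries the public half of this private key.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey | pubkey_fp)" = \
      "$(openssl pkey -in "$2" -pubout | pubkey_fp)" ]
}

# Demo in a throwaway directory.
demo_dir=$(mktemp -d)
make_csr "$demo_dir" www.example.com
csr_subject "$demo_dir/server.csr"
csr_signature_ok "$demo_dir/server.csr" && echo "CSR signature: OK"
csr_matches_key "$demo_dir/server.csr" "$demo_dir/server.key" \
    && echo "CSR public key matches server.key"
rm -rf "$demo_dir"
```

Only `server.csr` is sent to the CA; `server.key` never leaves the server.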
What is a Site Seal and Does it Matter?
The site seal is a graphic that represents the CA and is provided by the CA with the certificate files. It can be installed to display on each page of the website, providing customers with a readily identifiable confirmation of the information security on the site.
Customers will look for the site seal for the CA on websites. Some CAs provide an additional feature where mousing over the seal brings up a small pop-up of the certificate for quick and easy review.
Author Bio: Vivek Ram is a Technical Blog Writer from Comodo. He writes about information security, focusing on web security, operating system security and endpoint protection systems.