How SSL Works
With all the reasons you might want an SSL certificate, let’s discuss a little bit about how SSL actually works behind the scenes, without getting too technical.
When a browser requests an HTTPS page, there’s a process between the browser and the web server known as a “handshake.”
This handshake involves the server sending its certificate, the browser checking that certificate’s authenticity, and the two sides agreeing on the keys that will encrypt the rest of the conversation.
Here are the steps, in outline:
- The client opens the connection and announces which protocol versions and cipher suites it supports (the “ClientHello”).
- The server picks the parameters and sends its certificate, along with any intermediate certificates needed to link it to a root.
- The client validates the certificate: the signature chain leads to a CA it trusts, the certificate is within its validity dates, and the name in it matches the site being visited.
- The two sides agree on a shared secret. In the older RSA key exchange, the client encrypts a “pre-master secret” with the public key from the certificate and the server decrypts it with its private key; modern TLS uses an ephemeral Diffie-Hellman exchange instead, and the server’s private key is used only to sign it.
- Both sides derive session keys from that secret and switch to encrypted traffic.
Only the server normally identifies itself. The client sends a certificate of its own only when the server asks for one (mutual TLS), which is rare on public websites.
Think of the browser as a convenience store clerk and the server as someone who’s trying to buy a case of beer. The clerk is obligated to check the ID of anyone trying to buy alcohol, so they ask the patron to provide it. The clerk then checks that the ID is authentic, that it hasn’t expired, and that the photo matches the person holding it.
Let’s See Some ID
The browser has a list of pre-approved CAs (its trust store) that it uses to decide whether a certificate is valid. After the browser accepts the certificate and the two sides agree on keys, a secure session is established. This whole exchange is the “handshake.”
This is obviously a simplified example, but it should give you a basic idea about how it actually works.
Public key encryption
It’s a little more complicated behind the scenes. SSL makes use of public-key cryptography, a major breakthrough dating back to the 1970s. The server holds a key pair: a public key and a private key. The certificate is the public key bundled with the server’s domain name and the CA’s signature, and the server does send it to every client that connects.
The public key is the one that gets passed around, inside the certificate. It is mathematically matched to the private key, which stays on the server and is never transmitted. Doing it this way means the certificate can be copied freely without risk; only the private key needs protecting, because anyone who obtains it can impersonate the site until the certificate is revoked and replaced.
To actually get a certificate, you generate a key pair on your server and then create a Certificate Signing Request (CSR). The CSR contains your public key and the domain name you want the certificate for, signed with your private key to prove you hold it; that is what you submit to the CA. The private key itself is never included in the CSR and never leaves your server.
Much as an ID is issued by a state or national government, there are various Certificate Authorities (CAs) that will “sign” a certificate, vouching for its authenticity after checking that you control the domain.
The CA signs your public key and domain name into the certificate it returns; the private key stays on your server. Some of the best-known CAs are Comodo (now Sectigo), DigiCert, GoDaddy, and GlobalSign.
It is possible to “self-sign” a certificate, but a browser has no CA in its trust store to vouch for it, so when a user visits the site they get a full-page warning that the connection is not private. The user can usually click through it, but not if the site has enabled HTTP Strict Transport Security (HSTS), in which case the browser refuses the connection outright. Self-signed certificates are fine for internal testing, where you control the clients and can install your own root in their trust stores; they are not usable for a public site.
With all the cyberattacks around, browser makers figure they can’t be too careful.
How To Get Certificates
Since fewer people actually manage their own web servers these days, it’s more likely your web hosting company will take care of this for you. Your hosting provider will also likely offer a certificate, perhaps even throwing one in free as a perk of service.
If you need one, there are third parties that will be happy to sell you a certificate.
We’ll look at the various options you have for certificates later on.
Types of SSL Certificates
We’ll now take a look at the types of SSL certificates that are available.
First, let’s look at the components of an SSL certificate.
While we’ve been speaking of a single SSL certificate, there are actually at least three certificates involved, forming a chain.
The first one is the root certificate. This is the CA’s own certificate: it is self-signed, ships pre-installed in browser and operating system trust stores, and its private key is kept offline and used as rarely as possible.
The second is the server (or “leaf”) certificate. If the name isn’t too obvious, this certificate is the one that’s installed on your web server, and the only one whose private key you hold.
To tie these two together, one or more intermediate certificates are used. An intermediate is signed by the root and in turn signs server certificates, so the root key never has to touch day-to-day issuance. Your server must send the intermediate(s) along with its own certificate during the handshake; forgetting to install them is the most common cause of “untrusted certificate” errors that show up in some browsers and not others, because the client has only the root in its store and cannot build the path on its own.
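As an added example that is not part of the original article, the following shell script uses the openssl command line to build the three-tier chain just described and to go through the key pair and CSR steps from the earlier section: it creates a root, an intermediate signed by the root, and a server key and CSR that the intermediate signs, then verifies the server certificate with and without the intermediate. All names (Example Root CA, www.example.test and so on) are constructed for the demo, and it assumes an OpenSSL 1.1.1 or later command line is installed.

```sh
#!/bin/sh
# Added example (not from the original article): a private three-tier chain,
# root -> intermediate -> server, built with the openssl CLI. Every name here
# (Example Root CA, www.example.test, ...) is constructed for the demo.
# Assumes an OpenSSL 1.1.1+ command line is installed.
set -eu

build_chain() {            # build_chain <dir> <server-hostname>
  dir="$1"; host="$2"
  mkdir -p "$dir"

  # 1. Root CA: a key pair, a CSR, and a self-signed certificate marked CA:TRUE.
  #    A real root's private key is kept offline; only its certificate is
  #    distributed, pre-installed in browser and OS trust stores.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/root.ext"
  openssl x509 -req -sha256 -days 3650 -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/root.ext" -out "$dir/root.crt" 2>/dev/null

  # 2. Intermediate CA: its own key pair and CSR, signed by the root.
  #    pathlen:0 lets it sign server certificates but not further CAs.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/int.ext"
  openssl x509 -req -sha256 -days 1825 -in "$dir/int.csr" \
    -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$dir/int.ext" -out "$dir/int.crt" 2>/dev/null

  # 3. Server: the site operator's part. Generate a key pair, write a CSR that
  #    carries the public key and hostname, send the CSR (never the key) to the
  #    CA, and get back a certificate signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" \
    > "$dir/server.ext"
  openssl x509 -req -sha256 -days 90 -in "$dir/server.csr" \
    -CA "$dir/int.crt" -CAkey "$dir/int.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# A CSR is signed with the requester's private key; the CA checks that
# signature to know the requester holds the key matching the public key inside.
csr_is_valid() {           # csr_is_valid <dir>
  openssl req -in "$1/server.csr" -noout -verify >/dev/null 2>&1
}

# What a client does when the server sends its certificate AND the intermediate:
# the chain links back to a root in the trust store (-CAfile), so it verifies.
verify_with_intermediate() {    # verify_with_intermediate <dir>
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/server.crt" >/dev/null 2>&1
}

# The classic misconfiguration: the server sends only its own certificate. The
# client knows the root but has no path from it to the server cert, so this fails.
verify_without_intermediate() { # verify_without_intermediate <dir>
  openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

# Sanity check after installing on a web server: the private key must match the
# public key embedded in the certificate.
key_matches_cert() {       # key_matches_cert <dir>
  [ "$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$1/server.crt" -pubkey -noout 2>/dev/null)" ]
}

# Usage:
#   d=$(mktemp -d) && build_chain "$d" www.example.test
#   verify_with_intermediate "$d"    && echo "full chain: OK"
#   verify_without_intermediate "$d" || echo "leaf only: fails (missing intermediate)"
```

The `verify_without_intermediate` failure is exactly what a visitor sees when a host installs the leaf certificate but not the CA bundle; the fix is to configure the server to send the intermediate together with the leaf, not to add the intermediate to clients.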
Now we’ll look at the types of certificates that you can get.
This type is less commonly used on the public web: it is the certificate installed on a proxy server, for example one a company uses to inspect and filter incoming and outgoing internet traffic. A proxy that inspects HTTPS traffic has to terminate the TLS connection and re-encrypt it with certificates it issues on the fly, which only works if the proxy’s own CA certificate has been installed in the trust store of every client machine behind it; that is why such interception is practical on a managed corporate network and nowhere else.
It might also be used by people who want to disguise the origin of their web traffic, for instance to reach resources that are blocked in their country.
A shared certificate is, as the name suggests, shared among different people.
In the context of a web hosting provider, this might be among the customers on a particular physical server or across an entire hosting provider, at least the ones that don’t have their own certificates.
They’re most common on shared hosting plans. As with shared hosting itself, they’re best suited to people who are just starting out on the web or running a website as a hobby.
If you’re content with running a smaller website and aren’t planning on actually selling anything over the web, you would probably be happy with a shared certificate.
|SSL Type|Website Size|Visitors|Website Type|
|Shared SSL|Small to medium sites|Low volume|Leisure or hobby|
|Free Private SSL|Small to medium sites|Moderate volume|Serious, non-e-commerce|
|Paid Private SSL|Larger or growing e-businesses|High volume|E-commerce or affiliate|
Free SSL Certificates
Is it possible to get an SSL certificate for free? You might think this is too good to be true, but it’s more of a reality each day.
Where To Get Free SSL Certificates
There are two types of free SSL certificates: free certificates from your provider or certificates from Let’s Encrypt, mentioned later in this article.
A certificate from your provider might be a shared certificate mentioned earlier or one dedicated to your website under a dedicated hosting plan.
From Your Hosting Provider
It’s becoming more common for providers to offer free SSL certificates. A lot of providers are participating in the Let’s Encrypt project. Since it costs them next to nothing, it makes a lot of sense for providers to give them away.
A project sometimes mentioned alongside it is CAcert, a community-run CA that also issues certificates for free. The important difference is that CAcert’s root is not included in the major browser trust stores, so a CAcert certificate produces the same warning as a self-signed one; it is not an alternative to Let’s Encrypt for a public website, and it does not use Let’s Encrypt’s automated issuance protocol.
What About Let’s Encrypt?
Let’s Encrypt is a project to get websites to use HTTPS as much as possible. This move comes out of a concern over internet privacy in the wake of cyberattacks and revelations of internet surveillance by the US National Security Agency, including spying on key allies.
One barrier to widespread use of HTTPS has been the cost of SSL certificates, in both money and administrative time, which put them out of reach of smaller website operators. In the past, HTTPS was used mainly on e-commerce pages to protect credit card details in transit.
Let’s Encrypt is supported by many major hosting providers and other internet companies.
How Let’s Encrypt Works
Let’s Encrypt works by installing a client program on the web server that speaks the ACME protocol (Certbot is the best known). The client proves control of the domain, for instance by serving a token that the CA fetches over HTTP, and receives a certificate valid for 90 days. That might seem short, given that paid certificates have traditionally run for a year or more, but the client renews it automatically without human intervention, on a schedule that retries well before expiry. The short lifetime also limits the damage if a private key is compromised and revocation is not honoured by clients.
The success of the project can be measured by the number of websites using HTTPS over plain old HTTP. It seems that almost every major website uses HTTPS by default these days.
Who’s Using Let’s Encrypt?
If you check the certificates of the sites you frequently visit, you might be surprised by who’s using free SSL certificates generated by Let’s Encrypt.
Major sites like Mashable and PC Gamer magazine are using Let’s Encrypt.
Those sites have a readership of techies, but it shows the rapid acceptance of Let’s Encrypt and free SSL certificates. Let’s Encrypt jumped into the top 10 certificate authorities in a May 2018 survey by W3Techs.
IdenTrust occupied the top spot in that survey largely because it cross-signed Let’s Encrypt’s intermediate at the time, so Let’s Encrypt certificates were counted under its root. (That cross-signature, from the DST Root CA X3 certificate, expired in September 2021; Let’s Encrypt now chains to its own ISRG Root X1, which is in every current trust store.) Either way, it shows you how quickly Let’s Encrypt is spreading.
Since a lot of web hosting providers are participating in the project, their free SSL certificates are likely powered by Let’s Encrypt as well.
With Let’s Encrypt, Why Pay For SSL Certificates?
So with free, automatically updated SSL certificates, would you still bother to purchase a certificate?
A dedicated certificate for your own domain is all but mandatory for any website taking credit card payments, since the certificate is how the customer’s browser confirms it is talking to your domain. That does not have to be a paid certificate, though: the payment card industry’s requirements (PCI DSS) concern strong TLS configuration, not who issued the certificate, and a free domain-validated certificate provides exactly the same encryption as a paid one. Paid certificates are unlikely to disappear soon all the same; what they sell is identity vetting, support and warranties rather than stronger cryptography.
Businesses Still Need Their Own Certificates
Some big companies will probably prefer to buy their own certificates. The cost of a certificate is a drop in the bucket for a Fortune 500 company. IBM, Amazon, and others will likely bask in the glow of credibility that having their own certificates brings.
Landlines and mainframe computers haven’t been completely displaced in the corporate world, and it seems that they’ll be using certificates signed by the likes of DigiCert for a long time.
Private certificates and free SSL projects have different goals. The latter is meant to promote security in general. For big companies, security is meant to protect their business and their credibility.
If you’re handling user data, like logins or payment information, you need HTTPS on every page, not just the checkout. Whether the certificate is a free Let’s Encrypt one or a paid one makes no difference to the strength of the encryption; what a paid OV or EV certificate adds is that the CA has verified the legal organisation behind the domain, which matters to businesses that want that identity visible in the certificate details.
A lot of CAs offer warranties to purchasers of certificates. Read the terms: they typically cover losses caused by the CA mis-issuing a certificate, not your site being hacked.
Big companies and their shareholders expect their IT staff to go the extra mile, and that includes certificates with verified organisation details. EV and OV certificates aren’t going away anytime soon, even though browsers stopped giving EV certificates a special green address bar in 2019.
Three Great Hosts for SSL
Because SSL is so important to modern websites for security and SEO, web hosting providers worth their salt will make it easy for site owners to incorporate SSL certificates into their sites.
SiteGround is an example of one such hosting provider. They have a free tier based on Let’s Encrypt, but they also have paid options which are marketed to businesses.
The paid certificates come with organisation validation and with a CA warranty against mis-issuance. These options should suit anyone, ranging from small sites to e-commerce.
If you haven’t noticed yet, SSL is pretty important to e-commerce. If you’re selling stuff over the internet, you might want to consider a host that specializes in e-commerce.
Shopify is one of them. Among other features, they offer free SSL certificates across all their plans.
InMotion Hosting is another hosting provider jumping on the free SSL bandwagon. They offer free certificates across all their web hosting plans.
The downside is that these free certificates only work while the domain’s DNS points at InMotion’s servers, because Let’s Encrypt validates domain control by contacting the domain. If you’re handling customer data, they also recommend going with your own certificate over a dedicated IP, although with SNI (see the FAQ below) a dedicated IP is no longer technically necessary for a private certificate.
SSL certificates work behind the scenes to enable secure browsing and payment over the web. SSL certificates verify the authenticity of the holder, which is crucial for SEO and e-commerce. Let’s Encrypt is offering free SSL certificates, but many businesses will still need their own certificates.
SSL Certificates Frequently Asked Questions
- How long does an SSL certificate last?
That depends on the certificate authority and the plan you selected, within limits set by the browser makers: since September 2020 publicly trusted certificates may be valid for at most 398 days, and Let’s Encrypt issues for 90 days.
Much like purchasing a domain name or hosting packages, most SSL certificate authorities offer a variety of levels and let you pay for several years of coverage up front, but the certificate itself still has to be reissued within the lifetime limit.
- What is Public Key infrastructure (PKI)?
A PKI is not a single company but the whole set of roles, policies, software and procedures for issuing, distributing, storing and revoking certificates: the CAs and their intermediates, the trust stores shipped in browsers and operating systems, the validation steps performed before issuance, and revocation mechanisms such as CRLs and OCSP. Together these let a browser verify the identity of the website it is visiting without any prior relationship with that site.
- How does a shared SSL certificate compare to a private SSL certificate?
A shared certificate uses your host’s domain name, rather than your own. If you point your own domain at it, browsers will warn visitors, because the name in the certificate does not match the name in the address bar (the hostname check described below).
However, as long as you use the shared server name for your account, visitors will not receive the warning.
This setup is typically used when you don’t need to publicly advertise the secure connection, and it is not recommended for e-commerce sites, where customers will expect to see your domain listed on the certificate.
Private SSL certificates use your own domain name, so your site visitors will see your domain associated with the certificate, creating a much higher level of trust in your site.
Private certificates are particularly important if you’re asking for secure information such as credit cards.
- What does my browser check for when it connects to an SSL site?
When your browser connects to an HTTPS site, the server sends its certificate during the handshake and the browser verifies that it has not expired (and is not dated in the future), that its signature chain leads to a Certificate Authority in the browser’s trust store, and that the host name being visited appears in the certificate’s Subject Alternative Name list. Most browsers also check revocation status through OCSP or CRL-derived lists, with the details varying by browser.
If any of these checks fail, your browser will display a warning to let you know the site is not secured by SSL.
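As an added example that is not from the original article, this shell snippet reproduces the three checks just listed with the openssl verifier: it issues a constructed self-signed certificate for the wildcard name *.example.test with a two-day lifetime, then verifies it the way a client would with the certificate in the trust store, for host names that do and do not match the wildcard, at a clock time after expiry, and finally with an empty trust store. The host names and validity period are constructed for the demo; it assumes OpenSSL 1.1.0 or later, for the -no-CAfile/-no-CApath options.

```sh
#!/bin/sh
# Added example (not from the original article): the checks a client performs on
# a server certificate, run with the openssl CLI against a constructed
# self-signed wildcard certificate. Assumes OpenSSL 1.1.0+.
set -eu

# Issue a self-signed certificate for *.example.test that is valid for two days.
make_wildcard_cert() {     # make_wildcard_cert <dir>
  mkdir -p "$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=*.example.test" \
    -keyout "$1/site.key" -out "$1/site.csr" 2>/dev/null
  printf 'subjectAltName=DNS:*.example.test\n' > "$1/site.ext"
  openssl x509 -req -sha256 -days 2 -in "$1/site.csr" -signkey "$1/site.key" \
    -extfile "$1/site.ext" -out "$1/site.crt" 2>/dev/null
}

# Browser-style validation: is the issuer in the trust store (-CAfile), does the
# name match a SAN entry (-verify_hostname), and is the certificate valid at the
# time of the connection (-attime in seconds since the epoch; default is now)?
client_accepts() {         # client_accepts <dir> <hostname> [epoch-seconds]
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1/site.crt" -verify_hostname "$2" -attime "$3" \
      "$1/site.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/site.crt" -verify_hostname "$2" \
      "$1/site.crt" >/dev/null 2>&1
  fi
}

# The same certificate presented to a client whose trust store does not contain
# it, which is what every visitor to a self-signed site experiences: rejected
# even when the host name is right.
untrusting_client_accepts() {  # untrusting_client_accepts <dir> <hostname>
  openssl verify -no-CAfile -no-CApath -verify_hostname "$2" \
    "$1/site.crt" >/dev/null 2>&1
}

# Usage:
#   d=$(mktemp -d) && make_wildcard_cert "$d"
#   client_accepts "$d" www.example.test   && echo "www: accepted"
#   client_accepts "$d" example.test       || echo "bare domain: not covered by the wildcard"
#   client_accepts "$d" a.b.example.test   || echo "two labels: a wildcard matches one label only"
#   client_accepts "$d" www.example.test "$(( $(date +%s) + 864000 ))" || echo "10 days on: expired"
#   untrusting_client_accepts "$d" www.example.test || echo "unknown issuer: rejected"
```

Two of the outcomes surprise people regularly: a wildcard certificate for *.example.test does not cover the bare domain example.test, and it does not cover names with more than one extra label, so both need their own entries in the Subject Alternative Name list.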
- What sort of data can be secured using SSL?
SSL is not specific to a type of data. It uses public key cryptography for authentication and key agreement in the handshake, then symmetric encryption with integrity protection (today usually an AEAD cipher such as AES-GCM or ChaCha20-Poly1305) for the data itself. Any type of data can be secured, from text to images to database content, because the protection is applied to the byte stream regardless of what it carries.
- What should I do if I lost my SSL password?
The “SSL password” is the passphrase that encrypts your private key on disk; the key, not the passphrase, is what identifies your server. If you lose the passphrase and have no unencrypted copy of the key, you cannot use that key any more: generate a new key pair and CSR, have the CA reissue the certificate, and revoke the old one. Most web servers are configured with an unencrypted key file protected by file permissions, so that they can restart without a human typing the passphrase.
- Can I have more than one SSL certificate per IP address or on a single web server?
Yes, provided your server and your visitors’ browsers support Server Name Indication (SNI), which all current ones do.
Originally, a server had to choose its certificate before it knew which of its virtual hosts the visitor wanted, so a single IP address could carry only one certificate and each HTTPS site needed its own IP.
With SNI, the client includes the host name it is connecting to in its first handshake message, so the server can pick the matching certificate and a single IP address can serve many certificates. Note that this host name is sent in the clear, before encryption begins, so an observer on the network can see which site you visit even though it cannot read the traffic; Encrypted Client Hello is the extension being deployed to close that gap.
Before going this route, check with your hosting provider that SNI is supported, and bear in mind that very old clients (Internet Explorer on Windows XP, for example) never supported it.
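As an added example that is not part of the original article, the following shell script demonstrates SNI entirely offline with openssl’s built-in test server and client: one listening socket serves two constructed host names with two different certificates, and the certificate the server hands back depends on the name the client sends in its ClientHello. The host names, port and certificates are constructed for the demo; it assumes OpenSSL 1.1.1 or later and a free loopback port.

```sh
#!/bin/sh
# Added example (not from the original article): SNI demonstrated offline with
# openssl s_server / s_client. One IP:port, two constructed hostnames, two
# certificates; the server chooses by the name in the client's ClientHello.
# Assumes OpenSSL 1.1.1+ and that a loopback port can be bound.
set -eu

# Self-signed certificate for a single hostname (constructed, demo only).
make_cert() {              # make_cert <dir> <hostname>
  mkdir -p "$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/$2.ext"
  openssl x509 -req -sha256 -days 2 -in "$1/$2.csr" -signkey "$1/$2.key" \
    -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# Start a test server on the given port. -cert/-key is the default pair, used
# when the client sends no SNI or an unknown name; -servername/-cert2/-key2 is
# the pair returned when the client's SNI value equals that name. -www makes the
# server answer HTTP and close, so it needs no terminal. Prints the server PID.
start_sni_server() {       # start_sni_server <dir> <port> <default-host> <sni-host>
  openssl s_server -accept "$2" -www \
    -cert "$1/$3.crt" -key "$1/$3.key" \
    -servername "$4" -cert2 "$1/$4.crt" -key2 "$1/$4.key" >/dev/null 2>&1 &
  echo $!
}

# Connect with the given SNI name and print the subject of the certificate the
# server actually presented. Retries while the server is still starting up.
served_subject() {         # served_subject <port> <sni-host>
  n=0
  while [ "$n" -lt 20 ]; do
    subj=$(openssl s_client -connect "127.0.0.1:$1" -servername "$2" </dev/null 2>/dev/null \
           | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null) && {
      printf '%s\n' "$subj"; return 0; }
    n=$((n + 1)); sleep 1
  done
  return 1
}

# Usage:
#   d=$(mktemp -d); make_cert "$d" www.example.test; make_cert "$d" shop.example.test
#   pid=$(start_sni_server "$d" 44331 www.example.test shop.example.test)
#   served_subject 44331 www.example.test     # subject=CN=www.example.test
#   served_subject 44331 shop.example.test    # subject=CN=shop.example.test
#   served_subject 44331 other.example.test   # unknown name: default certificate
#   kill "$pid"
```

The same `openssl s_client -servername` command is the quickest way to check a real host: if the subject printed for your domain is your hosting provider’s name instead of yours, your certificate is not being selected for that name.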
- Do all browsers accept SSL?
There’s always an exception, but you can be confident when you choose SSL, because it covers well over 99% of internet users.
SSL/TLS is supported by every current browser, including Chrome, Firefox, Edge, Safari and Opera, as well as by embedded clients such as the Sony PlayStation’s browser. What matters more today is the version: browsers disabled TLS 1.0 and 1.1 in 2020, so a server must offer TLS 1.2 or 1.3.
A complete list is too exhaustive to include here, but unless someone is still using a Windows 3.1 machine to go online, their browser supports it.
- Who developed SSL?
SSL was originally developed by Netscape in the mid-1990s: SSL 1.0 was never released, SSL 2.0 shipped in 1995, and it was not until v3.0 in 1996, a complete redesign that fixed the many security flaws in 2.0, that SSL received general acceptance. SSL 3.0 has since been broken too (the POODLE attack of 2014) and is disabled in all current browsers and servers.
- Can I allocate only some directories to have SSL certification, or do I have to secure my entire site?
That depends on the setup your hosting provider offers and the web server software you use.
You can designate a subdomain as your secure site and enable SSL only for it, and that was common practice when certificates were expensive.
For instance, you could run a general site, www.cool-site.com, without SSL and send visitors to secure.cool-site.com when you need to collect information from them. Today this is not recommended: the certificate costs nothing, search engines favour HTTPS, and any page served over plain HTTP can be modified in transit and can leak session cookies, so the usual advice is to serve the entire site over HTTPS and redirect HTTP to it.
- What level encryption do I receive when connecting to an SSL certified site?
That depends on a number of factors, and, contrary to old marketing about “128-bit” or “256-bit certificates”, the certificate itself is not one of them; the symmetric cipher is negotiated per connection.
First, the cipher suites and protocol versions the site’s server is configured to offer.
Next, the capabilities of the site’s hosting platform, which determine what the server software can offer.
And lastly, the browser you are using, since the server can only choose from the suites your browser proposes.
Even if the website and server are configured for AES-256, a visitor with an old browser that only supports weaker suites gets a weaker connection than other visitors to the same site; a well-configured server refuses to negotiate anything below TLS 1.2 with a modern suite rather than silently downgrading. (AES-128 and AES-256 are both considered strong; the dangerous cases are obsolete ciphers such as RC4 and 3DES and old protocol versions, not 128 versus 256.)
For the strongest encryption level, stick to trusted sites and keep your browser up to date.
- How does SSL compare to TLS?
Technically speaking, SSL was the predecessor of TLS: TLS 1.0 (1999) was a revision of SSL 3.0, and the current version is TLS 1.3 (2018).
They work the same way: both encrypt the data with a negotiated cipher, both rely on a certificate authority (CA) to vouch for the identity of a website, and both rely on a “handshake” between the browser and the web server. The CA is not contacted during the handshake; the browser checks the CA’s signature on the certificate using the root certificate it already holds.
TLS provides a number of additional security measures that SSL 3.0 did not, removing many vulnerabilities in the older standard, and every version of SSL is now disabled in browsers. However, don’t be dismayed if you’re trying to sign up for TLS protection and can only find CAs that provide “SSL”.
The two names are used interchangeably, and the certificate is the same X.509 certificate either way, so when you sign up for SSL you are actually getting a certificate that your server will use with TLS.