Secure Sockets Layer (SSL) certificates are what cause your browser to display a padlock icon, indicating that your connection to a websites is secure. Although the padlock may soon be hidden from view, certificates aren't going anywhere.
Let's start with some definitions and explain some of the terminology.
On a strictly technical level, SSL was actually superseded by Transport Layer Security (TLS) many years ago, but the name has stuck around. So, in this article we'll use SSL to refer to the entire SSL/TLS family of protocols.
SSL is a security technology for establishing an encrypted link between a server and a client, such as a website and a browser, or a pair of email servers. An SSL certificate is a digital certificate that authenticates a website's identity and enables an encrypted connection.
What is the purpose of SSL certificates?
SSL certificates serve two important purposes:
- Authentication. It authenticates the identity of the computer you are talking to.
- Privacy. It ensures that a connection between two computers is encrypted.
On the web, SSL makes a connection to a website more trustworthy: You are talking to the website identified in the certificate, and nobody is listening in or tampering with the communication between you. This is particularly important when you are exchanging private information like credit card details or passwords.
It does not make the website more trustworthy though, only the communication between it and you. Not every website that has an SSL certificate can be trusted. Evil websites, like phishing sites, can have SSL certificates and you can establish safe, trustworthy connections to evil sites using SSL!
Despite lots of (now outdated) advice, SSL certificates and padlocks should not be used as an indicator that a website is "safe". Equally, if a website does not have a certificate, that does not mean it cannot be trusted.
How do SSL certificates work?
SSL encryption is possible because of the public-private key pairing that SSL certificates facilitate. A website visitor’s browser gets the public key necessary to open an encrypted connection from a server's SSL certificate. The public key is not secret and anyone can see it, so it doesn't matter if it's intercepted. Anyone with the public key can use it to encrypt a message, but only the corresponding private key on the server can decrypt it.
Depending on the type of certificate it also provides a visitor with information about the holder of the certificate:
- The domain name the certificate is valid for
- Information about the holder of the certificate
- Which certificate authority issued the certificate
- Issue and expiration date of the certificate
- The public key needed for the encryption
SSL certificates are generally divided into three types:
- Domain Validated (DV) Certificates. DV certificates assert a link between a certificate and a domain. Projects like Let's Encrypt, which provides free certificates and automates the process of creating and installing them, rely on domain validation.
- Organization Validated (OV) Certificates. OV certificates assert a link between a certificate and an organization. The body issuing the certificate must validate the legal and physical existence of the organization.
- Extended Validated (EV) Certificates. EV certificates assert a link between a certificate and an organization using a more thorough vetting process than OV certificates.
Where do you get SSL certificates?
SSL certificates are issued by a Certificate Authority (CA). Most browsers will accept certificates issued by hundreds of different CAs.
If you are looking for a certificate for your website, one option is to contact your hosting provider. They will usually be able to point you in the right direction, and will probably be able to provide one. Mention what type of certificate you are looking for since that is important information to start on your quest. Alternatively, you can automate the process of certificate creation and installation using services like Let's Encrypt.
Is an SSL certificate necessary for a website?
The majority of the web is now encrypted, making sites without SSL the exception. SSL protects private data in transit, such as credit card details. Even when it isn't protecting sensitive data, it stops attacks that might send you to fake websites, and prevents criminals injecting adds or malware into your traffic.
If that isn't enough for you, there are other reasons to use SSL too.
Aside from securing your traffic, having an SSL certificate also helps your website's search engine rankings. The current Google algorithm rewards sites with SSL by giving them higher rankings (or, better put, it punishes sites that do not use SSL).
SSL also makes a site look more professional and secure. Depending on the visitor’s browser, sites without an SSL certificate may trigger a warning that the site is not secure.
An increasing number of browser features require SSL to work. Features like getting a user’s location, accessing their microphone, or storing data locally on their device, all require that your website supports HTTPS, which relies on SSL. Which makes sense, because you are providing sensitive information to such sites. It poses a security risk if those features could be tampered with by a person-in-the-middle, or other network interference or impersonation.