Secure Sockets Layer (SSL) is a protocol ensuring that all data passed between the web server and browser remain private and secure.
The SSL security protocol provides:
- Protection against manipulation and access by unauthorized parties
- Digitally signed transmitted data
- Secure credit card transactions, data transmissions, logins etc.
- Authentication of the company and/or domain
How do SSL certificates work?
When a browser accesses a web site secured by SSL:
- The browser will try to establish a connection to the SSL-secured website
- The browser sends an identity request to the web server (Handshake)
- The server sends a copy of its SSL certificate to the browser
- The browser verifies the authenticity of the SSL certificate. If the certificate is trustworthy, the browser will send a message to the server
- The server sends back a digitally signed acknowledgement to start an SSL encrypted session
- Encrypted data is shared between the browser and the server
Encryption protects the data during transmission
Web servers and browsers use the SSL protocol to create a uniquely encrypted channel for secure data transmission over the Internet. Each SSL certificate consists of a key pair as well as verified identification information. The public key will encrypt any sensitive data while the private key decodes the encrypted data. When a browser accesses a secured domain, a particular encryption strength will be determined depending on the SSL certificate, browser and operating system in use. SSL certificates therefore provide various encryption strengths up to 256-bit. Strong encryption, at 128 bits, can calculate 2^88 times as many combinations as 40-bit encryption. That is a billion times stronger. At current computing speeds a hacker using "brute force" would require a billion years to break into a session protected by an SGC-enabled certificate. To enable strong encryption for the greatest number of site visitors, choose an SSL certificate that enables 128-bit minimum encryption for 99.9% of website visitors.
Credentials for establishing an online identity
An online identity can commonly be established with: an ID card, a driver's license, a passport, or a company badge. SSL certificates are credentials used for establishing identity online. They are issued individually to a specific domain and web server and authenticated by the SSL certificate provider (Certification Authority). When a browser connects to a web server the web server sends the identification information to the browser.
To view a website's identity information:
- Click on the closed padlock in the browser window
- Click on the trust seal (e.g. the Norton Secured Seal)
- Look at the green address bar activated by an Extended Validation (EV) SSL certificate
Authentication generates trust
Trust in a credential depends on confidence in the issuer, since the issuer vouches for its authenticity. Certificate authorities use different authentication methods to verify information provided by organizations. The leading Certificate Authority Symantec is well known for its outstanding reputation. It is trusted by browser vendors due to stringent authentication methods and its highly reliable infrastructure. Browsers transfer that trust to SSL certificates issued by Symantec.
Who needs SSL?
Any individual who wants to transfer data securely over the internet needs SSL certificates. SSL certificates do not just secure credit card transactions but should be used for all types of transactions and sensitive data transferred online. SSL certificates:
- Secure online credit card transactions
- Secure contact forms and login routines
- Secure the email connection between Microsoft Outlook, MS Lync Server (former Communications Server) and Microsoft Exchange
- Secure intranet-based traffic such as intranets, extranets, database connections and Microsoft SharePoint
- Secure communication on cloud-based platforms and virtualized applications
- Secure the transfer of files over https and FTP services
- Secure login data for hosting control panels such as Parallels and cPanel
- Secure information transferred via mobile devices
Types of SSL certificates
Due to numerous cloned websites, SSL certificates are essential to assure users that they are accessing an authentic website. SSL certificates issued by a trusted certificate authority verify a website's identity by means of a specific validation process. Since the validation process depends on the respective SSL certificate and the given Certification Authority, there are large quality differences between SSL certificates. Due to the exponential increase in phishing over the last few years, as well as other fraudulent websites trying to steal sensitive user information, the authentication strength of SSL certificates and the Certification Authority's authentication process have become more and more important. Our brands include three approved SSL authentication categories: Extended Validation (EV), Organization Validation (OV) and Domain Validation (DV).
Extended Validation (EV)
SSL certificates with Extended Validation (EV) are the most advanced, valued, and secure SSL certificates. Extended Validation ensures the highest standard possible to authenticate an applicant and the applicant's company. The validation criteria are determined by the CA/Browser Forum. Compliance with them is regularly monitored and checked by the auditing association KPMG. SSL certificates with Extended Validation activate the green address bar in the browser's window and show the company's name and the name of the Certification Authority. When issuing an SSL certificate with Extended Validation, the Certificate Authority verifies the domain ownership as well as the usage rights. In addition, the Certification Authority also verifies an organization's legal form and the applicant's right to request a certificate in the organization's name. The benefit of Extended Validation is higher security and trust, helping to increase sales.
- Validates domain ownership
- Shows the padlock in the browser window and the green address bar
- Authenticates the respective company
- Receives proof of legitimacy of the request
- Shows the company's information in the certificate
- Shows the company's name and the name of the certification authority in the browser window
Who needs Extended Validation (EV)
An SSL certificate with Extended Validation (EV) provides effective protection against phishing, safeguarding a business and its customers, allowing for future business development and an increase in sales. Users are more likely to give away sensitive information online, such as credit card information, when they see a website is secured with both an SSL certificate with Extended Validation and the green address bar. Websites that benefit the most from Extended Validation include:
- eCommerce web sites that store and process credit card information
- Websites facing intense retail competition with the trust of customers as well as brand protection as first priority.
- Websites that request and process personal data
- Websites with registration forms for customers and employees
- Websites providing payment transactions via third-party suppliers (e.g. PayPal)
The Green Address Bar generates trust
SSL certificates with Extended Validation (EV) assure users that they are accessing a secured website and that their information is in good hands. When using an SSL certificate with Extended Validation, the company's name will be shown in the address bar as well as the name of the Certification Authority. The Certification Authority implements an extensive validation process. In addition, the striking representation of security (e.g. green address bar and company name) makes it nearly impossible for hackers to abuse the website operator's valuable brand for attacks (e.g. phishing).
Organization Validation (OV)
A weaker and less extensive validation method is the basic organization validation. Until just a few years ago, Organization Validation was the highest level of validation, validating domain ownership, the usage rights as well as the organizational information given in the certificate (e.g. name, city and country). In comparison to SSL certificates with Extended Validation the basic organization validation does not provide the green address bar or reveal the name of the company.
Domain Validation (DV)
Domain validated SSL certificates provide the lowest level of validation available. Domain Validation verifies that the domain is registered and that a contact at the domain in question approves the certificate request.
- Validates the control of the domain
- Shows the padlock in the browser
SAN-enabled SSL certificates
SSL certificates supporting Subject Alternative Names (SAN) secure multiple domain names with a single SSL certificate, both efficiently and inexpensively. SAN-enabled certificates are often called Unified Communications (UC) certificates and are used to secure Microsoft Exchange Servers or Microsoft Communications Servers.
SAN provides a Subject Alternative Name Field which makes it possible to secure multiple domain names with a single certificate. Instead of purchasing and managing individual certificates for each domain name you can add domain names to the SAN Fields. Only one certificate is effective for all used domain names. As an example with just one single SAN certificate the following domains can be secured:
SAN-enabled certificates are available via CertCenter AG issued by Symantec, Thawte and GeoTrust.
Benefits of SAN-enabled SSL certificates
- Reduction of administration and handling costs due to protection of multiple domains and hostnames with a single certificate
- Simplified installation and administration of the certificate with a single certificate for multiple domains (even for diverse subdomains)
- Maximum flexibility due to protection of Web-, SMTP, POP/IMAP-, and other UC servers including Microsoft Exchange Server 2007, Microsoft Exchange Server 2010 and Microsoft Office Communications Server 2007
- Completion of the UC requirements for Microsoft Exchange and Lync Server (former Communications Server)
- Risk reduction (in comparison to wildcard certificates) due to the usage of specific hostnames and exclusion of unauthorized certificate requests
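The SAN matching described above, as an added example (not code from the original page or from any certificate vendor): it checks which hostnames a certificate's Subject Alternative Name field covers, and shows why explicitly listed hostnames are narrower than a wildcard entry. The certificate is a constructed dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; all hostnames and the helper names `covered_by` and `audit` are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# hostnames are illustrative only and do not come from the page.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (
        ("DNS", "mail.example.com"),
        ("DNS", "autodiscover.example.com"),
        ("DNS", "owa.example.net"),
        ("DNS", "*.apps.example.org"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_match(pattern, host):
    """Compare one SAN dNSName entry with a hostname, case-insensitively."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Accept a wildcard only as the whole leftmost label, never "*.tld"
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def covered_by(cert, host):
    """Return True if host matches an entry in the certificate's SAN field."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals must match an iPAddress entry, never a dNSName entry
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, host)
               for kind, value in sans)


def audit(cert, hosts):
    """Map each hostname a server answers on to whether the cert covers it."""
    return {host: covered_by(cert, host) for host in hosts}
```

Running `audit` over the full list of names a server answers on before deployment shows which names would trigger a browser name-mismatch warning.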