Recently, the share of valid SSL certificates in the various domain zones has been growing, as has general interest in SSL technology. Nevertheless, not everyone understands what they are dealing with when they hear the term. So we will try to explain what it means and help you choose exactly the certificate your project needs (and decide whether you need one at all).
For secure data transfer between the user's browser and the server, a public key infrastructure is used: it allows the transmitted information to be encrypted with a public key (known to everyone) and decrypted with a private key (known only to its owner), a scheme called asymmetric encryption. This infrastructure is governed by the international standard X.509, which defines the contents of an electronic certificate:
- certificate version number (1-3);
- serial number;
- signature algorithm identifier;
- the name of the organization that issued the certificate;
- certificate validity period;
- the name of the certificate holder;
- certificate holder's public key;
- digital signature.
The X.509 standard does not prescribe a specific encryption algorithm, but the most common one is RSA, which is what is used in SSL certificates.
Before choosing a certificate, it would be nice to find out why they are needed and what functions they perform.
Any SSL certificate performs three important functions at once:
- encryption of transmitted information;
- authentication of the resource;
- ensuring the integrity of the transmitted information.
Thus, the user is shown that the web resource to which the certificate is attached can be trusted.
To understand how these three functions of an SSL certificate work, consider a simple example. A girl named Anya needs to buy a plane ticket through an airline's website, and to do so she has to send her credit card details. To be sure that her data will not be intercepted by third parties, Anya checks that the website of the chosen airline has an SSL certificate. This is simple: it is enough to make sure that the address bar begins with the https designation, which is usually highlighted in green. It confirms that data between the user's browser and the company's server is encrypted. In this case, the airline has two keys: a public one, accessible to everyone, and a private one, known only to the airline. A message encrypted with the public key can only be decrypted with the private key, and a message encrypted with the private key can be decrypted with the public key. If the SSL certificate of the company chosen by our traveler was issued by a valid certification authority, Anya's browser recognizes it as trusted (authentication) and encrypts her data with the public key. Even if an attacker intercepts the information Anya transmits, he will not be able to read it, since he does not have the private key to decrypt it.
Self-signed SSL Certificates
Obtaining an SSL certificate, of course, costs money, and it is valid only for a limited time. Therefore, many people use so-called self-signed SSL certificates. You can generate them for free using the hosting control panel directly on the web server. However, using a self-signed certificate is not always advisable.
Any browser checks whether a certificate was issued by a certificate authority known to it, and if not (which is the case for a self-signed certificate), it reports an error and displays a large warning saying “The site's security certificate is not trusted!”.
Such a message will certainly scare a potential client away from the resource, who will want to leave it, and the site owner in turn will lose a significant part of his audience. So, for sites with high traffic or online stores, the use of self-signed SSL certificates is not recommended.
Such dangers await anyone who does not take care of a secure https connection. Nevertheless, self-signed certificates are quite suitable for internal use: for example, inside a small organization whose employees have added the certificate to their trusted ones, since they know its origin. They are also suitable for an Apache server used for developing and testing applications.
Security Vulnerabilities with SSL Certificates
When talking about purchasing an SSL certificate, it is important to understand that in itself it is not a magic wand which, with one wave, relieves you of all the problems associated with site security. No matter how complex the cryptographic mechanisms are, the ultimate authority in the SSL certificate infrastructure is still people, and therefore all questions of trust rest on the human factor. For instance, in September 2015, Symantec, through a mistake of its employees, issued 164 illegitimate certificates for 76 domain names. Another sensitive point in using SSL certificates is storing the private key: you cannot hide it in a safe, isolated from the outside world, because it is used regularly in the HTTPS connection process, and there is a possibility that the server is hacked in order to steal the private key. The culprit here can again be a person: the server administrator who for some reason could not protect the server. Therefore, owners of private keys often protect them with a password.
Kinds of SSL Certificates
If you decide to purchase an SSL certificate from one of the certification authorities, you should find out what variants exist. At first glance, choosing among the many SSL certificates on the market today is quite difficult: the price difference can reach 100,000 rubles, and it is not always clear which capabilities of a particular certificate your project really needs. However, you can sort this out using the four main criteria to consider when purchasing an SSL certificate:
- the desired degree of trust in the resource;
- the number of domains and subdomains for which the certificate is purchased;
- the type of subject acquiring the certificate: an individual or a legal entity;
- your financial means for acquiring the certificate.
Let's start with the first criterion.
The legitimacy of your resource can be confirmed by three different degrees of verification. Accordingly, there are three types of SSL certificate, differing in the type of validation:
- certificates confirming domain ownership (Domain Validation);
- certificates confirming, besides the domain, the legal existence of the organization (Organization Validation);
- certificates with Extended Validation.
DV certificates confirm only that the certificate holder really owns the domain and are the most affordable type of SSL certificate. They are best suited for forums and small sites or blogs with not very many visitors.
An SSL certificate of this level:
- provides only the initial level of protection;
- available to individuals and legal entities;
- does not require the provision of additional documents;
- is available in 5-10 minutes;
- will cost about 1-4 thousand rubles per year.
An OV certificate confirms the business status of the organization and inspires much more user confidence than a DV certificate. This type of certificate is well suited for an online store and other small online businesses.
An OV-level certificate:
- provides an average level of protection;
- issued only to legal entities;
- for registration, you must provide copies of the organization's documents and a telephone company bill showing the organization's name and the phone number of its owner;
- is available in 1-5 days;
- will cost from about 4,000 rubles to 50,000 rubles a year.
Extended Validation (EV) certificates are the most reliable, but also the most expensive. They are well suited for a large and serious organization for which prestige and security are important.
An EV-level certificate:
- offers the highest level of security and the highest level of trust among SSL certificates;
- issued only to legal entities;
- the following additional documents are required for registration: a tax registration certificate, a notice of registration of a legal entity, a notice of registration as an insurer, and others;
- supports Cyrillic domains;
- is available in 3-10 days;
- will cost from about 10,000 to 100,000 rubles per year.
After the documentary check, the provider can also call the organization's declared telephone number, completing the additional verification step. But after going through this whole process, your site will have the highest level of trust, indicated by a green bar with the company name in the address bar. From it, users can recognize the high business status of the company and, by clicking on the bar, see complete information about the organization. Certificates of this type serve as excellent protection against phishing: because of the strict verification requirements, attackers will not be able to pass all stages of verification, so “fake” EV certificates are encountered extremely rarely.
You ask which certificate to choose? It all depends on the focus of your site and your budget. It is also useful to see which SSL certificates your partners, competitors or larger sites use. For example, the well-known hotel booking service ostrovok.ru uses a PositiveSSL Wildcard certificate from Comodo; the popular online store wildberries.ru uses the SGC OV SSL Wildcard certificate of maximum security; the Tinkoff.ru website uses an EV SSL certificate from the Thawte certification authority.
We recommend that users carefully check the name of the company, as fraudsters can create a “phony” organization with a similar name and bind an SSL certificate to it.
What to do if you need to protect multiple subdomains or different domains on the same server?
In this case you will need to purchase a SAN (UCC) certificate, which is ideal for multi-domain projects and MS Exchange products. Wildcard certificates, in turn, exist only for protecting subdomains. By purchasing such a certificate, you provide encryption not only for the main domain, but also for an unlimited number of subdomains of the form subdomain1.domain.com, subdomain2.domain.com, etc. However, not all providers issue Wildcard certificates that also protect the main domain, so it is worth paying special attention to this before ordering. Although the main advantages of a Wildcard certificate are convenience and savings (you do not need to obtain and pay for a certificate for each subdomain), it is sometimes still cheaper to purchase separate SSL certificates for each subdomain, especially if there are not too many of them.
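As an added example (not part of the original article) covering both the self-signed certificates described earlier and the wildcard/SAN name coverage discussed here, the following POSIX shell script uses the openssl CLI (version 1.1.1 or later assumed, for -addext) to generate self-signed certificates for the constructed domain example.test and checks how verification behaves: rejected when the issuer is unknown, accepted once explicitly trusted, and covering the bare domain only when it is listed in the SAN alongside the wildcard.

```shell
#!/bin/sh
# Added example, not from the article. Assumes the openssl CLI (1.1.1+); the domain
# example.test and every file name below are constructed for this demonstration.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed certificate (issuer == subject) carrying the given subjectAltName list.
make_cert() {  # $1 = file prefix, $2 = subjectAltName value
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=example.test/O=Example Org" \
    -addext "subjectAltName=$2" >/dev/null 2>&1
}

# Chain and hostname verification. Succeeds only if the issuer is found in the CA
# file given as $3; with no $3 only the system trust store is consulted.
verify_host() {  # $1 = certificate, $2 = hostname, $3 = optional CA file
  cert=$1; host=$2; ca=$3
  if [ -n "$ca" ]; then set -- -CAfile "$ca"; else set --; fi
  openssl verify "$@" -verify_hostname "$host" "$cert" >/dev/null 2>&1
}

# Runs the scenarios from the article; returns 0 only when every expectation holds.
check_all() {
  make_cert full "DNS:example.test,DNS:*.example.test"   # wildcard plus bare domain
  make_cert wild "DNS:*.example.test"                    # wildcard only
  # 1. Unknown issuer: the browser's "certificate is not trusted" situation.
  ! verify_host full.crt example.test || return 1
  # 2. Explicitly added to the trust store (the internal-use case): accepted.
  verify_host full.crt example.test full.crt || return 1
  # 3. The wildcard covers exactly one label under example.test ...
  verify_host full.crt www.example.test full.crt || return 1
  ! verify_host full.crt a.b.example.test full.crt || return 1
  # 4. ... and a wildcard-only certificate does NOT cover the bare domain.
  ! verify_host wild.crt example.test wild.crt || return 1
  return 0
}

# Prints the X.509 fields the article lists: subject, issuer, serial, validity, SAN.
show_fields() {
  openssl x509 -in full.crt -noout -subject -issuer -serial -dates -ext subjectAltName
}

check_all && show_fields
```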
Let's make a small comparison of the major SSL providers: Symantec, Thawte and Comodo. Although all three companies sell essentially the same product, there are significant differences in service. Symantec has the largest extended warranty, reaching 1,750,000 dollars; this amount is paid in damages if Symantec violates the terms of the warranty. The company also offers antivirus protection that scans the pages on your host daily to detect malware. But it is worth noting that they charge a lot for this functionality: Symantec has the most expensive certificates of the three centers presented. Comodo has the most affordable certificates, which also come with antivirus scanning and PCI analysis services. Thawte does not offer any additional features and has average prices for SSL certificates.
I would like to note that today most site owners acquire SSL certificates directly from hosting providers. Although they are in fact intermediaries, the price of certificates, thanks to large sales volumes, may be even lower than that of the certification authority itself!
It is important to note that not all certificates support IDN (Internationalized Domain Names). You may choose a certificate with an ideal price-to-quality ratio, but if you buy it for a Cyrillic domain, it is not at all certain that it will suit you. IDN-enabled SSL certificates can be purchased from companies such as GlobalSign, Thawte, Comodo or Symantec.
When choosing an SSL certificate, note which certificates have been chosen by your competitors and by companies with a similar product, audience size and way of exchanging information with that audience. Also note that a nice bonus of buying an SSL certificate is that sites with an HTTPS connection are ranked higher than the rest by Google. In addition, as Google recently announced, all sites without SSL certificates that accept passwords and credit card numbers will be marked as unsafe in Google Chrome. This is another reason to think about acquiring an SSL certificate, especially since today an HTTPS connection is much more accessible than a few years ago, and some companies offer attractive promotions and even give certificates away as a bonus.