SSL Certificates: What, Why, How, and Who?

In my previous article, What is SSL?, I gave an overview of the technology used to secure communications passed back and forth between clients, such as your browser, and servers, such as the ones used to host the web pages you visit. Communication security is important not just for e-commerce sites that may be receiving sensitive information such as credit card numbers, but also for user privacy in general. Websites that use SSL to encrypt traffic are thereby ensuring that information such as user logins and passwords or the contents of private messages cannot be read by a third party while that information is in transit between client and server.

Overview of SSL Certificates

As I discussed in the previous article, browsers and email apps rely on an already existing system of trust before establishing secure communications with a server. Trust here just means authenticity, in the sense that the web server your software is interacting with is actually who it says it is. Certificate Authorities, or CAs for short, are third-party organizations that issue SSL certificates to website owners. Those certificates are cryptographically signed by the CA’s private key, thus preventing them from being forged. When your browser connects to an SSL-enabled website, the web server presents it with its SSL certificate, and the browser then checks that certificate against a list of already trusted CAs. If the certificate was issued by one in the trusted list, your browser will proceed to the website and typically display a padlock, signifying a secure connection and the authenticity of the server, in the address bar. You can inspect the certificate through your browser by clicking on the lock icon in the address bar. The screenshot to the right is for webhostingsun.com in Chrome.

If your browser presents you with a warning about a website’s SSL certificate, the cause could be one of several issues, though it does not necessarily mean that your connection is unencrypted. Causes could be that the SSL certificate has expired, that it was not issued to the domain name in question, that it was installed incorrectly, or that it wasn’t signed by a trusted CA. But it could also mean that your traffic is being hijacked by a man-in-the-middle who has presented your browser with a bogus certificate. In general, you should never ignore these sorts of warnings unless you are absolutely sure what you are doing. Unfortunately, many users do ignore them, but as education about the importance of security increases over time, those numbers are likely to drop, and a bad certificate could seriously impact the trust in, and traffic to, a website.

SSL Certificate Types

Clearly, then, SSL certificates are an important part of Internet safety and security. If you are a website owner who is considering getting one, it is important to know about the various certificate types available.

DV SSL

The first, and most common, type of certificate is called a Domain Validation (DV) SSL Certificate. A DV SSL is one in which the CA has performed only the most basic validation check, to ensure that you either own or control the domain name that the certificate is to be issued for. This is done by sending a verification email to the administrative contact listed in a domain’s WHOIS information, or by having the owner create a special DNS record that the CA can then look up to verify that you control the domain. Domains with a DV SSL certificate will show a padlock, typically green, in your browser’s address bar.

DV SSLs are typically issued for a single domain, such as webhostingsun.com, but can often be configured to also support www.webhostingsun.com, which is technically a subdomain.

OV SSL

A second type of certificate is known as the Organization Validation (OV) SSL Certificate. OV SSLs require a more rigorous validation process in order to be issued, and are therefore more expensive to purchase and take a bit longer to receive. Ownership of a domain is validated by checking actual organizational credentials, such as verifying the physical address of a business and its Articles of Incorporation in government databases. These certificates will contain information stating that they are OV SSLs in the certificate details, such as the one used by Wikipedia shown to the right, but will otherwise show the same green padlock in the address bar as DV SSLs. The purpose of OV SSLs is to establish not only that the server your browser is communicating with is who it says it is, but also that it in fact belongs to the actual organization running the website.

EV SSL

Because most browsers don’t give a visual differentiation in the address bar between DV and OV SSLs, and so don’t clearly show that websites using OV SSLs are the more trustworthy, a third type of SSL was developed. This type is known as the Extended Validation (EV) SSL Certificate, and involves an even more rigorous verification process than OV SSLs. In addition to demonstrating the legal identity and physical location of the organization or business, the authority of the person controlling the website and acting on the organization’s behalf is established, and certain legal documents are signed. Websites with this type of SSL installed will display the name of the legal entity in the browser’s address bar, as in the case of Apple Inc. in the screenshot above. EV SSLs tend to be very expensive, and are generally only used by larger corporations for which it is imperative that browsers clearly show that they, and not someone else, are behind the website.

It is important to remember that the purpose of SSL certificates is to establish the identity of the server, organization, or business running the website. They are for establishing the sort of trust, or authenticity, described earlier. While the verification process increases in difficulty between DV, OV, and EV SSLs, they should not be taken to signify an increasing level of encryption.

The SSL Provider Industry

CAs are often referred to as SSL providers in the web hosting industry, and there are many for you to choose from. Each SSL provider offers one or more of the three basic SSL certificate types described above. Many providers also offer multi-domain certificates and wildcard certificates, which are valid for all of a domain’s subdomains, such as blog.example.com, store.example.com, and so on.
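As an added example (not code from the original article), the Python below approximates the checks a browser performs before showing the padlock, as described in the warning section earlier: is the issuer in the trusted list, is the certificate within its validity window, and does it cover the requested hostname, including the single-label wildcard rule that makes a certificate cover subdomains such as blog.example.com. The certificate is a constructed dictionary with a placeholder issuer name "Example CA", not a parsed X.509 structure, so it runs offline.

```python
from datetime import datetime, timezone


def utc(year: int, month: int, day: int) -> datetime:
    """Build a timezone-aware UTC timestamp (used for validity dates)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample, not a real certificate: a DV certificate covering
# webhostingsun.com, its www subdomain, and a wildcard for example.com.
SAMPLE_CERT = {
    "issuer": "Example CA",  # placeholder issuer name
    "san": ["webhostingsun.com", "www.webhostingsun.com", "*.example.com"],
    "not_before": utc(2024, 1, 1),
    "not_after": utc(2025, 1, 1),
}
# Stand-in for the browser's list of trusted CAs (its root store).
TRUSTED_ISSUERS = {"Example CA"}


def name_matches(pattern: str, hostname: str) -> bool:
    """Does a certificate name cover this hostname?  Case-insensitive; a
    wildcard is honoured only as the whole leftmost label and matches one
    label, so *.example.com covers blog.example.com but not example.com or
    a.b.example.com, and a too-short wildcard such as *.com is rejected."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def check_certificate(cert: dict, hostname: str, now: datetime,
                      trusted_issuers=TRUSTED_ISSUERS) -> list:
    """Return the warning reasons a browser would raise; [] means accept.
    A real client also verifies the CA's signature over the certificate;
    this simplified model only checks the issuer name against the store."""
    problems = []
    if cert["issuer"] not in trusted_issuers:
        problems.append("untrusted issuer")
    if now < cert["not_before"]:
        problems.append("not yet valid")
    elif now > cert["not_after"]:
        problems.append("expired")
    if not any(name_matches(n, hostname) for n in cert["san"]):
        problems.append("hostname mismatch")
    return problems
```

Calling `check_certificate(SAMPLE_CERT, "mail.webhostingsun.com", utc(2025, 3, 1))` reports both an expired certificate and a hostname mismatch, the two most common causes of the warnings discussed above.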

Most SSL providers offer warranties for large sums of money with the SSL certificate that they issue. These warranties are actually for visitors to your website, not for the website owner. Because SSL certificates are intended to certify the identity of the website owner so that visitors can trust that their traffic to the website hasn’t been interfered with, the purpose of such warranties is to cover the cost that a visitor might incur if they transact on a fraudulent site that was incorrectly validated by the provider.

Readers should note that this does not mean that a website with an SSL isn’t doing fraudulent business. It simply means that a CA has validated the identity of the owner in some way, usually by email confirming control of the domain. Warranties are only valid if a visitor lost money on an incorrectly validated site. Because incorrect validations almost never happen, SSL warranties are generally nothing but marketing.

As far as browsers are concerned, a certificate issued by one trusted SSL provider is as valid as one issued by another. But that does not necessarily mean that you should go with the cheapest option available from any random corner of the Internet. CAs are really the weak link in the web security system. If one of them gets compromised, the trust we (or our browsers) place in them is undermined. And it has happened before.

An attacker who has compromised a CA is able to issue fake SSL certificates, which allows them to masquerade as any domain name and present themselves as genuine. Granted, they have to be able to intercept your traffic in order to do this, but that’s not terribly difficult and has, of course, been done before when a fake certificate was issued for *.google.com and used to intercept the traffic of Iranian citizens.

As a rule of thumb, you should buy your SSL certificate from one of the larger, well-known providers, where internal security will be taken more seriously. You should also not choose a provider that is located in a country where its government might compel it to issue false certificates for the purpose of surveillance, something which is almost certainly happening today.