This is the second of 2 posts I wanted to make about SSL and Certificates. The first post described, in general terms, what SSL is, the role it plays in HTTPS connections, and how certificates are used to bring these parts together.
In this post, I’ll describe the different types of SSL certificates that are used by websites, what the key differences are between them, and how to decide which certificate (if any) you need for your own website.
As mentioned in my earlier post, SSL certificates serve two major functions:
- Certificates let two computers have a ‘private’ conversation: the server’s certificate carries the public key used in the handshake that sets up an encrypted session, so that the data exchanged between them cannot be read by a third party. This is important for many reasons, one of the most common being online commerce, where sensitive financial information is passed between two computers.
- Certificates allow a server to ‘prove’ its identity (that it is who it says it is) to the computers connecting to it. For example, when you have an SSL-protected session with your bank, you can inspect the certificate the bank’s website presents to decide whether you have actually connected to your bank’s server and not to a bogus one. My first blog post on this topic describes how to do this.
SSL Certificate Vendors
The main intent of this blog post is to help you decide the type of certificate you should get for your website. So I am going to avoid a lot of technicalities and simply describe the certificate types that are most commonly offered by the major certifying authorities, like Symantec, Comodo and GlobalSign.
When you first start looking around for an SSL certificate, the first impression is that there are a lot of companies offering a wide range of SSL products.
In reality there are a fairly small number of companies in the SSL market. This is largely because it’s not an easy business to start up in: a CA must pass annual security audits for its certificates to be trusted by the major web browsers. For example, Symantec (which owns Verisign, Thawte and Geotrust) has about 38% market share, with Comodo, Go Daddy and GlobalSign holding more than 50% between them. Although these are all selling what are essentially the same product, there can be some pretty startling price differences. So it’s worth shopping around, once you know what you’re looking for.
SSL Certificate Types
There are actually relatively few SSL certificate ‘types’, although the names given to them vary a bit from one vendor to another. One thing they all have in common is that they enable encrypted connections between two computers. Note that the strength of that encryption is not set by the certificate type: it is determined by the cipher suite the server and the browser negotiate, and any modern browser and server will settle on at least 128-bit symmetric encryption, which is secure for any practical purpose. The only case where you would see 40-bit encryption is with a small and outdated set of client systems (see the discussion of SGC certificates below.)
Domain Validated (DV) SSL Certificates
These certificates are the least vetted of SSL certificates. Before issuing a certificate of this type, the CA verifies only that someone with control of the domain in question approves the certificate request. This is often done by sending an email to a contact address for the domain (such as the contact listed in its WHOIS record, or a standard address like admin@ the domain); if the CA receives a positive response, also via email, the certificate is issued. Other CAs accept a specific DNS record or a file placed on the web server as proof of control instead. The process is usually automated, which makes these the cheapest of all SSL certificates.
Because the validation proves only control of the domain (and nothing about who is operating it), and is easily satisfied, this kind of certificate doesn’t really offer much of a guarantee that the organisation behind the website is legitimate. Digicert won’t even issue this kind of certificate (http://www.digicert.com/dv-ssl-certificate.htm)
On the other hand, if all you are interested in is having an encrypted connection, then a cheap DV certificate offers just the same level of encryption as the others (with the exception of the SGC certificates.)
Extended Validation (EV) SSL Certificates
In terms of server validation, these are the polar opposite of the DV certificates. In fact, EV certificates came about, in large part, because of the ease with which DV certificates can be obtained.
Given that one of the key features of an SSL certificate is to identify the server that’s using it, it’s not very helpful if someone can obtain one with minimal verification or vetting. Fraudulent websites started using DV certificates to add an impression of credibility to their sites (a padlock icon, after all, says nothing about who is behind the site). Therefore the CA/Browser Forum (an industry group made up of the major SSL and web browser vendors) created a very strict set of guidelines for a much more thoroughly vetted certificate (https://cabforum.org/extended-validation/). This is the Extended Validation SSL certificate. An EV certificate is only issued after the CA has verified the legal identity, physical existence and operational status of the requesting organisation, and that the person making the request is authorised to do so.
In order to make servers using EV certificates stand out, the CA/Browser Forum guidelines include some unique display elements (in supporting browsers) when an EV certificate is in use. At the time of writing, this generally boils down to the organisation’s name shown in green in the address bar of the browser. Be aware that this depends entirely on the browser: the major browsers have since moved the EV organisation name out of the address bar, so don’t count on users noticing the difference.
Where it is shown, this makes it easy for users to recognise that they are dealing with a verified organisation. Because of the high level of trust these certificates represent, EV certificates are fast becoming the standard for websites supporting online commerce, such as shopping and banking sites.
Wildcard SSL Certificates
Use a wildcard SSL certificate if you want to secure multiple subdomains with a single certificate.
For example, if you own the domain “mybiz.com.au”, a wildcard certificate for “*.mybiz.com.au” can secure “www.mybiz.com.au”, “support.mybiz.com.au” and “shopping.mybiz.com.au”. Two caveats: the wildcard stands for exactly one label, so it does not cover “a.b.mybiz.com.au”, and it does not cover the bare “mybiz.com.au” unless the vendor adds that name to the certificate as well (most do, so check). A wildcard certificate also cannot be used to secure a different domain, for example “www.mybiz.com.au” and “www.mybiz.net.au”. For that you need to use a SAN certificate (see below.)
Also, wildcard certificates cannot be issued under the rules for Extended Validation (EV) certificates, so to protect multiple subdomains with an EV certificate, you will also need to use SAN.
SAN SSL Certificates
SAN is an acronym for “Subject Alternative Name.” In the digital certificate world, this boils down to ‘extra’ domain names covered by a single certificate. You might remember that in my description of wildcard certificates, I mentioned that “www.mybiz.com.au” and “www.mybiz.net.au” could not be covered by a single wildcard certificate. This is where SAN can help, as it allows both these domains (and many more) to be covered by a single SSL certificate. Each name is listed explicitly in the certificate, and a browser accepts the certificate only for a host that matches one of the listed names.
EV certificates also support SAN, so this is often the way to go if you want several domains or subdomains secured by a single EV SSL certificate.
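To make the wildcard and SAN rules above concrete, here is a worked example, written for this post and not taken from any browser or CA, of how a TLS client decides whether a certificate’s names cover the host it connected to. It applies the standard matching rules (case-insensitive exact match against any listed name; a ‘*’ that must be the whole left-most label and stands for exactly one label) and goes slightly beyond the text by also refusing wildcards over a public suffix such as “*.com.au”. The domain names, the two sample certificates and the tiny public-suffix set are constructed for the example.

```python
from typing import Iterable, Optional

# Stand-in for the public-suffix list real clients consult (constructed and
# deliberately tiny): a wildcard whose remainder is a public suffix, such as
# '*.com.au', would cover every registrant under that suffix, so it is refused.
PUBLIC_SUFFIXES = {"com", "au", "com.au", "net.au"}


def _wildcard_match(pattern: str, host: str) -> bool:
    """True if wildcard `pattern` covers `host`: '*' must be the entire
    left-most label, it consumes exactly one label, and every remaining
    label must match exactly. Both arguments are already lower-cased."""
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Partial wildcards ('w*.mybiz.com.au') and wildcards in any other
    # position ('www.*.com.au') are not accepted.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # '*.com.au' would match every site under .com.au: refuse it.
    if ".".join(p_labels[1:]) in PUBLIC_SUFFIXES:
        return False
    # '*' stands for one non-empty label, so the label counts must be equal.
    # This is why '*.mybiz.com.au' covers neither the bare 'mybiz.com.au'
    # (nothing for '*' to consume) nor 'a.b.mybiz.com.au' (two labels).
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, cert_names: Iterable[str]) -> Optional[str]:
    """Return the entry in `cert_names` (the certificate's dNSName SAN
    entries) that covers `hostname`, or None if the certificate is not
    valid for that host. Matching ignores case and a trailing dot."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        n = name.lower().rstrip(".")
        if n.startswith("*"):
            if _wildcard_match(n, host):
                return name
        elif n == host:
            return name
    return None


def coverage(cert_names: Iterable[str], hosts: Iterable[str]) -> dict:
    """Map each host to the certificate name that covers it (None if uncovered)."""
    names = list(cert_names)
    return {h: hostname_matches(h, names) for h in hosts}


# A plain wildcard certificate and a SAN certificate (both constructed).
WILDCARD_CERT = ["*.mybiz.com.au"]
SAN_CERT = ["mybiz.com.au", "*.mybiz.com.au", "www.mybiz.net.au"]

HOSTS = [
    "www.mybiz.com.au",      # covered by the wildcard
    "support.mybiz.com.au",  # covered by the wildcard
    "mybiz.com.au",          # bare domain: needs its own SAN entry
    "a.b.mybiz.com.au",      # two levels down: wildcard matches one label only
    "www.mybiz.net.au",      # different registered domain: needs a SAN entry
]

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD_CERT), ("SAN", SAN_CERT)):
        print(f"{label} certificate {cert}:")
        for host, by in coverage(cert, HOSTS).items():
            print(f"  {host:24s} -> {by or 'NOT COVERED'}")
```

Running it shows the wildcard certificate covering only the first two hosts, while the SAN certificate covers all of them except “a.b.mybiz.com.au”, which would need its own entry (or a “*.b.mybiz.com.au” wildcard). If you want to see what names a real certificate actually lists, `openssl x509 -in cert.pem -noout -text` prints them under “X509v3 Subject Alternative Name”.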
Server Gated Cryptography (SGC) SSL Certificates
Some very old browsers and versions of the Windows operating system support only 40-bit encryption. US export rules (since relaxed) once barred US companies from exporting software that used encryption stronger than 40 bits. All in all, this means there are some old systems out there that cannot use more than 40-bit encryption, which is not secure by any modern standard.
SGC certificates were created to overcome this 40-bit limitation: a server with an SGC certificate can step up to 128-bit encryption when talking to these old clients. This is nice in theory, but in reality the systems in question are very few and far between, and simply using such an old browser (or operating system) is a bigger security risk in itself than the low level of encryption.
How old are the systems we’re talking about?
- Internet Explorer V3.02 up to (but not including) V5.5
- Netscape from V4.02 up to V4.72
- Windows 2000 systems shipped before March 2001, using Internet Explorer and which have not had the High Encryption Service Pack installed.
Given that SGC certificates are among the most expensive of certificates, I can’t imagine many GI Computer Innovations customers, or anyone else for that matter, needing one.