A Beginner’s Guide to SSL Certificates

The security of a website is one aspect of development that should never be taken too lightly.  As more and more of our personal information is stored online, it is important to take steps to make sure this information is kept safe.  While it is impossible to make any web application completely secure or “unhackable,” there are techniques and best practices that should be followed to make your site more difficult to steal information from.

The first step is to use SSL certificates.

When you click a link to go to a website, your browser sends a request to the site.  The site then replies to this request with the data that makes up the page you requested.  The protocol responsible for handling these requests is called the Hypertext Transfer Protocol (HTTP).  HTTP sends these requests through the internet in plain text.  Even the information you fill out on forms, such as usernames, email addresses, and passwords, is sent without any encryption.  This means that anyone who is paying close enough attention can look at every web page you are viewing, without you even knowing it.  There are several freely available, automated tools for doing this kind of “hacking”.

Secure Sockets Layer (SSL) certificates provide a solution to this problem.  Rather than sending HTTP requests and responses in plain text, SSL allows them to be encrypted.  This prevents others from seeing the data you send to and receive from a website, and thus helps to keep your information safer.  SSL uses private and public key cryptography in order to keep encrypted information secret.  Although this topic is very complex, you can essentially think of private and public keys as very strong passwords that depend on each other.  Plain text encrypted and signed using one key can only be validated and decrypted using the other key.

There are several different types of SSL certificates that can be installed into a web application. I've summarized the most common types below:

  • Single Domain: These are standard SSL certificates.  They protect a single domain such as www.buckeyeinteractive.com.  Most likely this is the kind of SSL certificate you will want to use.
  • Multiple Domain: These are standard level certificates that have the ability to protect multiple domains at the same time.  Each domain being protected must be specifically named when requesting the certificate.  This type of SSL certificate could be used to protect up to 100 different domains.
  • Wildcard: This kind of certificate can be used to protect any subdomains of a given domain without the need to list them specifically on the certificate.  This is a good option if you have several subdomains you need protected such as www.example.com, shop.example.com, and mail.example.com.  The certificate would have *.example.com listed on it, which means “anything dot example.com is valid.”
  • Extended Validation Single Domain: Extended Validation (EV) certificates are a more powerful kind of SSL certificate.  In order to acquire an EV certificate, the requesting company (or individual) must go through an identity verification process.   Once complete, they are issued this kind of certificate.  These certificates cause the address bar of the browser to turn green and/or display an “identity verified” notification when the site protected by them is visited.  EV certificates are recommended for e-commerce sites or sites that handle a large amount of personal information.
  • Extended Validation Multiple Domain: These certificates are the same as above, except that they can protect multiple domains.
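
The Multiple Domain and Wildcard entries above describe which hostnames a certificate covers. The following Python sketch is an added example, not from the original article: it checks hostnames against a certificate's name list using the rule browsers apply, in which `*` stands for exactly one left-most label, so `*.example.com` covers `shop.example.com` but not `example.com` itself or `a.b.example.com`. The function names and sample name lists are constructed for illustration.

```python
"""Check which hostnames a certificate's name list covers (added example)."""

def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (exact or wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" in hostname:
        return False                      # a real hostname never contains '*'
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return pattern == hostname        # single/multi-domain entry: exact match
    # Only a lone '*' as the whole left-most label is accepted here.
    if p_labels[0] != "*" or "*" in "".join(p_labels[1:]):
        return False
    # Simplification: require at least "*.name.tld" so "*.com" is rejected.
    # Real clients also consult the Public Suffix List (e.g. for "*.co.uk").
    if len(p_labels) < 3:
        return False
    # The wildcard replaces exactly one non-empty label; the rest must be equal.
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])

def cert_covers(names, hostname):
    """Return the first certificate name that covers hostname, else None."""
    for name in names:
        if name_matches(name, hostname):
            return name
    return None

# Constructed sample name lists, one per certificate type in the list above.
SINGLE = ["www.example.com"]
MULTI = ["example.com", "www.example.com", "shop.example.net"]
WILDCARD = ["*.example.com"]

def coverage_report(names, hosts):
    """Map each hostname to True/False: is it covered by this certificate?"""
    return {host: cert_covers(names, host) is not None for host in hosts}

if __name__ == "__main__":
    hosts = ["example.com", "www.example.com", "mail.example.com",
             "a.b.example.com", "shop.example.net"]
    for label, names in (("single", SINGLE), ("multi", MULTI),
                         ("wildcard", WILDCARD)):
        print(label, coverage_report(names, hosts))
```

Running it shows that the wildcard list leaves the bare domain `example.com` uncovered, which is why a wildcard certificate usually lists the bare domain as a second name.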

SSL certificates used to be reserved for finance-related websites such as banks or online stores.  Now, they are used more and more on any site that collects personal information.  If your website is collecting user information, an SSL certificate is a must.