This guide to SSL reviews SSL encryption in general, the types of SSL certificates available today and offers insights on how to determine the best SSL for your organization.
SSL and its successor, Transport Layer Security (TLS), are security protocols used to create an encrypted link between a server and a client on the Internet, typically between a Web server and a Web browser. They are also used between e-mail servers and their clients. An encrypted link protects data being transmitted between a server and a client, such as login credentials and credit card numbers, from eavesdropping, man-in-the-middle attacks and similar threats.
Although the tools that create encrypted links are still referred to as SSL encryption tools, SSL and early versions of TLS are no longer considered secure owing to significant vulnerabilities. The best SSL approach is really one that employs TLS 1.2 (or higher), which is now the standard technology in use to create secure encrypted links.
How SSL works
To create a secure connection, the server must present the browser with an SSL certificate that a certificate authority (CA) has issued to the organization operating it. The CA is a trusted third party, and its signature on the certificate attests that the organization’s identity has been authenticated. (Anyone can create a certificate, but Web browsers check a presented certificate against their list of trusted CAs; to avoid security-related error messages, certificates must come from trusted CAs.) An SSL certificate contains the organization’s name, domain name, physical address and the certificate’s expiration date, as well as information about the CA itself.
To begin the process, an administrator must activate SSL/TLS on a Web server, create a Certificate Signing Request (CSR) file and fill out the organizational information needed for the certificate. At that time, the server creates two cryptographic keys—a private key and a public key. The public key is included in the CSR file, which ties the organization’s information to the key, and the administrator then sends the complete file to the CA. The CA validates the information in the file and issues the SSL certificate; when the administrator installs it, the Web server checks that the certificate’s public key matches its private key. (The CA never has access to the private key; it remains with the organization requesting an SSL certificate at all times.)
It’s important to note that—for the highest level of security—organizations should use 2048-bit private keys, at a minimum: Smaller bit-count keys have been cracked. Many organizations today do opt for 4096-bit keys, but be aware that some smart cards and card readers don’t yet support keys larger than 2048 bits.
Using an SSL certificate creates a trust relationship between a server and a browser. The process of creating that trust involves exchanging identity information, an SSL certificate and keys, which is referred to as the SSL handshake. When a Web browser requests a connection to a secure page on a Web server (by entering the address in the browser’s address field), the server sends a copy of the SSL certificate and public key to the browser. This step identifies the server to the browser. The browser then checks that certificate against its list of trusted CAs to verify the certificate is from a trusted party, that the certificate is valid (has not expired) and that the certificate is being used by the website for which it was issued. If the browser trusts the certificate, it sends a message back to the Web server. The server returns an acknowledgement to start the SSL-encrypted session, which means the user can then safely send confidential information across the connection to the server.
The Web browser indicates to the user that the website connection is encrypted and secure by displaying a padlock symbol in the browser and by using https in the address field. A green address bar indicates an Extended Validation SSL certificate, which is described in the next section. Some websites also display a security seal (logo) from the CA.
Organizations have a lot of options to consider when buying SSL. To determine the best SSL, they must first choose a reliable certificate provider. Some of the top commercial providers include Comodo, Symantec, Thawte, DigiCert, Entrust, GoDaddy, GlobalSign, Verizon, Trustwave and GeoTrust, but there are many others. Using a reliable CA helps ensure that an organization’s private key and SSL certificate will work properly to protect data transmitted between a client and server. Also, when a user visits a website and sees an SSL seal from a well-known entity, he or she may associate brand reputation with safety.
Three common types of certificates are single-name SSL certificates, wildcard certificates and multi-domain certificates. Single-name certificates apply to a single domain or server and are ideal for organizations with only one domain or website to protect. Wildcard certificates apply to a domain and its first-level subdomains. Multi-domain certificates enable an organization to secure several domains and sites with a single certificate. Selecting the right type of certificate depends entirely on an organization’s Web environment.
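The checks a browser performs during the handshake described above (trusted issuer, validity period, name match) applied to the single-name, wildcard and multi-domain certificate types, as an added Python example that is not part of the original guide. The certificates, the issuer name "Example Trusted CA" and the trusted-CA set are constructed for illustration, in the dictionary shape that Python's ssl.getpeercert() returns.

```python
import ssl
import time

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); none of these are real certificates.
ISSUER = ((("commonName", "Example Trusted CA"),),)
NOT_AFTER = "Jun 15 12:00:00 2030 GMT"
SINGLE_NAME_CERT = {"issuer": ISSUER, "notAfter": NOT_AFTER,
                    "subjectAltName": (("DNS", "www.example.com"),)}
WILDCARD_CERT = {"issuer": ISSUER, "notAfter": NOT_AFTER,
                 "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"))}
MULTI_DOMAIN_CERT = {"issuer": ISSUER, "notAfter": NOT_AFTER,
                     "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "example.net"))}
TRUSTED_CAS = {"Example Trusted CA"}   # stands in for the browser's root store


def name_matches(pattern, hostname):
    """RFC 6125 style DNS name match: '*.example.com' covers exactly one
    leftmost label, so it matches www.example.com but not example.com or
    a.b.example.com (the guide's 'first-level subdomains')."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    return len(labels) > 1 and labels[1:] == pattern.split(".")[1:]


def browser_checks(cert, hostname, trusted_cas=TRUSTED_CAS, now=None):
    """Return the reasons a browser would refuse the certificate during the
    handshake; an empty list means the encrypted session may proceed."""
    now = time.time() if now is None else now
    problems = []
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
    if issuer.get("commonName") not in trusted_cas:
        problems.append("issuer not in trusted CA list")
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        problems.append("certificate has expired")
    # Modern browsers match the site name against subjectAltName only;
    # the subject commonName is ignored.
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, hostname) for n in dns_names):
        problems.append("hostname %s not covered by certificate" % hostname)
    return problems


if __name__ == "__main__":
    for cert, host in ((SINGLE_NAME_CERT, "www.example.com"),
                       (WILDCARD_CERT, "mail.example.com"),
                       (WILDCARD_CERT, "a.b.example.com"),
                       (MULTI_DOMAIN_CERT, "example.net")):
        print(host, browser_checks(cert, host) or "OK")
```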
Validation is a different story. During validation, a CA verifies an applicant’s information before issuing an SSL certificate. Typical validation levels are Domain Validation (DV), Organization Validation (OV) and Extended Validation (EV). DV certificates are simply checked against the domain registry and, therefore, cannot provide assurance that a website is legitimate. For this reason, DV certificates are not recommended for commercial use. OV certificates indicate that an organization has been authenticated and is legitimate. EV certificates offer the highest level of website validation and identity assurance. With EV SSL certificates, CAs perform the most thorough check of information, including legal and operational history, identity verification, domain control and much more. This type of SSL certificate is generally more expensive than DV and OV and is used by most leading organizations.
To choose the best SSL, look for significant certificate strength. Select a provider that offers 128-bit protection at a minimum. Today, 40-bit strength is considered weak, and 112-bit ciphers, like 3DES, can be slow and are no longer in widespread use. Ideally, 256-bit protection or better is preferable, as each doubling of strength confers serious additional protection against most kinds of attack (dictionary, hashing, brute force and so forth).
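A server-side configuration that enforces the guide's recommendations (TLS 1.2 as the floor, nothing below 128 bits, no 3DES), together with an audit function that lists any enabled suite falling short, as an added example using Python's ssl module. It is not from the original guide, and the cipher string is an assumption.

```python
import ssl

# Cipher string is an assumption for this example: forward-secret AEAD suites
# only, with anonymous/NULL suites, MD5, 3DES and RC4 explicitly excluded.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!3DES:!RC4"


def make_server_context(certfile=None, keyfile=None):
    """Server-side context: TLS 1.2 is the floor (SSL 3.0, TLS 1.0 and 1.1 are
    refused) and only suites of 128 bits or more can be negotiated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    if certfile:
        # OpenSSL refuses the pair here if the certificate's public key does
        # not match the private key ("key values mismatch").
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def protocol_floor(ctx):
    """Lowest protocol version the context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def weak_suites(ctx, min_bits=128):
    """Enabled cipher suites that fall below the guide's 128-bit floor or
    still use 3DES/RC4; an empty list means the configuration passes."""
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if c["strength_bits"] < min_bits
                  or "DES" in c["name"] or "RC4" in c["name"])


def enabled_suites(ctx):
    """(name, protocol, strength_bits) for every suite the server will offer."""
    return [(c["name"], c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()]


if __name__ == "__main__":
    ctx = make_server_context()
    print("floor:", protocol_floor(ctx))
    for name, proto, bits in enabled_suites(ctx):
        print("%-32s %-8s %d bits" % (name, proto, bits))
    print("weak suites:", weak_suites(ctx) or "none")
```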
Vet companies on their customer support and warranties. Implementing the best SSL is easier today than it was years ago, but it still must be installed and managed properly to be effective. Find out if the providers on your short list provide 24/7 coverage and whether extended (for-a-fee) support is needed for priority escalation. A warranty guarantees that a certificate provider will reimburse an organization’s customers should those customers fall victim to fraudulent activity owing to an improperly issued SSL certificate.
The bottom line
Any website that collects or transmits sensitive information must be protected by the best SSL possible. Failing to do so can result in lawsuits and possible penalties should visitor data be compromised. Likewise, reputation damage can greatly impact future business. Regulations such as the Health Insurance Portability and Accountability Act and the Payment Card Industry Security Standards Council (PCI SSC) require at least TLS v1.0, but even membership, news and blog sites should use SSL certificates to protect their data. (PCI SSC requires payment card processors and third-party entities to migrate from SSL and TLS 1.0 to a secure version of TLS by June 30, 2018.)