Nowadays, the biggest and most critical concerns in the world of web business are privacy and security. Without security, there is no customer trust, and without customer trust, a web business won’t be able to go a long way. So let’s talk about SSL.
SSL is an acronym for Secure Sockets Layer – it’s a standardized protocol that provides privacy and confidentiality between two applications communicating using TCP/IP. In other words, it allows sensitive info such as credit card numbers, social security numbers and login credentials to be transmitted securely.
Why do we need SSL? Simple: without it, data sent between browsers and web servers travels in plain text, leaving you vulnerable to eavesdropping. The HTTP protocol uses SSL (as HTTPS) to secure communications between a server and the browser. Without SSL, an attacker is able to intercept all data being sent between a browser and a web server and see and use that information. Your customers won’t trust your website without an SSL certificate.
Statistically, nearly 70% of online shoppers cancel online orders because they don’t trust the transaction. An SSL certificate and a site seal are a must-have for a retail website in this age of the web. No SSL = 0 conversions.
Let’s talk about the two main purposes of SSL certificates:
1. It establishes integrity of the communication by checking the identity of the server: the browser verifies that the server’s certificate is valid, that it is being used by the website for which it was issued, and that it was issued by a Certificate Authority the browser can trust.
2. It provides the server’s cryptographic key – that key is used to encrypt all the data sent between the server and the client, to preserve and protect the data and keep it safe from any unwanted use. That way, the user’s sensitive data doesn’t get stolen and the user’s privacy is safe.
An SSL certificate is basically like an electronic ID card issued to servers by trusted authorities. Just like servers, clients can also have certificates, but unlike a server certificate, a client certificate is not mandatory for SSL communication.
What does the secure connection process look like?
When a browser attempts to access a website that is secured by SSL, the browser and the web server establish an SSL connection using a process called an SSL Handshake. It’s invisible to the user and happens instantaneously. Essentially, three keys are used to set up the SSL connection: the public, private, and session keys. Anything encrypted with the public key can only be decrypted with the private key, and vice versa. Then the session begins and 5 steps take place:
1. The Browser connects to a website secured with SSL. The Server starts identifying itself at the Browser’s request.
2. The Server sends a copy of its SSL certificate, including the public key.
3. The Browser checks the certificate root. If everything checks out, it creates, encrypts and sends back a symmetric session key using the server’s public key.
4. The Server decrypts the symmetric session key and sends back an acknowledgement encrypted with the session key to start the encrypted session.
5. Server and Browser now encrypt all transmitted data with the session key and the transaction takes place.
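The five steps above, walked through as an added Python sketch that is not part of the original article. It assumes textbook RSA with constructed toy keys (built from Mersenne primes, far too small to be secure), a made-up certificate format, and an HMAC standing in for the encrypted acknowledgement of step 4; the host names are constructed.

```python
import hashlib
import hmac
import secrets

E = 65537  # public exponent

def keypair(p, q):
    """Textbook RSA from two primes: returns (public, private) as (n, exp) pairs."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

# Constructed toy keys built from Mersenne primes: far too small for real use.
CA_PUB, CA_PRIV = keypair(2**107 - 1, 2**127 - 1)       # root the browser trusts
SRV_PUB, SRV_PRIV = keypair(2**61 - 1, 2**89 - 1)       # web server
ROGUE_PUB, ROGUE_PRIV = keypair(2**89 - 1, 2**107 - 1)  # not in the trust store

def cert_body(host, pub):
    return f"{host}|{pub[0]}|{pub[1]}".encode()

def issue_cert(host, pub, ca_priv):
    """A CA signs the binding between a host name and a public key."""
    n, d = ca_priv
    return {"host": host, "pub": pub, "sig": pow(digest_int(cert_body(host, pub), n), d, n)}

def browser_check(cert, host, trusted_ca_pub):
    """Step 3, first half: signature verifies under a trusted root and the name matches."""
    n, e = trusted_ca_pub
    body = cert_body(cert["host"], cert["pub"])
    return cert["host"] == host and pow(cert["sig"], e, n) == digest_int(body, n)

def handshake(host, cert, server_priv, trusted_ca_pub):
    """Returns the shared session key, or None if the browser aborts."""
    # Steps 1-2: the browser connects and the server sends its certificate.
    if not browser_check(cert, host, trusted_ca_pub):
        return None
    # Step 3: the browser creates a session key and encrypts it to the server's public key.
    session_key = secrets.token_bytes(16)
    n, e = cert["pub"]
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    # Step 4: the server decrypts it and acknowledges (an HMAC stands in for the encrypted ack).
    n, d = server_priv
    server_key = pow(wrapped, d, n).to_bytes(32, "big")[-16:]
    ack = hmac.new(server_key, b"server finished", hashlib.sha256).digest()
    # Step 5: both sides hold the same key only if the server owns the matching private key.
    expected = hmac.new(session_key, b"server finished", hashlib.sha256).digest()
    return session_key if hmac.compare_digest(ack, expected) else None
```

The handshake yields a key only when the certificate chains to the trusted root, names the requested host, and the server holds the private key matching the certificate.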
There are over 10 types of SSL certificates, but you should focus on the top 3:
- Wildcard certificate – enables SSL encryption on unlimited sub-domains using a single certificate, as long as the domains are controlled by the same organization and share the same name.
- Multi-domain certificate (MDC) – makes it possible to secure up to a couple of hundred domains on the same server with a single certificate. This solution is best for businesses that have multiple unique domains on a single server: it saves you money and time while securing a high level of trust and security.
- Private certificate – customers purchase their own SSL certificate and have a dedicated IP address on each server for the domain for which the certificate was purchased.
How do you choose the right SSL certificate? It depends a lot on organizational and technical concerns; every business is different. There are a few guidelines, though:
- If you have numerous custom tabs on your Facebook fan page, all on the same domain (*.domain.com), a wildcard private certificate is a great choice.
- If you have multiple businesses, go for an MDC, because you can share the same certificate with every branch on the tree. An MDC is just as secure as a private certificate. Plus, it is a whole lot cheaper per domain.
- If you’re not on a tight budget and have unique non-technical reasons, a private certificate is the way to go.
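An added example, not from the original article: a coverage check for the wildcard and multi-domain certificates described above, so a host inventory can be tested against a certificate's name list before buying or deploying it. The one-label wildcard rule follows common browser behaviour; the host names, name lists and function names are constructed for illustration.

```python
def name_matches(pattern, host):
    """True if one certificate name (exact or wildcard) covers the host name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label. Refusing patterns
        # with fewer than three labels ("*.com") is this example's conservative choice.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def uncovered_hosts(cert_names, hosts):
    """Host names from an inventory that the certificate would NOT secure."""
    return [h for h in hosts if not any(name_matches(n, h) for n in cert_names)]

# Constructed inventory and certificate name lists.
INVENTORY = ["domain.com", "www.domain.com", "shop.domain.com",
             "api.eu.domain.com", "www.other-brand.net"]
WILDCARD = ["*.domain.com"]
WILDCARD_PLUS_APEX = ["*.domain.com", "domain.com"]
MULTI_DOMAIN = ["domain.com", "www.domain.com", "shop.domain.com",
                "api.eu.domain.com", "www.other-brand.net"]

def report():
    """Uncovered hosts per certificate choice for the constructed inventory."""
    return {
        "wildcard": uncovered_hosts(WILDCARD, INVENTORY),
        "wildcard+apex": uncovered_hosts(WILDCARD_PLUS_APEX, INVENTORY),
        "multi-domain": uncovered_hosts(MULTI_DOMAIN, INVENTORY),
    }

if __name__ == "__main__":
    for kind, missing in report().items():
        print(f"{kind:14} leaves uncovered: {missing or 'nothing'}")
```

A wildcard alone leaves the bare domain, deeper sub-domains and unrelated domains unprotected, which is where a multi-domain name list is needed.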
CDNs go hand in hand with SSL
Establishing an SSL session requires multiple round-trip communications between client and server. This can result in a significant performance penalty and a poorer end-user experience. With a CDN, the negotiation between a Server and a Browser is always local to the end-user, resulting in no delay. Leveraging a CDN means fast, consistent and secure performance anywhere around the globe. Custom SSL certificates provided by CDNs are often easy to deploy. If you already have an SSL certificate, you can integrate it with a CDN. A lot of CDN providers offer SSL certificates for minimal costs or even for free.
Other than securing privacy and confidentiality, CDNs are also known for keeping websites secure from DDoS and other threats, ensuring the highest levels of customer trust and safety. Combined with fast performance, it’s a must-have for the best web experience possible.