Choosing SSL Certificates

If you operate an eCommerce website or one that stores confidential or sensitive information, you’ll probably want to pay extra attention to the way you protect your users.

In most cases, that includes applying a Secure Socket Layer Certificate (a.k.a. SSL cert or even just “cert”) to encrypt the data as it travels between systems and to provide visual cues to your users that you’re taking steps to protect their data. In this post, I’ll discuss the types of SSL certificates and why you would choose one over another.

All SSL Certificates Have Core Traits

At its core, SSL provides encryption that makes it difficult for intruders to capture data as it moves along the network. It’s likely that your first websites didn’t require SSL; but the minute a social security number, credit card number or similar sensitive data is involved, SSL is a key component of your web security strategy.

Choosing an SLL certificate is not as straightforward as we’d like it to be, though, because there are options that you need to navigate; and there are other issues beyond the simple protection of data that make one choice better than another.

Let’s start with a simple SSL certificate. The browser requests a secure page (which has https:// instead of http://), and when the request comes back, it includes a public key. The browser checks that key to make sure it’s valid and from a trusted party before sending secure data back to the web server. (I’ve dumbed it down for this description; so forgive the lack of other details that are not pertinent to the rest of our discussion.)

Basic Domain Validation SSL Certificates

The simplest of all SSL certs is a Domain Validation (DV) cert. The only thing that it validates is that you own the domain, but not that you are who you say you are. These are typically the least expensive SSL certificates and often provide a lower level of encryption (typically 256-bit to 1024-bit encryption) than more expensive certs. Use them for basic protection where your applications aren’t the type that risk phishing or fraud.

That simple certificate will run on a single domain, and it also indicates to the attentive user that his information is being protected because it shows the https in the URL. GeoTrust QuickSSL and RapidSSL are examples of DV SSL certificates, and are purchased for a specific number of years, with the price increasing based on longer terms.

Organization Validation SSL Certificates

A higher level of security is provided by Organization Validation (OV) SSL certs, because they also validate your business identity and they are encrypted at a higher level (typically 2048-bit). OV SSL certs are more expensive than DV certs and they take several days to get issued, so the certificate authority from who you’re purchasing the cert has time to verify your business before issuing the cert. You’ll need to provide business documents to that authority to get the cert issued.

OV certs are more suitable for shopping cart applications than DV certs, but still don’t provide clear visual clues for your users – although attentive or savvy users will notice https in the URL.

Extended Validation SSL Certificates

Citibank uses an EV SSL cert as signified by the green background on this IE address bar.

That’s where Extended Validation (EV) SSL certs come in. When an EV cert is applied to your web page, the user sees a green background behind the URL in his browser’s address bar, and it will identify the authority that issued the cert. This increases the level of trust of your users and decreases the likelihood of phishing scams or fraud. Some SSL providers also add benefits to EV certs, such as malware scans and warranties.

EV SSL certificates are significantly more pricy than DV or OV certificates – but are worth the extra dollars for high use ecommerce, banking or similar sites where protection is not enough. Use them when you need to ensure that your users know your site is protected. (To show that you’re protected by SSL, you can also prominently display the badges of the issuing authority for any cert, not just EV certs.)

SSL for Multiple Domains

Many organizations need SSL for multiple domains. The easiest way to do this is to purchase an SSL certificate for each domain. That also allows you to choose different types of SSL to meet your needs for each domain separately. Some issuing authorities allow you to purchase a single cert for multiple domains (say 5 or 50). This streamlines the renewal process, but doesn’t allow you to apply different types of SSL for each domain. (Typically at renewal, you’ll need to reapply each cert to your systems. Although not terribly complex, it’s more than a few minute job. So the renewal process simplification could be relevant if you have many domains.)

Wildcard SSL Certificates

Wildcard certificates are a good choice if you have subdomains that you want to protect using SSL. While a standard SSL certificate will protect a domain, it generally cannot be applied to multiple subdomains. You’d need to choose one; or you’d have to buy multiple certificates. A Wildcard domain alleviates that problem. Apply it to the main domain, and it automatically gets applied to the subdomains.

When I was setting up fundraising stores for schools & PTAs around the USA, I needed to be able to protect thousands of different subdomains – because each school was to have its own store, and we were setting each store up as a subdomain of the main URL. We couldn’t use a multiple domain cert, because we didn’t know what the subdomains would be until each school registered its own store in our system. So we used a wildcard cert on our main domain. Each time a new subdomain was registered by a school or PTA, the domain automatically inherited SSL protection from the main domain. This saved a lot of cost, and simplified our ongoing activities.

Summing It Up

SSL is a useful, and often required, technology for your website. When it’s time to purchase and apply your SSL certificate, make your choice of certificate based on the following factors, as described above: