What is a Secure Sockets Layer (SSL) Certificate?
SSL Certificates are small data files that link an encryption key to an organization’s details. An SSL certificate gets installed on a web server and creates a secure tunnel between two points. Those points could be connections to databases or other services, but are mostly visitors' web browsers. An SSL Certificate activates the padlock and the https protocol and allows secure connections from a web server to a browser. There are several types of SSL Certificates offering different levels of security.
Domain Validation Certificate
This is considered by some to be the least secure certificate. The issuing authority simply verifies that the requesting party has control over the organization’s domain. This verification is usually done by email, which is what can make it questionable. In theory, therefore, these types of SSL certificates are easier to obtain, including for bad actors. In reality, the certificate itself creates a secure connection that is equal to the other certificate types. These certificates are usually provided at no charge and, if you know the issuing authority, they are the same as any other certificate. A properly installed certificate will show https and the padlock symbol in the URL box of a web browser.
Organization Validated Certificates
The issuing authority of this type of certificate is supposed to investigate the organization requesting the certificate. This is usually done simply by contacting the owner of the organization and verifying the name, address and location. Some issuing authorities tend to skip over this step, making this no better than a Domain Validated Certificate. Once again, bad actors can easily obtain these certificates; however, the encryption is the same as the other certificates and the verification process is so minimal that they offer no more assurance than a Domain Validated Certificate. Technically, although not in all cases, humans are involved in the verification process, so this type of certificate usually carries a $100 to $300 yearly fee, and the certificate must be renewed and installed again upon expiration. This certificate will show https and the padlock symbol in the URL box of a web browser.
Extended Validation Certificate
In this instance, the issuing agent validates ownership, organization information, location and the legal existence of the organization. An additional step requires that the issuing agency verify that the organization making the request for a certificate is indeed aware of said request. Once again, there is a lot of room for bad actors to purchase domain names and have them validated, giving the appearance that a website is secure when, in fact, it is not. The actual encryption level is exactly the same as the other certificate types and offers the same technical level of security. The cost for an Extended Validation Certificate usually runs between $300 and $500 per year, and the certificate must be renewed and installed again upon expiration. An Extended Validation Certificate will show https, the padlock and a green bar in the URL area. The green bar is supposed to indicate to the visitor that the site has the maximum security available; however, most visitors are unaware of the green bar and what it stands for.
All three SSL certificates are exactly the same from an encryption and technical standpoint; they differ only in the level of verification used to research the company or individual requesting the certificate. Since an end user has no way to determine if the issuing agency actually did any verification, the type of SSL certificate that is chosen comes down to basic marketing. Studies show that most visitors simply look for the padlock prior to submitting data on a website. With that in mind, all three certificates serve that purpose and a free certificate usually is sufficient. On the other hand, if the website or application is collecting any type of private information that needs to be secured and encrypted, an Extended Validation Certificate will lend legitimacy to the website for those users familiar with current website security standards.
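The validation level is only a claim the issuer writes into the certificate, and it can be read back out. The following is an added example, not part of the original article: it assumes the certificate-policy OIDs reserved by the CA/Browser Forum for DV, OV and EV (not mentioned above), and the two sample inputs are constructed certificatePolicies extensions rather than real certificates.

```python
# CA/Browser Forum reserved policy OIDs (assumption: the issuer follows this convention).
CABF_LEVELS = {"2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV", "2.23.140.1.1": "EV"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit marks continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)           # first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def collect_oids(buf):
    """Collect every OID in a DER blob, descending into constructed types and OCTET STRINGs."""
    oids, pos = set(), 0
    while pos < len(buf):
        tag, start, end = read_tlv(buf, pos)
        if tag == 0x06:
            oids.add(decode_oid(buf[start:end]))
        elif tag & 0x20 or tag == 0x04:     # extension values are DER wrapped in OCTET STRING
            try:
                oids |= collect_oids(buf[start:end])
            except (ValueError, IndexError):
                pass                        # OCTET STRING holding raw bytes, not nested DER
        pos = end
    return oids

def validation_level(der):
    """Return the validation level(s) the issuer asserts, or ['unknown']."""
    found = collect_oids(der).intersection(CABF_LEVELS)
    return sorted(CABF_LEVELS[o] for o in found) or ["unknown"]

# Constructed samples: a certificatePolicies extension (OID 2.5.29.32) carrying one policy each.
SAMPLE_DV = bytes.fromhex("30130603551d20040c300a3008060667810c010201")
SAMPLE_EV = bytes.fromhex("30120603551d20040b30093007060567810c0101")

if __name__ == "__main__":
    print(validation_level(SAMPLE_DV), validation_level(SAMPLE_EV))
```

The same function accepts a full DER certificate, for example the output of `ssl.PEM_cert_to_DER_cert()`. The result reports what the issuer asserts, not whether the verification was actually carried out.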