
What Is a TLS/SSL Certificate

What is a Transport Layer Security (TLS) or Secure Socket Layer (SSL) Certificate?

Security certificates are small data files that bind an encryption key to an organization’s details. A certificate is installed on a web server and lets it establish an encrypted connection between two points, whether that’s connections to databases, other services, or, most commonly, a visitor’s web browser. A security certificate activates the padlock and the HTTPS protocol, allowing secure connections from a web server to a browser. There are several types of certificates offering different levels of validation.


Transport Layer Security (TLS) replaced Secure Sockets Layer (SSL) as the actual protocol in use, though the term “SSL” stuck around colloquially and is still widely used even when people technically mean TLS. SSL 3.0 (the last SSL version) was formally deprecated in 2015.

Domain Validation (DV) Certificate

This is considered the most basic level of certificate. The issuing authority verifies only that the requesting party has control over the domain, usually via email. Because of this, these certificates are relatively easy to obtain, including by bad actors. They are usually available at no charge, and the encryption a DV certificate provides is technically identical to that of the other certificate types. In years past, a properly installed certificate showed HTTPS and a padlock to indicate that a site was secure. These days, the visual indicator is only shown if a site is not secure.

Organization Validated (OV) Certificate

With this type, the issuing authority is expected to investigate the organization requesting the certificate, typically by contacting the owner to verify the name, address, and location. Some issuing authorities skip this step, making the certificate no better in practice than a Domain Validated one. Bad actors can still obtain these certificates, and the verification process offers limited additional assurance. Because human review is involved, OV certificates typically carry a yearly fee of $100–$300 and must be renewed and reinstalled upon expiration. Most browsers have moved away from displaying HTTPS and the padlock. They usually show a visual indication only if there is a problem with the site's security certificate or the site has none.

Extended Validation (EV) Certificate

Here, the issuing authority validates domain ownership, organization information, location, and the legal existence of the organization. An additional step requires verifying that the organization is aware of and has authorized the certificate request. That said, there is still room for bad actors to purchase and validate domain names, giving the appearance of security where there may be none. The actual encryption level is identical to the other certificate types. EV certificates typically cost $300–$500 per year and must be renewed and reinstalled upon expiration. Historically, EV certificates displayed a green bar in the browser’s URL area. Most browsers have moved away from displaying HTTPS and the padlock. They usually show a visual indication only if there is a problem with the site's security certificate or the site has none.

Summary

All three certificate types are technically identical from an encryption standpoint — the difference lies only in how thoroughly the issuing authority verifies the person or organization requesting the certificate. Since end users have no way to know whether that verification was actually performed, the choice of certificate largely comes down to trust signaling. Studies show most visitors simply look for the padlock before submitting data on a website, which means a free DV certificate is usually sufficient for most use cases. That said, if your website or application collects sensitive private information, an EV certificate can lend additional legitimacy for users who are familiar with current web security standards.
