Choosing An SSL Certificate

Which one is right for you? 

You have invested your time and money and worked hard to build the perfect website that clearly reflects the amazing features of all of your products. You are finally ready to launch but, you also want to ensure that when your clients go to buy one of your products, their transactions are safe and secure. You may be thinking to yourself… 

• What is the best way to secure those transactions? 
• How do I go about protecting the communication between my clients and the server during the sales process?
• Can an SSL secure my entire site?
• Which company or brand should I use?

Navigating the world of SSL’s can be daunting at best. There are a significant number of providers and a myriad of SSL options to choose from to improve your site security. Here are some of the main considerations you should take into account prior to purchasing and setting up an SSL.  

What is an SSL?

An SSL (or Secure Sockets Layer) Certificate, is a small file that digitally ties a cryptographic data file/key to a website in order to prove its validity.

HTTP vs. HTTPS

If a web site’s URL (in the browser’s address bar) begins with HTTPS, this indicates that the information that is being transferred back and forth is encrypted. If by chance a malicious actor was monitoring or intercepted your traffic in some way, they would not be able to read or utilize it at all. HTTPS and SSL go hand in hand as these features work together to not only safeguard the traffic between your client’s browser and the website, it also ensures the website they are visiting has been validated as being authenticated to the domain they are visiting.

What type of connections can an SSL secure?

SSL connections secure the transfer of data between a client and a website

• Credit card purchases from sites that offer online sales
• Banks, credit unions or other websites that deal with financial transactions
• Connections to a web or email server
• File transfers (SFTP) from your computer to a server
• Online application login (to a control panel or other password protected sites)

What level of protection do you need?    

There are a variety of SSL Certificates types that range in cost from no cost, to thousands of dollars annually. To simplify things, we will limit our choices to the following categories.     

• Extended Validation SSL  (or EV SSL)
• Organizational Validation SSL (or OV SSL)
• Domain Validated SSL’s
• Wildcard and Multi-Domain SSL’s

EV SSL   

The EV in EV SSL stands for extended validation and, as far as certificates go, these are the premium option for security and protection. This premier status does not come without a significant expenditure though; pricing for an EV SSL can range from less than $100.00 to upward of $800.00 per year in some cases for just the base certificate!  

Adding subdomains and/or addon domains can be billed at an additional cost which can increase the cost even further. The reason for this increased pricing is simple; the vetting and verification process the domain goes through in order to earn this seal of approval is significantly more intense than other types of SSL’s, hence the higher price. 

What sets these authoritative certificates apart, is the actual verification process your company will go through to obtain an EV SSL. The company issuing this authority will check to see if you meet the following criteria:

• Legal Existence and Identity of the company
• Trade/Assumed Name (the site name if different from the Company) 
• Verification of Operational Existence 
• Verification of Physical Existence 
• Verification of Domain Ownership (via a whois lookup)
• Verification of the name, title, authority, and signature (of the person(s) involved in requesting the certificate and, agreeing to the terms and conditions.)

Only after all of these criteria are met, will the certificate is issued. The advantages of an EV SSL is, you will have a widely recognized and trusted certificate that gives the users a higher level of assurance while using the services your site offers. 

OV SSL

The second type of SSL that may be used to secure a site is called an OV (organizational validated) SSL. These certificates can be a bit tricky to understand because they have multiple options available. The certificates are designed to work for a large organization that may have more than one website, domain or even multiple subdomains.  

As an example, an SSL provider may sell you an OV certificate for a single domain. If other related domains need to be covered under the OV SSL, the provider will treat additional domains/subdomains as add ons, which may increase the base cost. Let’s say you own the domain example.com, and you also want to cover shop.eample.com as well as mail.example.com and in addition, your international site example.co.uk; OV SSL’s will cover these domains as well as any related IP addresses. The resulting validation of this SSL is a green padlock in the browser address bar. 

The OV SSL will also include the Organizational details of the certificate noted within the CA (Certificate Authority) bundle. One of the drawbacks of the OV SSL is the cost of the additional addon domains that oftentimes need to be included. Additional domains prices may vary by provider and as this is an annual cost, you may need to budget additional funds to keep this certificate above the budget for all but the most hearty of organizations.

Standard Domain Validated SSL

The final type of certificate is the Domain Validated certificate. These are the basic SSL’s and can range in cost from free and up to about $50.00 or so. These certificates provide basic SSL coverage and will usually be enough for most, if not all eCommerce sites. 

There are 2 types of DV SSL’s:

• Those issued by a certifying authority (CA) such as GlobalSign or Digicert 
• Those SSL’s issued by a provider like cPanel (a comparable authority) that uses both Let’s Encrypt and AutoSSL (powered by Sectigo) 

On the surface, these certificates are identical, but there are a couple of limiting factors in each.   

The Free certificates are issued by a provider such as Let’s Encrypt which exists on the server.   They have minimal validation, primarily do a domain check which ensures the domain exists on the server that is issuing it and that DNS is pointing to that server.  Each certificate will not cover *.domain.com but, does provide coverage for any subdomains configured up to the providers limit. This feature usually costs extra from a third party provider such as GlobalSign. These SSL’s have a 90-day lifespan but will auto-renew every 3 months

With both of these SSL’s, the process, implementation, and coverage are the same. The differences here are in the expiration dates (with a purchased DV SSL will usually be a full years coverage and the additional cost) These SSL’s generally do not cover the subdomains, which can cost a bit more in add on fees.

Multi-Domain and Wildcard SSL

Lastly, Multi-Domain and Wildcard SSL are available with each of the types mentioned above and offer additional coverage for subdomains and/or multiple domains. The overall value has decreased since the introduction of services like Let’s Encrypt and AutoSSL which performs the same function at a far lower cost. 

Choosing Your SSL

In summary, SSL’s are a very cost effective way of securing how your clients connect, interact and conduct transactions on your site. Your final choice is to decide how much you and your clients will want an increased level of security and validation If you are concerned about data security, utilizing an SSL is a solid start. 

Courtesy of https://r8s.io/2e
Courtesy of https://r8s.io/2f