Choosing the right type of SSL Certificate
So, what is an SSL Certificate?
SSL Certificates, or Secure Sockets Layer Certificates, are used to create trust and privacy and to identify your business online.
They work by securing the flow of communication, through the use of encryption, between a website and internet users.
This helps to prevent MITM (Man-In-The-Middle) attacks on your data and acts as a deterrent to hackers by creating a secure connection between the browser and the server.
In order to get an SSL for your site you’ll need to have your domain registered. The CA’s (Certificate Authorities) will need to be able to verify the domain before they can provide you with a certificate.
Once you have an SSL in place, internet users can easily identify the security of your site from the padlock icon next to the URL, also known as a trust seal. Once in place, “HTTPS” (Hypertext Transfer Protocol Secure) will also prefix your URL. Having the additional “S” at the end of HTTP denotes that the site is “Secure”.
Google prioritises security and as a result, factored HTTPS as a ranking signal as of 2014. As of May 2021, Google is also updating its algorithm to include Page Experience as a key factor. This will also take HTTPS into account alongside other elements such as load speed and stability.
You can check if your current SSL Certificate is valid through CWCS. Just pop in your domain details here: https://www.cwcs.co.uk/ssl-certificate-checker/
When choosing an SSL Certificate, you should consider the following factors:
Domains – The number of domains and sub-domains you want to secure will affect the type of certificate you require.
Security – What sensitive information is processed on your site and what customer data do you capture?
Support – What level of support is offered by the SSL provider. Do they have a troubleshooting team available? Free SSL providers won’t necessarily offer round the clock support.
Price – How much do you realistically need to invest in your SSL? Certificates can be valid for varying lengths of time so this is another element to consider.
Validation – The level of validation you wish to display through the certificate and what level of information this contains.
Warranty – Does the provider have warranty with their certificates? The higher the warranty, the more you are covered. Keep in mind that you won’t get warranty with a free SSL provider.
Reputation – It’s best to obtain your certificate from reputable CA’s (Certificate Authorities).
Issuance Time – For more advanced certificates, the process will take longer as a more in-depth verification process is required – hence the higher level of trust given by these certificates.
Pros and Cons of the different types of SSL’s
FREE SSL Certificates – Let’s Encrypt
Let’s Encrypt is an open-source organisation who aim to provide a free option for website owners to secure their domains, and by extension the wider internet.
In 2015 Let’s Encrypt went through a legal battle with another SSL provider over their trademark but eventually won the case and managed to keep their name.
These are most suited to smaller businesses with a low number of web pages and who aren’t collecting data from their customers or visitors. They also work well for testing sites, blog sites and internal non-public facing sites.
Pros – Firstly, it’s free! Which is a great cost saving benefit to smaller businesses. It’s easy to install. You can automate renewals for sites by installing a plug-in for your control panel. You can benefit from a range of community support options. They also offer SAN, Subject Alternative Name, certificates to allow for multiple domain name protection.
Cons – If you haven’t installed the correct plug-in, you will need to manually renew your certificate every 3 months. It’s important to remember you don’t get a warranty with these certificates. Therefore, if there is an issue, you will not be entitled to receive compensation. You also have to bear in mind that you won’t have access to round the clock support due to it being open-source. Therefore, you may have to wait a while for troubleshooting and advice. Wildcard certificates are not available through free platforms.
Domain Verification (DV) SSL
Domain Verification SSL’s are a great option for businesses who need an SSL quickly and at little expense. DV’s require the CA’s to check that the applicant has the rights to use that specific domain name. They do this by obtaining a response from their DCV, or Domain Control Validation email. However, aside from this, no other company information is checked or verified. This means that only the SSS (Secure Site Seal) is displayed on the certificate along with the padlock icon and HTTPS.
Pros – They are issued almost immediately and you aren’t required to submit any paperwork. They also have the same browser recognition that OV’s and EV’s have, without the time implication of setup. This is also a very affordable option.
Cons – Your company information isn’t listed on the certificate itself meaning that essentially, anyone could register under your domain without actual proof of ownership.
Organisation Verification (OV) SSL
With OV SSL’s, CA’s must validate both the domain and the business before issuing the certificate. These are an elevated version of DV’s. These are ideal for e-commerce sites or sites dealing with sensitive customer data. These essentially verify that the organisation using the certificate is a registered government entity. They also check factors such as locality presence and sometimes even telephone verification.
Pros – Issued within 24 hours. Displays company information on the certificate. Offers higher bit encryption than DV’s. For e-commerce sites or sites that manage payment details, the higher the encryption, the better! OV Certificates are the only type that can be used to validate IP addresses where a domain isn’t registered.
Cons – Site visitors will have to know where to look in order to find the information. These can still take between 2 and 3 days to be issued.
Extended Verification (EV) SSL
These certificates are often used when the highest level of security is required. For example, government bodies or e-commerce sites would require EV’s to secure trust with their users.
Extended Verification requires the provider to verify the following information: that the business has officially authorised the issuance, that they have the exclusive rights to the specific domain/s, that the business’s identity matches official records and that they can verify the legal and operational existence. It will also display the country in the address bar along with the business name.
Pros – These offer increased warranty and they have a higher validation level. It’s difficult for hackers to obtain EV certificates as it’s likely the CA would notice discrepancies in the applications. EV’s have the longest certificate length options of up to two years, unlike DV’s and OV’s which only run up to a year. Having an EV shows your customers you are doing everything you can to protect their data.
Cons – For single domains, this is by far the most expensive option. The issuance time is also lengthier than DV and OV Certificates as they can take between 3 and 5 days to obtain. The process can also be delayed if any discrepancies are found within the documentation, thus requiring the business to provide further details and evidence. Google is slowly phasing out the indicators that distinguish EV certificates from others. Unfortunately, the green address bar no longer comes with EV Certificates. Research has shown that it wasn’t as effective in preventing phishing attacks as initially thought and was still subject to being copied by malicious websites.
Multi-domain SSL’s
These are designed for businesses which have multiple domains (e.g., example.com, example.net).
These types of SSL’s can also be referred to as SAN certificates as the domains themselves are listed as Subject Alternative Names. This is the best option for businesses who want to secure multiple domains they operate.
Multi-domain SSL’s can also be referred to as UCC’s or Unified Communication Certificates and you have the flexibility to amend the domain names if required.
Pros – They can cover up to 100 domain names under just one certificate. This saves money, and time, on purchasing multiple certificates. Users will have the ability to easily manage and change or move domains as required. It can be used across as many servers and IP’s as needed and most providers will offer round the clock support.
Cons – Multi-domain SSL’s are only available with DV or OV. There is a risk of downtime when certificate updates are required as the certificate must be replaced on all the sites using the certificate.
Wildcard SSL’s
Wildcard SSL’s are ideal for covering a range of sub-domains. They allow you to manage an unlimited number of sub-domains under one certificate. This is great if you have an expanding site and want the option to add more sub-domains in future. Domains can fall into two categories to make them easier to manage: sub-domains and fully-qualified domains. For example, a wildcard SSL can protect www.example.com, blog.example.com, shop.example.com, but will not protect example.com on its own.
Pros – Great for businesses who are looking to scale online as they allow for easy growth and flexibility. You don’t have to purchase multiple certificates and equally don’t have to go through the whole validation process over and over. Of course, this also saves costs on having to purchase additional certificates.
Cons – Wildcards are only available in DV and OV Certificates. There can be compatibility issues with older operating systems. They also only cover one sub-domain level so if you need different levels of sub-domains then technically you would have to purchase one of each level which would be costly. If you have multiple people managing the SSL then you would have to share private key details, which could increase security risk. It’s also worth noting that if you are using just one certificate across multiple servers then a single compromise will result in you having to re-issue all the certificates.
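The coverage rules described in the Multi-domain and Wildcard sections above, as an added example that is not part of the original article: a small Python check of which hostnames a certificate's SAN list actually covers. The function names and the example.com / example.net SAN lists are constructed for illustration, and rejecting partial wildcards is a simplifying choice made here.

```python
from __future__ import annotations

# Added illustration, not from the original article. All names are constructed.

def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.strip().lower().rstrip(".").split(".")


def san_matches(san: str, host: str) -> bool:
    """Return True if one SAN entry covers host.

    A wildcard is honoured only as the complete left-most label and
    stands for exactly one label, so *.example.com covers
    blog.example.com but neither example.com nor a.b.example.com.
    """
    san_l, host_l = _labels(san), _labels(host)
    if len(san_l) != len(host_l):
        return False  # apex or deeper sub-domain: label counts differ
    head, tail = san_l[0], san_l[1:]
    if any("*" in label for label in tail):
        return False  # wildcard anywhere but the left-most label
    if head == "*":
        # Minimal guard against patterns like *.com (a simplification;
        # real clients consult the public suffix list).
        return len(san_l) >= 3 and tail == host_l[1:]
    # Partial wildcards (w*.example.com) are rejected: a choice made here.
    return "*" not in head and san_l == host_l


def coverage_report(sans: list[str], hosts: list[str]) -> dict[str, str | None]:
    """Map each host to the first SAN entry that covers it, or None."""
    return {h: next((s for s in sans if san_matches(s, h)), None) for h in hosts}


# Constructed SAN lists for the certificate types discussed above.
WILDCARD_CERT = ["*.example.com"]
WILDCARD_PLUS_APEX = ["*.example.com", "example.com"]  # apex added as a second SAN
MULTI_DOMAIN_CERT = ["example.com", "www.example.com", "example.net"]

HOSTS = ["www.example.com", "blog.example.com", "shop.example.com",
         "example.com", "api.shop.example.com", "example.net"]

if __name__ == "__main__":
    for name, sans in [("wildcard", WILDCARD_CERT),
                       ("wildcard + apex", WILDCARD_PLUS_APEX),
                       ("multi-domain", MULTI_DOMAIN_CERT)]:
        missing = [h for h, s in coverage_report(sans, HOSTS).items() if s is None]
        print(f"{name:16} not covered: {missing}")
```

Running the same report against the list of hostnames you plan to serve shows, before purchase, whether a wildcard, a multi-domain certificate, or a combination is needed.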