Websites need SSL certificates to protect user data, verify website ownership, prevent attackers from creating a fake version of the site, and convey trust to users. Still not enough of a motivation to get an SSL certificate? Let’s take a look at a little more detail.
Table of Contents
SSL certificate and privacy
If a website asks users to log in, enter personal details such as credit card numbers, or view confidential information (e.g. health status or financial information), it is essential to keep the data confidential. SSL certificates help keep online interactions between the sender and recipient of a message containing this information private and assure users that the website is authentic and secure and a trusted place to share private information.
More relevant for businesses than for individuals who may find themselves in the situations just described, is the fact that an SSL certificate is required to have an HTTPS web address. HTTPS is the secure form of HTTP, which means that HTTPS websites have their traffic encrypted by the SSL certificate. Most browsers mark HTTP sites, those without SSL certificates, as “not secure.” This sends a clear signal to users that the site may not be trustworthy, incentivizing businesses that haven’t done so to migrate to HTTPS.
What we protect with an SSL certificate
An SSL certificate helps protect information such as:
- Login credentials
- Credit card transactions or bank account information
- Personally identifiable information, such as full name, address, date of birth, or phone number
- Legal documents and contracts
- Medical records
- Proprietary information
But of course, it’s not all plain and simple: there are different types of SSL certificates with different levels of validation. The six main types are:
- Extended Validation Certificates (EV SSL)
- Organization Validated Certificates (OV SSL)
- Domain Validated Certificates (DV SSL)
- Wildcard SSL certificates
- Multi-Domain SSL Certificates (MDC)
- Unified Communications Certificates (UCCs)
- Extended Validation Certificates (EV SSL)
Let’s look at the three most common ones.
The Extended Validation SSL Certificate is the highest category type of SSL certificate and also the most expensive. It tends to be used for high-profile websites that collect data and involve frequent online payments and require more care than the lower levels. Once installed, this SSL certificate displays the padlock, HTTPS, company name, and country on the browser’s address bar. Displaying the website owner’s information in the address bar helps distinguish the site from malicious sites and provides a very important level of reliability and transparency. To set up an EV SSL certificate, the website owner must go through a standardized identity verification process to confirm that they are legally entitled to exclusive rights to the domain. It seems trivial but not all people selling products or services online are willing to go through this expense.
Organizationally Validated SSL Certificate (OV SSL)
This version of the SSL certificate has a similar level of assurance as to the EV SSL certificate because, to obtain one, the website owner must complete a substantial validation process. This type of certificate also displays the website owner’s information in the address bar, which is useful in distinguishing it from malicious sites. OV SSL certificates tend to be the second most expensive (after EV SSLs) and their main purpose is to encrypt sensitive user information during transactions. Commercial or public websites should install an OV SSL certificate to ensure that all shared customer information remains confidential.
Domain Validated SSL Certificate (DV SSL)
The validation process to obtain this type of SSL certificate is minimal, and as a result, Domain Validated SSL certificates, provide less assurance and minimal encryption than their predecessors. They tend to be used for blogs or informational websites, i.e. sites that do not involve data collection or online payments. This type of SSL certificate is one of the least expensive and quickest to obtain. The validation process only requires website owners to prove ownership of the domain by responding to an email or phone call. The browser address bar shows only HTTPS and a padlock with no company name displayed.