
What SSL Is, and Which Certificate Type is Right for You

Lisa Kudrow
2025-02-15 12:27:13


This article is sponsored by GoGetSSL. Thank you for supporting the partners who made SitePoint possible.

The incidence of cybercrime has risen sharply over the past decade. Many well-known corporate organizations and government agencies that had not implemented adequate cybersecurity measures have suffered losses. Google has begun to take a tough stance on sites that do not use HTTPS: if a visitor is about to submit any information over an insecure connection, the browser issues a warning.

This article will guide you on how to protect customers and businesses from privacy violations and data theft. You will learn how to use SSL technology to protect your website and applications from leaking sensitive data to eavesdroppers.

This article will not explain how to install SSL, because this is an advanced topic. You can find more information about the installation process here.

Key Points

  • SSL (Secure Sockets Layer) is an encryption protocol designed to protect communications on computer networks. It is especially important for protecting sensitive information transmitted over the Internet, such as login credentials and credit card details.
  • SSL certificates are issued by a Certificate Authority (CA) to verify the identity of a website and enable secure, encrypted communication. A certificate usually contains the subject name, public key, digital signature, issuer, and validity period.
  • There are different types of SSL certificates to meet different needs, including domain validation SSL certificates, public IP SAN SSL, wildcard SSL, and multi-domain SSL certificates. The choice of a certificate depends on factors such as the number of domains and subdomains you want to protect, and whether you want to protect a public IP address.
  • Legal Entity Identifier (LEI) is a unique code used to identify any global company involved in financial transactions. It can be used to simplify and speed up the business verification process for SSL certificates.

Simple explanation of SSL

Imagine you are in a hotel room, using your laptop on the hotel's Wi-Fi, and you are about to log into your bank's online portal. Meanwhile, a malicious hacker has cleverly booked the room next to you and set up a simple station that listens to all the network traffic in the hotel building. All traffic that uses the HTTP protocol can be viewed by the hacker in plain text.

Suppose the bank's website only uses HTTP. Then form details such as your username and password are visible to the hacker the moment you press the submit button. So how do we protect this data? The answer is obviously encryption. Data encryption converts plain text into something that looks garbled, the encrypted data. To encrypt plain text you need two things: an encryption algorithm and a secret key.

Suppose you want to encrypt the following data:

<code>Come on over for hot dogs and soda!</code>

The encrypted form looks like this:

<code>wUwDPglyJu9LOnkBAf4vxSpQgQZltcz7LWwEquhdm5kSQIkQlZtfxtSTsmaw
q6gVH8SimlC3W6TDOhhL2FdgvdIC7sDv7G1Z7pCNzFLp0lgB9ACm8r5RZOBi
N5ske9cBVjlVfgmQ9VpFzSwzLLODhCU7/2THg2iDrW3NGQZfz3SSWviwCe7G
mNIvp5jEkGPCGcla4Fgdp/xuyewPk6NDlBewftLtHJVf
=PAb3</code>

With current computing power, decrypting the message above without the key would take more than a lifetime. No one can read it unless they have the same key that was used to encrypt it. This type of encryption is called symmetric encryption. Now that we know how to protect the data, we need a secure way to deliver the secret key to the recipient of the message. We can do this with an asymmetric system called public key encryption.

Public key encryption uses a pair of mathematically related keys:

  • Public key: can be shared safely with anyone
  • Private key: It must not be transmitted, it must be kept confidential.

When one key is used for encryption, only the other key can decrypt the result; a key cannot decrypt what it encrypted itself. This is what lets anyone encrypt a message with your public key that only you, the holder of the private key, can read.

However, we cannot trust any public keys sent to us, as they can be generated by anyone. To ensure the authenticity of public keys, they need to be packaged into so-called SSL certificates. This is a signed digital file containing the following information:

  • Subject name: a person, organization or machine name
  • Public key
  • Digital signature (the fingerprint of the certificate)
  • Issuer (the entity that signed the certificate)
  • Validity period (start date and expiration date)

I have only listed the required items; SSL certificates usually contain more information. Here is a real example:


As you can see, the certificate above is signed (see the Thumbprint field). A digital signature is just an encrypted hash of a file, so let's first explain what a hash is. Suppose you have a document of 100 words and you run it through a hashing program; you get a short, fixed-length hash value. If you change anything in the document, even adding a single period, running the hash function again produces a completely different value, such as:

<code>46798b5cfca45c46a84b7419f8b74735</code>

If the hash that was sent does not match the hash we generate, the file has been changed. This is the first line of defense that ensures an SSL certificate has not been tampered with. However, we also need to verify that the sent hash value was created by the issuer of the certificate. This is done by encrypting the hash with the issuer's private key. We compute a local hash of the certificate, decrypt the certificate's signature with the issuer's public key to recover the sent hash, and compare the two. If they match, it means:

  • The certificate has not been changed by anyone else
  • We have evidence that the certificate came from the issuer, because we successfully decrypted the signature using its public key
  • We can trust the authenticity of the public key attached to the SSL certificate
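The check described above (hash the certificate, decrypt the signature with the issuer's public key, compare, and also confirm the issuer is trusted and the dates are valid), as an added example that is not part of the original article. The CA key is a constructed toy built from two Mersenne primes and textbook RSA without padding, purely to make "signature = encrypted hash" visible; the certificate fields, issuer name and dates are constructed samples.

```python
import hashlib
import json

# Toy RSA key for the issuing CA, built from two Mersenne primes (constructed for
# this example; a real CA uses a randomly generated 2048-bit+ key and proper
# signature padding, which this deliberately simple version omits).
P, Q = 2**127 - 1, 2**107 - 1
N = P * Q                           # about 2^234, so a 224-bit SHA-224 digest fits below it
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)
ISSUER_PUBLIC_KEY = (E, N)
ISSUER_PRIVATE_KEY = (D, N)

# The browser's pre-installed list of trusted issuers: issuer name -> public key
TRUST_STORE = {"Example Root CA": ISSUER_PUBLIC_KEY}

def cert_digest(cert):
    """Hash every field except the signature, in canonical order (the 'to-be-signed' data)."""
    tbs = json.dumps({k: v for k, v in cert.items() if k != "signature"}, sort_keys=True)
    return int.from_bytes(hashlib.sha224(tbs.encode()).digest(), "big")

def sign_cert(cert, private_key):
    """The signature is the digest 'encrypted' with the issuer's private key."""
    d, n = private_key
    return dict(cert, signature=pow(cert_digest(cert), d, n))

def verify_cert(cert, trust_store, today):
    """Returns None if the certificate is acceptable, otherwise the reason it fails."""
    public_key = trust_store.get(cert["issuer"])
    if public_key is None:
        return "issuer is not in the trust store"
    if not cert["not_before"] <= today <= cert["not_after"]:   # ISO dates compare as strings
        return "certificate is expired or not yet valid"
    e, n = public_key
    sent_hash = pow(cert["signature"], e, n)     # decrypt the signature with the issuer's public key
    if sent_hash != cert_digest(cert):            # compare with the hash we computed locally
        return "signature does not match certificate contents"
    return None

def demo():
    """Constructed sample: a valid certificate, a tampered copy, and the same cert after expiry."""
    cert = sign_cert({"subject": "www.example.com", "public_key": "sample-subject-key",
                      "issuer": "Example Root CA",
                      "not_before": "2019-09-01", "not_after": "2021-09-01"}, ISSUER_PRIVATE_KEY)
    tampered = dict(cert, subject="login.example.net")   # contents changed, old signature kept
    return (verify_cert(cert, TRUST_STORE, "2020-01-01"),
            verify_cert(tampered, TRUST_STORE, "2020-01-01"),
            verify_cert(cert, TRUST_STORE, "2022-01-01"))

if __name__ == "__main__":
    print(demo())
```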


Now, you may be wondering where we get the issuer's public key and why we should trust it. The issuer's public key is pre-installed in our operating system and browser. The issuer is a trusted certificate authority (CA) that signs certificates according to the official CA/Browser Forum guidelines and NIST recommendations. Your Microsoft operating system, for example, ships with a list of trusted issuers/CAs, and smartphone and tablet operating systems and browsers have similar lists preinstalled.

According to a survey conducted by W3Techs in May 2018, the following authorities account for approximately 90% of valid certificates issued worldwide:

  • IdenTrust
  • Comodo
  • DigiCert (which acquired Symantec's certificate business)
  • GoDaddy
  • GlobalSign

Now that you have learned about encryption and SSL technology, let's review how you can securely log into the bank portal over HTTPS without having your traffic read by the hacker next door.

  1. Your laptop's browser first requests the bank server's SSL certificate.
  2. The server sends it. The browser then checks whether the certificate is genuine by validating it against its trusted CA list. It also checks that the certificate has not expired and has not been revoked.
  3. If all checks pass, the browser generates a new secret key (also known as the session key), encrypts it with the public key found in the SSL certificate, and sends it to the server.
  4. The server uses its private key to decrypt the session key.
  5. From now on, all communication back and forth is encrypted with the session key. Symmetric encryption is used here because it is much faster than asymmetric encryption.

This means that form data sent from the laptop and HTML data returned by the server are encrypted with a key the hacker does not have. What appears in the captured traffic log is just garbled letters and numbers. Your information is now protected from snooping eyes.

Now that you understand how SSL works in general, let's move on to the next section to learn about the different types of SSL certificates we can use.

SSL type

Domain Verification SSL Certificate

Domain validation is the most affordable and common type of SSL certificate; it can be issued to anyone to protect a website on a public domain. To purchase this type of SSL certificate, you need to prove that you own the domain you want to protect. That is why it's called domain validation. Ownership is proven in one or more of the following ways:

  • Create a DNS TXT record
  • Reply to an email sent to the contact address registered in the domain's WHOIS record
  • Reply to an email sent to a well-known administrative contact in your domain (such as admin@domain.com)
  • Publish a random token provided by the automated certificate-issuance system

As of September 2019, Google Chrome is the most popular web browser, accounting for about 70% of the global desktop browser market share. Google has recently strengthened its stance, pushing site owners to enforce security protocols that protect end users' privacy. Unprotected websites are marked as not secure, and users who try to submit forms to unprotected sites are strongly advised not to. If a website's SSL certificate expires or is invalid, the website is temporarily blocked.

If you don't want to lose valuable traffic because your website is not protected, you need to make sure you get at least a domain-verified SSL certificate. It only takes 5-8 minutes to obtain a certificate.

Public IP SAN SSL

SSL certificates are usually used to protect fully qualified domain names, such as www.domain.com. If you want to protect a public IP address, you need a public IP SAN SSL certificate. SAN stands for Subject Alternative Name, a certificate field that can hold an IP address.

Wildcard SSL

A normal SSL certificate covers only a single name, such as www.domain.com. If you want to protect a subdomain, you must purchase a new SSL certificate for it. Instead of buying a new SSL certificate for each subdomain you manage, you can simply buy a wildcard SSL certificate, which works for all your subdomains, i.e. *.domain.com. It is more cost-effective than buying multiple SSL certificates, and a single certificate is also easier to manage.

However, because all the subdomains share the same certificate and private key, if one subdomain is compromised, every subdomain using that certificate is compromised too. You will need to revoke it and request a new certificate. If you don't want to face this problem, you can purchase separate certificates instead.

Multi-domain SSL certificate

As the name implies, you can purchase a multi-domain SSL certificate, which can protect up to 250 domains and subdomains. This type of certificate is especially useful for protecting hundreds of office communication servers that may span different geographical areas. Even if the traffic is limited to the company's network, it's best to use SSL for protection, as rogue employees can easily monitor and record everyone's traffic.
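The difference between the single-name, public IP SAN, wildcard and multi-domain certificates above comes down to which names in the certificate's SAN list match the host being visited. The following is an added example, not code from the original article, of that matching logic; it assumes the common browser rules that a wildcard stands for exactly one whole DNS label, only in the leftmost position, and never covers the bare domain. The SAN lists are constructed samples.

```python
import ipaddress

def name_matches(cert_name, hostname):
    """True if a SAN dNSName entry (possibly '*.domain.com') covers the hostname."""
    cert_name, hostname = cert_name.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" in cert_name and (not cert_name.startswith("*.") or cert_name.count("*") > 1):
        return False                          # only a single leading wildcard label is accepted
    cert_labels, host_labels = cert_name.split("."), hostname.split(".")
    if cert_labels[0] == "*" and len(cert_labels) < 3:
        return False                          # '*.com' must not cover every .com site
    if len(cert_labels) != len(host_labels):
        return False                          # '*' matches one label: not 'domain.com', not 'a.b.domain.com'
    return all(c == "*" or c == h for c, h in zip(cert_labels, host_labels))

def cert_covers(san_entries, target):
    """san_entries: list of ('DNS', name) or ('IP', address); target: a hostname or IP literal."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None and kind == "IP" and ipaddress.ip_address(value) == ip:
            return True                       # public IP SAN certificate case
        if ip is None and kind == "DNS" and name_matches(value, target):
            return True
    return False

# Constructed sample SAN lists for the certificate types discussed above
SINGLE_NAME = [("DNS", "www.domain.com")]
PUBLIC_IP_SAN = [("DNS", "www.domain.com"), ("IP", "203.0.113.10")]
WILDCARD = [("DNS", "*.domain.com")]
MULTI_DOMAIN = [("DNS", "domain.com"), ("DNS", "www.domain.com"), ("DNS", "mail.example.org")]

if __name__ == "__main__":
    for label, san in [("single", SINGLE_NAME), ("ip-san", PUBLIC_IP_SAN),
                       ("wildcard", WILDCARD), ("multi", MULTI_DOMAIN)]:
        for host in ["www.domain.com", "shop.domain.com", "domain.com", "a.b.domain.com", "203.0.113.10"]:
            print(f"{label:9} {host:16} {cert_covers(san, host)}")
```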

Easy business verification with LEI code

Since 2019, organizations worldwide can be verified using LEI (Legal Entity Identifier) codes. This simplifies and significantly speeds up the verification process. Enterprises can obtain an LEI code through an official GLEIF registration agency.

Legal Entity Identifier (LEI) is a unique code used to identify any global company involved in financial transactions. This process is carried out in accordance with international standard ISO 17442. The goal is to help monitor and measure systemic risks and effectively and inexpensively support compliance with regulatory reporting requirements.

Summary

I hope you now have enough information to decide which SSL certificate to purchase. Please note that an SSL certificate is valid for only two years. This is a security feature that ensures the information on the certificate stays up to date, and that a lost key cannot be used to intercept traffic indefinitely. Free SSL certificates are usually valid for 90 days. If you want to make sure you don't forget to renew, you can get a 3-year or 4-year subscription plan. Note that the two-year limit still applies: you will be contacted at the end of each validity period to replace the certificate with a new one. The advantage of a longer subscription plan is that it saves money compared to annual purchases.

SSL FAQ

What is SSL? SSL (Secure Sockets Layer) is an encryption protocol designed to provide secure communication on a computer network. It is usually used to protect data transfer between user's browser and website server.

Why is SSL important? SSL is important for protecting sensitive information transmitted over the Internet, such as login credentials, credit card details, and other personal data. It encrypts data to prevent unauthorized access and eavesdropping.

What is an SSL certificate? An SSL certificate is a digital certificate that is used to verify the identity of a website and enable secure, encrypted communication. It is issued by a Certificate Authority (CA) and contains information about the certificate holder.

How do I get an SSL certificate for my website? To obtain an SSL certificate, you can purchase one from a Certificate Authority (CA), or use a free certificate from a trusted CA such as Let's Encrypt. Once you have obtained the certificate, you need to install it on your web server.

What is HTTPS? HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP. It uses the SSL/TLS protocol to encrypt data transmitted between the user's browser and the website server. Websites using HTTPS display a lock symbol in the address bar.
