SSL Certificates Explained
Are you confused about SSL certificates? Do you need one? What do they cost?
This article builds on the previous article Internet Terminology for Beginners.
What do SSL Certificates do?
Put simply, an SSL certificate associated with your website will allow it to display a padlock symbol on your website indicating that it is secure. It allows the web address to be accessed using https://.... rather than http://...
Normally, traffic sent over the Internet is sent in clear text. This means that it is possible for unscrupulous third parties to intercept that traffic and see what is being transmitted. Normally, this doesn't matter - if all they are seeing is the latest weather forecast being downloaded from the Met Office web site, for example. But if that information contained your credit card details, or even your user id and password to login to your email account, then if someone else were to see that traffic, the consequences could be very serious.
An SSL certificate allows data to be encrypted whilst it is transmitted to and from your website and your customer's browser. This prevents the information being seen by anyone else whilst it is travelling across the Internet.
Once I have an SSL Certificate, are all of my Web Pages Secured?
Encrypting your web pages is only strictly necessary on pages that submit sensitive information (such as a login page or a checkout).
In late 2015, however, Google and Mozilla decided that, as the devices typically running web browsers become powerful enough to cope with the overhead of encrypting and decrypting web pages without a noticeable overhead, there was no longer a good reason not to encrypt every page on a site. As a result, Google started giving some extra weighting to sites that operated in https mode throughout.
So, whether all of your web pages are secured or just those that submit sensitive information will largely depend on the age of the site. For example, all sites built by axisfirst since early 2016 have operated in https mode throughout.
What is an EV SSL Certificate?
A standard EV certificate does nothing except encrypting the data between the website and the browser. An EV SSL certificate additionally provides some reassurance to the customer that the website that they are dealing with belongs to the organisation that it claims to.
In essence, anyone can register any domain name that is available and once you own that domain name, you can register a standard SSL certificate.
In order to register an EV SSL certificate, however, you must also prove that you are the legal entity that the website purports to be. An EV SSL certificate does nothing more than a standard SSL to protect the data in transit between the browser and the website - it's sole additional purpose is to reassure your customers that you are who you claim to be.
This is achieved by requiring anyone attempting to register an EV SSL certificate to provide more information on their organisation.
How Does My Customer Tell That I have an EV SSL Certificate?
The value of EV SSL certificates used to be minimal, as the general public was not aware of them. The latest incarnations of most popular web browsers do now, however, show them differently and this now means that EV SSL certificates are beginning to carry more weight.
Google Chrome, for example, will show a standard SSL certificate like this:
whilst an EV SSL certificate is shown like this:
Is There An Additional Cost for EV SSL?
Yes. EV SSL certificates are significantly more expensive because of the additional administrative steps that the issuing authorities must go through to validate that the applicant is who they say they are. Retail (B2C) websites in particular, however, should seriously consider the benefits to be had from the additional reassurance that they offer their customers.