Not all Security Certificates are equal
Giving our website visitors assurance that any interaction between them and our websites is secure is paramount in earning their trust – especially in this digital age.
Most of us will have protected our websites – and any other publicly available resources – using a Security Certificate, commonly known as an SSL Certificate.
When you have one of these certificates on your web servers, that familiar small padlock is displayed in the browser's address bar, giving visitors a visual indicator that the content from the website is being suitably encrypted during transmission.
Not all Security Certificates are the same, though; when you research SSL certificates online, you will see that there are different types with different validation levels.
For example, Domain Validation, Organisation Validation, and Extended Validation SSL certificates all offer the same level of encryption, but the validation requirements differ.
It is important to be familiar with the different types of SSL certificates so that you can get the right certificate for your website. This article explains the differences between the various types of SSL certificates available in the market.
Domain Validated certificates
A Domain Validated SSL Certificate (DV SSL) comes with up to 256-bit encryption and is compatible with 99.9% of web and mobile browsers. Website owners who only wish to validate their domains should adopt domain validated (DV) SSL certificates. A single Domain SSL certificate (DV SSL) can secure both www and non-www domain versions.
The validation process for a domain validated (DV) certificate is simple. Here, the user only needs to prove ownership of the domain to the certificate authority (CA). The CA can ask for email verification or can check the domain registrar's records to validate the domain.
Who should buy Domain Validated (DV) SSL?
Small or medium-sized website owners who only wish to encrypt their domain should buy a DV SSL certificate. Compared with organisation validated (OV) and extended validated (EV) SSL certificates, the price of a domain validated (DV) certificate is much lower, and even free if you visit //letsencrypt.org/.
Organisation Validated certificates
An Organisation Validation (OV) SSL certificate is a higher-assurance certificate that validates a company, business or organisation as well as its domain. Its main purpose is to encrypt a website so that both the business's and the user's sensitive information, used in transactions, is protected.
It comes with a 2048-bit signature and 256-bit encryption. It also displays the name of the organisation in the site seal, a trust indicator that shows the business is legitimate and assures visitors that the information they share remains confidential. This increases customers' confidence and therefore improves the business's conversion rate.
Compared with the Domain Validated (DV) SSL, organisation validated (OV) SSL is more trustworthy for online businesses.
To get an OV certificate from the certificate authority (CA), the organisation needs to submit its business documents to the CA. The types of document required depend on the CA. If the CA finds the documents in line with its requirements, it approves the request and issues the certificate.
Before verifying the documents, however, the CA verifies that the organisation owns the domain. For domain verification the CA can use email verification, file-based verification, or check the domain registrar's records directly.
Who should Buy OV SSL Certificate?
You should definitely go for an OV certificate if you run an online business that involves collecting sensitive information from your users. Social networking platforms, banking platforms, Facebook games and apps, Firefox add-ons and Google Chrome extensions are all strongly recommended to use OV certificates for security purposes.
Most certificate authorities (CAs) offer OV certificates with an unlimited number of server licences, so the certificate can be installed on any number of servers and reissued any number of times.
Extended Validated certificates
Extended Validation (EV) SSL certificates offer a high level of safety and security, which ultimately enhances customer confidence. An EV certificate can provide an advanced level of protection against phishing attacks, email fraud and other cyber-attacks.
It displays the business name alongside the URL in the browser's address bar, which shows users that the business is genuine and has been verified by a trusted certificate authority (CA).
The validation process for EV certificates is stricter and takes longer than for DV and OV certificates. Generally, a CA will first verify the business domain by checking the domain registrar's records. After that, the CA will ask the buyer to submit the business documents.
If the documents pass the EV validation guidelines, the CA approves the certificate request and issues it immediately. The document requirements may differ from one CA to another.
Note: As EV SSL Certificate deals with Business validation, an individual user is not eligible to be issued an EV certificate.
Who should Buy EV SSL Certificate?
Businesses that handle users' payment details, sensitive information and the like should apply for an EV certificate. Web security experts recommend EV certificates for e-commerce, banking, social media, health care, government and insurance platforms. Not only large organisations but also small and medium-sized businesses can be issued EV certificates, provided they have all the documents that the CA's guidelines require.
OK, I’ve got my certificate, now what?
Once you have chosen which type of certificate you want and purchased it, you now need to install the certificate on your web server.
You can just install the certificate and forget about it (until renewal, that is!), but that's not a good plan!
The certificate only gives you the security it promises if your web server is configured properly.
Earlier in this article we said that certificates are often referred to as SSL certificates; this is because they relied on the SSL (Secure Sockets Layer) protocol when they were first introduced in 1994.
Unfortunately, there are major vulnerabilities in SSL, and the use of version 3 of the protocol has been deprecated since 2015. A more secure protocol called TLS (Transport Layer Security) was first introduced in 1999 as an upgrade to SSL v3. Any version of TLS is more secure than any version of SSL, but even the early versions of TLS are now insecure. Confused yet?
TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms, and they contain security vulnerabilities that may be exploited by attackers.
The industry is working to deprecate support for TLS 1.0 and 1.1: Google, Microsoft, Apple and Mozilla have all announced that their browsers will no longer support TLS 1.0 and 1.1 as of March 2020.
So it goes without saying that your web servers should be configured to support only the latest versions of TLS (1.2 and 1.3).
If you already have a Security Certificate, you can test it and your server's TLS configuration by visiting //www.ssllabs.com/ssltest/. This will analyse your certificate and highlight which protocols are enabled and responding to requests. You can use the output of this report to reconfigure your web server so that only the most recent and secure protocols are available.
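As an added example (not from the original article), here is a small Python check that audits the `ssl_protocols` directive in an nginx configuration and reports which deprecated protocol versions are still enabled, alongside the hardened directive that leaves only TLS 1.2 and 1.3 on. The nginx config it scans is a constructed sample; the same check can be run over your own config file.

```python
import re

# Versions the article says to keep (TLS 1.2/1.3) versus the deprecated ones.
ALLOWED = {"TLSv1.2", "TLSv1.3"}
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
FIX = "ssl_protocols TLSv1.2 TLSv1.3;"

# Matches an nginx "ssl_protocols <versions>;" directive at the start of a line.
SSL_PROTOCOLS_RE = re.compile(r"^[ \t]*ssl_protocols[ \t]+([^;]+);", re.MULTILINE)


def audit_nginx_config(config_text):
    """Return one finding per ssl_protocols directive found in config_text.

    Each finding records the enabled versions, the deprecated ones among them,
    anything unrecognised, whether the directive is acceptable, and the fix.
    If no directive exists at all, a single finding flags that the nginx
    default applies (older nginx releases enable TLSv1 and TLSv1.1 by default).
    """
    findings = []
    for match in SSL_PROTOCOLS_RE.finditer(config_text):
        enabled = match.group(1).split()
        deprecated = [p for p in enabled if p in DEPRECATED]
        unknown = [p for p in enabled if p not in DEPRECATED | ALLOWED]
        findings.append({
            "line": config_text.count("\n", 0, match.start()) + 1,
            "enabled": enabled,
            "deprecated": deprecated,
            "unknown": unknown,
            "ok": not deprecated and not unknown,
            "fix": FIX,
        })
    if not findings:
        findings.append({"line": None, "enabled": [], "deprecated": [], "unknown": [],
                         "ok": False, "fix": FIX,
                         "note": "no ssl_protocols directive; nginx default applies"})
    return findings


# Constructed sample config: one weak server block and one hardened one.
SAMPLE_CONFIG = """\
server {
    listen 443 ssl;
    server_name legacy.example.com;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 443 ssl;
    server_name hardened.example.com;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

if __name__ == "__main__":
    for f in audit_nginx_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: {'OK' if f['ok'] else 'WEAK'} enabled={f['enabled']} "
              f"deprecated={f['deprecated']}" + ("" if f["ok"] else f"  -> use: {f['fix']}"))
```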
What does this mean to visitors to my website?
We can’t sugar-coat this! In short, if your visitors are using an old browser that does not support the latest security protocols, they will not be able to connect to your website. This really shouldn’t be an issue, as the percentage of users worldwide on unsupported browsers is incredibly low (less than 3% at most). The following is a guide to which common operating systems DO NOT support TLS 1.2:
· Android 4.3 and below
· macOS 10.6 and below
· iOS 8 and below
· Windows 7 (without TLS 1.2 patch) and below
What’s the main reason for this?
This change has been mandated by the PCI Security Standards Council, the organisation that oversees security standards related to online payments. They have stated “SSL has been removed as an example of strong cryptography in the PCI DSS, and can no longer be used as a security control after June 30, 2016.”
In their latest PCI-DSS policy, SSL protocol version 3.0 or earlier, as well as early TLS versions, will not be considered “strong cryptography.” The reason for disabling SSL 3.0 and early TLS by the PCI Security Standards Council is to protect against recent vulnerabilities such as the POODLE exploit.