What happens when a client connects to an SSL-secured Web site? First, the browser connects to the web server and asks for its certificate, in order to verify that the server can offer an SSL-secured connection. The server answers with a copy of its SSL certificate, which the browser checks for validity. If the certificate is valid, the browser sends a message to the web server that it is ready to perform the SSL handshake.
Not all SSL certificates are the same. Some offer basic security like data encryption, while others offer more security properties, like authentication. In this post I will explain the different types of SSL certificates.
Self-signed certificates can be issued by anybody, so there is no chain of trust. The certificate has been signed by itself (imagine printing your own driver’s license). The web browser will then issue a warning, telling you that the certificate cannot be verified. These kinds of certificates are useful only for testing or development environments, where data security is not essential. An example of a self-signed certificate looks like this:
In terms of data confidentiality, these certificates are as effective as any others, because they provide encryption. The problem is that you don’t know if the company that issued this certificate really is who it claims to be. You cannot verify that you received the certificate from the right entity. Consequently, an attacker might forge their own certificate and present it to you, carrying out a man-in-the-middle attack.
That is why you should not use self-signed certificates in production environments, as your visitors will not trust your web site to be safe.
Domain validated (DV) certificates are issued based on proof of control over a domain name. In most cases, that means sending a confirmation email to one of the approved email addresses. If the recipient approves, then the certificate is issued. These certificates offer basic encryption, are cheap and relatively quick to obtain. An example of a DV certificate looks like this:
A step up from DV certificates, Organization validated (OV) certificates allow a company’s information to be checked through a secure site seal. The validation procedure is stricter than for Domain Validated certificates, checking both that the applicant has the right to their domain name and that they are a legitimate business. This in turn provides greater trust between the website operator and end user. These certificates are more expensive than DV ones.
Visually, in the browser bar, OV certificates are identical to DV certificates. However, an OV certificate also comes with a site seal that includes additional information that is more trustworthy to the user. The advantage of this certificate over a DV certificate is that it not only encrypts data, but also provides a certain level of trust about the company or organization that owns the website.
Extended validated (EV) certificates also require identity and authenticity verification, but with even stricter requirements. They were introduced to address the lack of consistency in OV certificates. They offer a greater degree of authentication and inspire a greater level of trust, so it’s no surprise that the validation procedures are extensively documented. The reason behind this is that hackers usually go after high profile domain names. Because of this, Certificate Authorities refuse to issue certificates for them without careful and manual confirmation. Unlike DV certificates that can be quickly obtained, it can take days or even weeks to obtain an EV certificate.
These certificates are much more expensive, but you will get the most trusted symbol on the internet: the green address bar, along with a dynamic site seal and the business’s name. An example of such a certificate looks like this:
The table below compares the existing types of certificates and the level of security guaranteed by each one.
|Type||Cost||Issuance Time||Encryption||Business vetting||next to URL|
|Self Signed||Free||0-1 minutes|
|DV||5-10 $||1-5 minutes|
|OV||30-50 $||1-2 days|
|EV||100-500 $||1-10 days|
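The differences between these types also show up in the certificate's subject fields. The following Python function is an added example, not code from the original post: it applies a heuristic based on the CA/Browser Forum subject-field rules (a DV certificate carries no organization name, an EV certificate adds business category, registration number and jurisdiction) to the dictionary layout returned by `ssl.SSLSocket.getpeercert()`. The function names and the sample certificates are constructed for illustration.

```python
# Added example: heuristic classification of a certificate's validation level.
# Input is the dict shape returned by ssl.SSLSocket.getpeercert().
# Function names and all sample certificates are constructed for illustration.

# EV certificates must carry these subject attributes (CA/Browser Forum EV rules).
EV_REQUIRED = {"businessCategory", "serialNumber"}
# Older OpenSSL builds report the jurisdiction country by its raw OID.
EV_JURISDICTION = {"jurisdictionCountryName", "1.3.6.1.4.1.311.60.2.1.3"}

def flatten(name):
    """Turn getpeercert()'s tuple-of-RDNs into a list of (field, value) pairs."""
    return [pair for rdn in name for pair in rdn]

def classify(cert):
    """Return 'self-signed', 'DV', 'OV', 'EV', or 'unknown' for an empty dict."""
    if not cert:                      # getpeercert() gives {} if nothing was validated
        return "unknown"
    subject = flatten(cert.get("subject", ()))
    issuer = flatten(cert.get("issuer", ()))
    fields = {key for key, _ in subject}
    # Same subject and issuer means self-issued; a full check would also
    # verify the signature against the certificate's own public key.
    if subject and subject == issuer:
        return "self-signed"
    if "organizationName" not in fields:
        return "DV"                   # only control of the domain was validated
    if EV_REQUIRED <= fields and fields & EV_JURISDICTION:
        return "EV"
    return "OV"

def name(*pairs):
    """Build a constructed subject/issuer in getpeercert() layout."""
    return tuple(((key, value),) for key, value in pairs)

CA = name(("organizationName", "Example CA"), ("commonName", "Example Issuing CA"))
ORG = [("countryName", "US"), ("organizationName", "Example Corp")]
SAMPLES = {
    "self-signed": {"subject": name(("commonName", "dev.example.test")),
                    "issuer": name(("commonName", "dev.example.test"))},
    "DV": {"subject": name(("commonName", "blog.example.test")), "issuer": CA},
    "OV": {"subject": name(*ORG, ("commonName", "www.example.test")), "issuer": CA},
    "EV": {"subject": name(("businessCategory", "Private Organization"),
                           ("jurisdictionCountryName", "US"),
                           ("serialNumber", "0000000"), *ORG,
                           ("commonName", "shop.example.test")), "issuer": CA},
}

if __name__ == "__main__":
    for expected, cert in SAMPLES.items():
        print(f"{expected:12} -> {classify(cert)}")
```

The authoritative marker of the validation level is the certificate policy OID in the certificate's extensions, which the `getpeercert()` dictionary does not expose, so treat the result as an indication only.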
I hope that this post gave you a better understanding of the existing types of SSL certificates and that it helps you make the right choice when choosing one for your business. The certificate you choose to purchase depends entirely on your needs. If you provide e-commerce services and collect sensitive user information, then an EV certificate is essential in order to maintain a trusted communication with your clients. On the other hand, if you’re running a small blog, a DV or OV certificate should be enough.