SSL: What is it? Do I need it?
SSL (Secure Sockets Layer) is the industry standard for securing the link between two computers, usually a client and a server. SSL and its successor TLS (Transport Layer Security) are therefore the obvious first choice, but do you really need them? And when should you use them?
Notice: I will use TLS and SSL interchangeably.
What is SSL?
Before we dive in, let's talk briefly about what SSL is. SSL is a protocol that adds a security layer underneath other services; its most common use is with HTTP, which becomes HTTPS. The S stands for Secure: the HTTP traffic runs over SSL (today, over TLS). Using TLS instead of SSL does not change the name; it is always HTTPS. The structure of TLS is rather complicated for beginners and can be hard to follow even for intermediate users, but it is a fundamental of security, so let's strip the concepts to the bone. To use SSL a server needs a certificate, and for a certificate to be trusted by clients it must be signed by an authority those clients trust. So, to secure your website (you are only securing the link, not the site itself) you first need to create a certificate. That starts with generating a private/public key pair and using it to create a Certificate Signing Request (CSR): the CSR carries the public key and is signed with the private key, which never leaves your server. Creating the CSR you will have to answer a few simple questions like:
- What is the domain the certificate will be valid for?
- Who is the person/organization responsible?
- Which country is that person or organization based in?
This information is publicly visible in the resulting certificate, and changing any of it means requesting a new certificate. Once you have generated the CSR, the next step is submitting it to a Certificate Authority (CA). A CA is an organization that uses its own private/public key pair to sign certificates; a client that trusts the CA's public key will then accept the certificates that CA has signed.
Beware: trust is a subjective matter, and a certificate authority may or may not be trusted from your point of view. CAs are trusted by browsers and operating systems worldwide because they adhere to strict, audited standards; however, a compromised or negligent CA can sign a certificate for your domain for somebody else, and every client that trusts that CA will accept it, which voids the purpose of SSL.
When should I use SSL/TLS?
Many think that SSL should be used everywhere and always to protect users' privacy. Others think that only pages containing forms or sensitive information should use SSL. The real answer is a question: how much do you care? Would you mind if someone knew you were reading this page (and could read it too)? If so, SSL is needed. Imagine you had your bank statement in front of you: you would want it protected so that nobody else could read it, right? So SSL should also be used when sending login credentials, credit card numbers, private communications and so on. TLS done properly also ensures you are connecting to the right server, which avoids identity problems: without it, a thief could disguise himself as someone you would lend money to, and you would not even know you were lending money to a thief. As a matter of fact, eCommerce sites, banks, hospitals and the like should always use SSL.
If you decide to buy a certificate from a Certificate Authority you will probably face different types of certificates at different prices. Let's list some:
- Domain Validation (DV): This certificate proves only that the requester controls the domain name (the CA typically checks this through a DNS record, a file served over HTTP, or an email to a domain contact); it says nothing about who is behind the site.
- Organization Validation (OV): A DV certificate is issued almost automatically, without human checks. An OV certificate, on the contrary, assures (if you trust the CA) that the organization named in the certificate legally exists and controls the domain.
- Extended Validation (EV): The top tier is EV, once known as the Green Bar because browsers used to display the organization's name in a green address bar. EV certificates are issued under the CA/Browser Forum's Extended Validation guidelines, which require the CA to verify the applicant's legal existence, identity and authority to request the certificate. This extensive validation makes the certificate more trustworthy and also more expensive. Note that the major browsers have since dropped the green bar, so the EV details are now only visible in the page-info panel rather than as an indicator users notice.
To add complexity there are also multi-domain and wildcard certificates, which can be combined with these validation levels (wildcards are not permitted for EV, though). A multi-domain certificate lists several explicit names as Subject Alternative Names, whilst a wildcard such as *.example.com covers every direct sub-domain of example.com (but not example.com itself, which must be listed separately, nor deeper names like a.b.example.com).