How to choose an SSL certificate

All about SSL certificates. What features they offer and how to choose the best one for your website.

Introduction

SSL and TLS are two cryptographic protocols that allow us to maintain secure HTTP connections between client and server over HTTPS.

The security of the transmission comes from a key pair: a public key, which is distributed to the client, and a private key, which remains on the server. In this way, and at no cost, client and server can communicate so that no one who intercepts the transmission along the way can decrypt it.

So why are there companies selling certificates? There is an explanation. Although the data is transmitted securely, nothing ensures that you are sending it to whom you think you are. For example, through DNS or the hosts file, a domain can be made to point to a different IP address, substituting the identity of the server.

For this reason, CAs (Certificate Authorities) issue paid certificates to validate, as a neutral third party, that the server to which data is being sent is who it claims to be.

Everything is based on trust. Browsers and operating systems ship with a copy of these CAs' certificates and check the server's certificate against them when initiating a secure connection. Therefore, a certificate from an untrusted company cannot be validated in the browser, and the padlock in the address bar will show the yellow warning colour.

Some of the major certificate issuers are Symantec, Comodo, GeoTrust, Thawte, DigiCert, RapidSSL and Gandi.

The most basic and cheapest ones can be found at Comodo, RapidSSL and Gandi, where they can be found for less than 12 euros per year.

Characteristics of a certificate

To compare certificates and choose the most suitable one, we will look at a number of qualities they possess. These characteristics give rise to three types of certificate: domain validation, company validation and extended validation (EV).

Normally a domain-validated certificate can be obtained in just 15 minutes through an online validation. That is why these certificates do not usually offer great guarantees.

In the case of company (enterprise) and extended validation SSL certificates, documentation is requested to prove that you are who you say you are and that you have rights over the company for which you are requesting the certificate. The process therefore takes days and uses postal mail.

Warranty

The warranty is the coverage provided by the issuer of the certificate to cover financial loss as a direct result of their negligence.

This warranty is almost always found in company and extended validation certificates, so a small company may not need a warranty, or at least not a very broad one.

Encryption and key

Encryption is performed with a cipher (encryption algorithm) that must be supported by both the server and the client's browser. The key length reinforces this encryption: the longer the key, the harder it is to break.

Today almost all SSL certificates offer a 256-bit encryption and a 2048-bit key.

Scope of protection

The basic certificate protects only one hostname (subdomain), for example www.example.com.

In the case of the wildcard certificate all subdomains are protected, e.g. example.com, www.example.com, blog.example.com, etc.

Another option is the multidomain certificate, which allows you to add several domains to the same certificate. However, only a few of them (usually 3) are included in the price; the rest are added for an extra fee.
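To make the three scopes above concrete, here is an added example (not code from the original article) that applies the hostname-matching rules browsers use for the dNSName entries of a certificate's subjectAltName extension, following RFC 6125 section 6.4.3: labels are compared case-insensitively, a wildcard is honoured only as the entire left-most label, and it matches exactly one label. The three SAN lists are constructed sample data standing in for a basic, a wildcard and a multidomain certificate; they are not real certificates.

```python
"""Which hostnames does a certificate cover?

Added example: RFC 6125 style dNSName matching over constructed SAN lists
for the basic, wildcard and multidomain certificate scopes.
"""


def _label_matches(pattern_label: str, host_label: str) -> bool:
    # A wildcard is honoured only when it is the entire label ("*", not "w*");
    # partial wildcards are rejected, which is the conservative choice.
    if pattern_label == "*":
        return host_label != ""
    return pattern_label == host_label


def name_matches(san_name: str, hostname: str) -> bool:
    """Return True if a single dNSName entry covers hostname."""
    san = san_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == host
    san_labels = san.split(".")
    host_labels = host.split(".")
    # The wildcard may only be the left-most label, and at least two
    # literal labels must remain, so "*.com" is never accepted.
    if "*" in san_labels[1:] or len(san_labels) < 3:
        return False
    # "*" matches exactly one label: "*.example.com" covers "blog.example.com"
    # but neither "example.com" nor "a.b.example.com".
    if len(san_labels) != len(host_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(san_labels, host_labels))


def cert_covers(san_names, hostname: str) -> bool:
    """True if any dNSName entry of the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in san_names)


def coverage_report(san_names, hostnames):
    """Map each hostname to whether the certificate protects it."""
    return {h: cert_covers(san_names, h) for h in hostnames}


# Constructed SAN lists (sample data, not real certificates).
BASIC_CERT = ["www.example.com"]
# Issuers commonly add the bare domain as a second SAN entry, because "*"
# on its own cannot match "example.com".
WILDCARD_CERT = ["*.example.com", "example.com"]
MULTIDOMAIN_CERT = ["example.com", "www.example.com", "example.net", "shop.example.org"]

if __name__ == "__main__":
    hosts = ["example.com", "www.example.com", "blog.example.com",
             "a.b.example.com", "example.net"]
    for label, sans in [("basic", BASIC_CERT), ("wildcard", WILDCARD_CERT),
                        ("multidomain", MULTIDOMAIN_CERT)]:
        print(label, coverage_report(sans, hosts))
```

The report makes the practical edge cases visible before buying: a wildcard for *.example.com does not cover a second-level name such as a.b.example.com, and covers the bare domain only if the issuer adds it as its own entry, while a multidomain certificate covers exactly the names listed and nothing else.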

Security indicators

All SSL certificates provide a padlock in the address bar of the browser.

The green bar is the indicator of maximum security, and its price reflects this: only extended validation certificates include it, and their prices rarely fall below $200 per year.

Figure: Various web browsers displaying their address bars with extended validation certificates. Caption: The "green bar", a security status upon payment.

Some issuers also offer a "dynamic site seal", a dynamically generated image stating that the site is secure, which we can place in the footer of our website.

Other features

Other features to look out for when buying an SSL certificate are:

  • Servers: Some providers charge a fee when you change hosting or IP address.
  • Years: The number of years an SSL certificate lasts before it needs to be renewed.
  • SGC: No longer of much use, but it provided compatibility with Internet Explorer 5 and other browsers of that era by means of 128-bit SSL SGC (Server Gated Cryptography).
  • Reissue: If you lose your certificate or wish to reissue it, some issuers may charge a fee.
  • Price: Of course, a determining factor when choosing is price. Compare before you decide.

Let's Encrypt

A few months ago Mozilla, Akamai, Cisco and the Electronic Frontier Foundation announced Let's Encrypt, a non-profit project that aims to make the Internet a secure place by issuing free and trusted SSL certificates.

Let's Encrypt is expected to go live in the middle of 2015. In the meantime, we already know how to choose a paid SSL certificate.
