What is SSL, TLS and HTTPS?

What is an SSL Certificate?

SSL stands for Secure Sockets Layer and, in short, it's the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems, preventing criminals from reading and modifying any information transferred, including potential personal details. The two systems can be a server and a client (for example, a shopping website and browser) or server to server (for example, an application with personal identifiable information or with payroll information).

It does this by making sure that any data transferred between users and sites, or between two systems remain impossible to read. It uses encryption algorithms to scramble data in transit, preventing hackers from reading it as it is sent over the connection. This information could be anything sensitive or personal which can include credit card numbers and other financial information, names and addresses.

TLS (Transport Layer Security) is just an updated, more secure, version of SSL. We still refer to our security certificates as SSL because it is a more commonly used term, but when you are buying SSL from DigiCert you are actually buying the most up to date TLS certificates with the option of ECC, RSA or DSA encryption.

HTTPS (Hyper Text Transfer Protocol Secure) appears in the URL when a website is secured by an SSL certificate. The details of the certificate, including the issuing authority and the corporate name of the website owner, can be viewed by clicking on the lock symbol on the browser bar.

Compare SSL Prices

Introduction to SSL

Learn how SSL works to protect online information and increase trust in websites.

For online businesses or websites which accept credit or debit card payments, or involve the transfer of personal or sensitive information such as names and addresses, an SSL certificate is a necessity for website security. It's an essential way of making sure sites are secure and customers are protected, but crucially it also adds the appearance of security to online sites.

An SSL certificate is installed on the server side but there are visual cues on the browser which can tell users that they are protected by SSL. Firstly, if SSL is present on the site, users will see https:// at the start of the web address rather than the http:// (the extra "s" stand for "secure"). Depending on what level of validation a certificate is given to the business, a secure connection may be indicated by the presence of a padlock icon or a green address bar signal.

Google now advocates that HTTPS, or SSL, should be used everywhere on the web and, as of 2014, the search engine has been rewarding secured websites with improved web rankings, another great reason for any site to install SSL.

Transport Layer Security (TLS) is the successor protocol to SSL. TLS is an improved version of SSL. It works in much the same way as the SSL, using encryption to protect the transfer of data and information. The two terms are often used interchangeably in the industry although SSL is still widely used. When you buy an 'SSL' certificate from DigiCert, you can of course use it with both SSL and TLS protocols.

Levels of business authentication

As well as encryption, Certificate Authorities (CAs) can also authenticate the identity of the owner of a website, adding another layer of security. The SSL certificate is then used as proof of the company's identity. Certificates can be divided into three authentication groups, based on the level of authentication, which are:

Domain Validation Certificates

Organization Validation Certificates

Extended Validation Certificates

These vary slightly in purpose and function. It's worth knowing a little more how each of them works before deciding which is the most suitable.

Domain Validation SSL Certificates

These require businesses to prove their control over just the domain name. The certificate contains the domain name that was supplied to the issuing authority as part of the request. Because the identity of the organization is not checked here, Domain Validated certificates are the most basic level of SSL certification, and are only appropriate for test servers and internal links.

Organization Validation SSL Certificates

This requires the applicant to not only prove they own the domain name they wish secure, but also prove that their company is registered and legally accountable as a business. The issued certificate is then proof of domain and company name. This level of authentication is suitable for public-facing websites that collect personal data from site users. Note that individuals cannot obtain such certificates, only organizations and businesses.

Extended Validation SSL Certificates

Extended Validation SSL helps protect users from providing their details to fake website which can be used by criminals for phishing. EV SSL requires both of the above validations for domain and company as well as several additional verification steps related to proving that the SSL certificate belongs to a registered company. This extra company information is then represented in the issued certificate on the address bar and can be accessed from many web browsers by clicking on the padlock icon. When visiting a site with EV SSL many browsers exhibit a green address bar as a highly visual sign of trust in the website and business to handle personal information. This type of certificate is also available to organizations and businesses only.

SSL Certificates

Optimize your website for security trust with SSL Certificates and the Norton Seal.

Compare SSL Certificates

How does an SSL certificate work?

The basic principle is that when you install an SSL certificate on your server and a browser connects to it, the presence of the SSL certificate triggers the SSL (or TLS) protocol, which will encrypt information sent between the server and the browser (or between servers); the details are obviously a little more complicated.

SSL operates directly on top of the transmission control protocol (TCP), effectively working as a safety blanket. It allows higher protocol layers to remain unchanged while still providing a secure connection. So underneath the SSL layer, the other protocol layers are able to function as normal.

If an SSL certificate is being used correctly, all an attacker will be able to see is which IP and port is connected and roughly how much data is being sent. They may be able to terminate the connection but both the server and user will be able to tell this has been done by a third party. However, they will not be able to intercept any information, which makes it essentially an ineffective step.

The hacker may be able to figure out which host name the user is connected to but, crucially, not the rest of the URL. As the connection is encrypted, the important information remains secure.

SSL starts to work after the TCP connection is established, initiating what is called an SSL handshake.

The server sends its certificate to the user along with a number of specifications (including which version of SSL/TLS and which encryption methods to use, etc.).

The user then checks the validity of the certificate, and selects the highest level of encryption that can be supported by both parties and starts a secure session using these methods. There are a good number of sets of methods available with various strengths - they are called cipher suites.

To guarantee the integrity and authenticity of all messages transferred, SSL and TLS protocols also include an authentication process using message authentication codes (MAC). All of this sounds lengthy and complicated but in reality it's achieved almost instantaneously.

Manage SSL Certificates

Optimize your website with the most robust TLS certificates in the industry and the most recognized trust mark, the Norton Seal.

How to know if SSL is needed

The fact that Google is pushing for HTTPS across the web and prioritising sites that have an SSL certificate probably indicates just how much SSL is needed, but here are some other top reasons for getting an SSL certificate.

Secure purchases

According to Business Insider 74% of shopping carts are abandoned but up to 64% can be recovered with better checkout security and flow. Many of these 64% are more likely to complete a purchase if they know the checkout area is secure. That's not a number businesses can afford to ignore. Even if they're only using SSL for their checkout area, it's well worth it.

Offering memberships

If sites offer membership or anything that involves collecting email addresses and other sensitive information, then SSL is a good idea. It's always sensible to keep customer information as safe as possible.

If forms are used

The same applies if they use any kind of form where users will be submitting information, documents, or images. It is surprising how much information is collected about a site's visitors, so it's worth keeping it safe.

If it's simply a blog or a standard 'info only' kind of site, HTTPS can help to protect the security of sites, reducing the risk or tampering and intruders injecting ads onto the page to break user experience. Plus, it really can't hurt in terms of search engine rankings.

Does SSL work across all devices?

In short, the answer to this question is yes it does. Of course, there are some configurations that will not work 100% so it is can be valuable to talk with the Certificate Authority's sales team if unsure.

Devices and operating systems

Again all of the big operating systems for computers, tablets and mobile phones are supported. However, in the case of mobiles, it might be that some older devices won't support newer SSL or TLS protocols so it's worth doing the research to ensure maximum compatibility. The SSL certificate provider can help with this if there are any doubts.

Browser compatibility

People use a range of different browsers (Chrome, Firefox, Safari etc) to access web content. Just as sites are created to work on all browsing platforms, SSL/TLS from a reputable provider will also work in 99% of cases. Unless users are accessing the site from very niche browsers, all the big names will be covered.

Servers

Thanks to the way SSL works, servers don't really need to have root certificates embedded but you will need to install the corresponding intermediate certificate(s). As long as the certificate is installed correctly, it can be supported by any server. It's up to the browser to determine if it's trusted or not during the handshake process.

Key Services and Features

Learn more about how our services help extend security on your website beyond SSL.

What are the visual implications of SSL?

As we've referred to a number of times throughout this guide, it is often the visual impact of an SSL certificate that has the biggest effect on users and potential customers. But how exactly does this work and what visual form will an SSL take on a site?

As with any purchase, online or not, most people will be more likely to buy from a reputable dealer. Certificates to prove authenticity or expertise in a certain field go a long way to making customers feel more secure.

That's exactly the visual impact an SSL certificate can have on potential clients. SSL and TLS are the industry's best and most accepted standards of security and certificates should be proudly displayed where everyone can see them.

First of all, it will appear in the address bar. The site's pre-x will be https:// rather than the http:// and users are more frequently insisting on the difference.

The presence of the padlock icon in the address bar is also a big indication of safety. It reassures customers that their connection is secure and encrypted. And, as we've mentioned, it can make people more likely to complete a transaction.

By using the most secure form of certificate - the Extended Validation SSL certificate - the company name appears in green in the address bar. It's another sure-re way of letting customers know that it's 100% legitimate.

Lastly, many SSL certificates come with a seal image, which can be used on the site to display the brand of SSL which is being used. Let customers know that their security and information is protected and they'll be far more likely to trust the site with their cash. Research from 2013 shows that DigiCert SSL's SSL seal is the most recognized on the web.

What is an SSL Connection Error?

An SSL connection error occurs when the page being accessed has some security issues. They occur for users' protection, interrupting access to inform them that there may be some security concerns if they progress.

They can take a number of forms, often differing with the choice of browser. In some instances, the page may go red with the https:// pre-x also highlighted in red. Using Google Chrome, there are a number of messages that users might see appear on their screen. These include 'your connection is not private' or simply that 'this webpage is not available'.

It might be as the result of outdated security code on the website and doesn't necessarily mean that the site being accessed is suspicious, but users should take connection errors seriously, especially if they are not 100% sure about the destination site.

Whilst there are ways to circumnavigate SSL connection errors, it is strongly recommended that users don't.

If in website development trials it is found that the site is suering from SSL connection errors then it is imperative to do something about it quickly. This may involve updating the security settings or simply acquiring a more adapted SSL certificate. This will help browsers to establish that the site is secure and allow users to access it without safety warnings.

Does SSL Work on Email?

Most of the big email providers use SSL encryption to encrypt users' mail. In most cases, the SSL option will be automatically checked in email settings. To retrieve mail that has flagged up an error message the user may have to uncheck this option.

If the account where users retrieve mail supports SSL then they can select this option to have data sent through a secure connection.

If a company is setting up its own email service the IT team may need to check with their provider that they are also secured by SSL. This will eliminate security problems when sending out mail shots and individual mail.

How to implement an SSL certificate on a site

Depending on how a site is hosted and where, there are various ways of adding an SSL certificate. In some cases, if there's an ecommerce element on the site, it will be a requirement to have a certificate. Major hosting providers often offer hosting packages including SSL certificates.

It may also be possible to transfer an existing SSL from other hosts (exporting it from the original server and importing it on the new server). It will be necessary to follow the special instructions on the webhoster's site. Note that some Certification Authorities require you to purchase a server license for each server that will host the certificate.

Click Here for full installation instructions

Trust and Your Business

Learn how DigiCert SSL helps boost your business by giving customers the confidence to click.

SSL Summary

SSL is an important security tool for business and one that is playing an increasing role in the success of online transactions. It's really not that complicated to buy and install, and help is available along the way with many SSL providers.

An https:// pre-x and padlock icon are just a few clicks away and can have a big impact on business; increasing sales, building consumer confidence and boosting web rankings all with one industry standard certificate.

SSL Glossary

256-bit encryption Process of scrambling an electronic document using an algorithm whose key is 256 bits in length. The longer the key, the stronger it is.

Asymmetric cryptography These are ciphers that imply a pair of 2 keys during the encryption and decryption processes. In the world of SSL and TLS, we call them public and private keys.

Certificate signing request (CSR) Machine-readable form of a DigiCert certificate application. A CSR usually contains the public key and distinguished name of the requester.

Certification authority (CA) Entity authorized to issue, suspend, renew, or revoke certificates under a CPS (Certification Practice Statement). CAs are identied by a distinguished name on all certificates and CRLs they issue. A Certification Authority must publicize its public key, or provide a certificate from a higher level CA attesting to the validity of its public key if it is subordinate to a Primary certification authority. DigiCert is a Primary certification authority (PCA).

Cipher suite This is a set of key exchanges protocols which includes the authentication, encryption and message authentication algorithms used within SSL protocols.

Common name (CN) Attribute value within the distinguished name of a certificate. For SSL certificates, the common name is the DNS host name of the site to be secured. For Software Publisher Certificates, the common name is the organization name.

Connection error When security issues preventing a secure session to start are flagged up while trying to access a site.

Domain Validation (DV) SSL Certificates The most basic level of SSL certificate, only domain name ownership is validated before the certificate is issued.

Elliptic Curve Cryptography (ECC) Creates encryption keys based on the idea of using points on a curve to dene the public/private key pair. It is extremely difficult to break using the brute force methods often employed by hackers and offers a faster solution with less computing power than pure RSA chain encryption.

Encryption Process of transforming readable (plaintext) data into an unintelligible form (ciphertext) so that the original data either cannot be recovered (one-way encryption) or cannot be recovered without using an inverse decryption process (two-way encryption).

Extended Validation (EV) SSL Certificates The most comprehensive form of secure certificate which validates domain, require very strict authentication of the company and highlights it in the address bar.

Key exchange This is the way users and server securely establish a pre-master secret for a session.

Master secret The key material used for generation of encryption keys, MAC secrets and initialization vectors.

Message Authentication Code (MAC) A one way hash function arranged over a message and a secret.

Organization Validation (OV) SSL Certificates A type of SSL certificate that validates ownership of the domain and the existence of the organization behind it.

Pre-master secret The key material used for the master secret derivation.

Public key infrastructure (PKI) Architecture, organization, techniques, practices, and procedures that collectively support the implementation and operation of a certificate-based public key cryptographic system. The PKI consists of systems that collaborate to provide and implement the public key cryptographic system, and possibly other related services.

Secure server Server that protects host web pages using SSL or TLS. When a secure server is in use, the server is authenticated to the user. In addition, user information is encrypted by the user's web browser's SSL protocol before being sent across the Internet. Information can only be decrypted by the host site that requested it.

SAN (Subject Alternative Name) SSL certificates Type of certificate which allows multiple domains to be secured with one SSL certificate.

SSL Stands for secure sockets layer. Protocol for web browsers and servers that allows for the authentication, encryption and decryption of data sent over the Internet.

SSL certificate Server certificate that enables authentication of the server to the user, as well as enabling encryption of data transferred between the server and the user. SSL certificates are sold and issued directly by DigiCert, and through the DigiCert PKI Platform for SSL Center.

SSL Handshake A protocol used within SSL for the purpose of security negotiation.

Symmetric encryption Encryption method that imply the same key is used both during the encryption and decryption processes.

TCP Transmission control protocol, one of the main protocols in any network.

Wildcard SSL certificates Type of certificate used to secure multiple subdomains.

MANAGEMENT TOOLS

SSL/TLS CERTIFICATES

Code Signing Certificates

PARTNER PROGRAMS

TLS/SSL Certificates RENEW

Management Tools

Code Signing Certificates RENEW