The modern “trusted Internet” is synonymous with two ubiquitous technologies: Secure Sockets Layer (SSL) and Transport Layer Security (TLS). This article deals with both. When accentuating their similarities, they’ll be dealt with together; at times, however, we’ll differentiate between the two. Regardless of which technology we’re discussing, cryptographic keys allow for encrypted private conversations between remote parties while digital certificates ensure that servers truly belong to the entities they represent online. These components comprise the Public Key Infrastructure (PKI) that makes secure conversations and transactions possible on the inherently insecure public Internet.
What indicators come to mind when you think of the “trusted Internet?” Is it the padlock icon? Or is it perhaps the “https://” designation in the browser address bar? Have you ever really looked at a digital certificate and verified that it is issued by a recognizable certificate authority (CA)? SSL encompasses all of these elements and more.
SSL became an Internet standard in 1994, with TLS being added soon thereafter. Both are constructed around a similar architecture using X.509 certificates. Although there are some differences between SSL and TLS, this document generally refers to the protocol as SSL/TLS, since the two share a common architecture. SSL/TLS is most often represented as HTTPS, but the protocol can be used to secure any TCP-based application. SSL/TLS is also popular for encrypting traffic between email clients and POP or IMAP servers, setting up secure tunnels between IDS sensors and management consoles, and supporting VPNs as a lower-cost alternative to IPSec.
SSL 3.0 debuted in 1996 and quickly became the Internet’s primary security mechanism. TLS is the successor protocol to SSL, allowing clients and servers to specify accepted hash and signature algorithms and support additional cipher suites. TLS 1.3 rolled out in 2018 and included several security and performance improvements. It also removed obsolete and insecure features from the 2008 TLS 1.2.
As of August 2019, best security practices from the National Institute of Standards and Technology (NIST) require all government TLS servers and clients to support TLS 1.2 (configured with FIPS-based cipher suites) and recommend that agencies develop plans to support TLS 1.3 by January 1, 2024.
With cybersecurity at the forefront in this digital age, more internet users are wondering, “What does SSL mean?” and “How secure are the sites I use?” It benefits every website owner to know the answers and to take the necessary steps to establish trust with visitors to their site. And now we’ve covered what SSL means, but what is an SSL certificate? Read on.
SSL/TLS certificates play a critical role in secure and encrypted communications between a client and a server. First, the server’s certificate, containing its public key, is used by the client to determine whether the client should accept a trust relationship with the server. If the client accepts or validates the authenticity of the server, then the server certificate is used to establish a secure, encrypted channel for the ensuing session. These protocols are not new.
What Does SSL Stand For?
Most of us have probably heard of SSL even if we don’t come from a cybersecurity background—and even if our eyes have only glazed past the term on our browsers. But what does SSL stand for? SSL stands for Secure Sockets Layer, and TLS stands for Transport Layer Security. They are online security protocols to protect data sent across the internet.
An SSL certificate encrypts sensitive information, provides authentication, and bestows trust. The primary purpose of SSL is to encrypt sensitive information that is sent across the internet so that only the intended recipient can access it, protecting information against hackers and identity thieves.
An SSL certificate through a trusted provider also supplies verified authentication, so you can be sure that you are sending information to the right server, and not to a malicious imposter. A secure connection through SSL also instills more trust in your customers.
In addition, to accept credit card information on your site, you must comply with Payment Card Industry (PCI) standards. SSL is required for PCI compliance.
SSL/TLS is the foundation for a secure internet. It protects information and is essential for protecting your website, even if the site doesn’t handle sensitive information like credit cards, names and addresses, or passwords. It is also used to secure email and sharing of files. An SSL certificate provides privacy, data integrity, and critical security.
If your site asks for any personal information, an SSL certificate is necessary. In addition, search engines are taking note of perceived security lapses in websites, and they now issue warnings against any site not considered secure. Google uses SSL as a ranking factor, so without an SSL certificate, your site will be harder to find.
The price of an SSL certificate runs from cheap (some are even free) to very expensive. The adage, “You get what you pay for,” definitely applies. Your SSL choice depends on the type of website and your company. A large financial institution will pay thousands of dollars a year for their SSL certificate, but a blog or online portfolio will not require the same kind of security, so a less expensive certificate will probably suffice.
When you’re looking to get an SSL certificate, it’s important to get the right certificate from the right provider, or Certificate Authority (the organization that will issue the certificate and associated keys). A faulty or improperly installed certificate is no better than not having one at all. Fortunately, the process isn’t complicated:
Choose a Certificate Authority
Purchase and verify your SSL certificate
Download your SSL certificate files
Install your SSL certificate
Validate the SSL certificate and confirm that it is working
The process for installing an SSL certificate depends on the provider that you purchased it from. Some providers will streamline installation or take care of it for you, but for those who need to do it manually, installation steps are dependent upon your platform and operating system. This article contains instructions and tutorials for manual installation of an SSL certificate.
When you hear the word renewal, you may well think of your driver’s license, or maybe someone’s wedding vows. But of course we’re talking about cybersecurity. What is SSL certificate renewal? SSL certificates are hardcoded with expiration dates (a maximum of two years), so you must renew your SSL certificate before it expires. This provides greater protection and ensures your SSL encryption is up to date with the latest TLS versions and ciphers.
The SSL definition comes down to its name—Secure Sockets Layer—and as the term suggests, it provides a layer of security. There are five key benefits to SSL:
It protects data
It affirms your identity
It gives you better search engine ranking
It is a requirement for PCI/DSS (Payment Card Industry Data Security Standard) compliance
It improves customer trust
SSL does impact search rankings. In order to offer more protection to internet users, in 2014 Google changed its algorithm so that HTTPS was a ranking signal, which gave the upper hand to HTTPS-enabled websites. And in July of 2018, Google Chrome began marking all sites that do not have an SSL certificate as “not secure.”
SSL/TLS encrypts data sent across the internet, which protects against hacking and identity theft from third parties intercepting or “eavesdropping” on your site’s activities.
Cybersecurity is always improving and advancing. Unfortunately, so are the methods of those trying to breach that security. SSL is just one part of a site’s overall security. It’s important to stay current with SSL certificates to protect against hackers who take advantage of outdated encryption or ciphers. Protecting the private key to your certificate is also vital. Another tactic, while not technically hacking an existing certificate, is when fraudulent certificates are issued by hackers to add the appearance of legitimacy to fake websites.
In cybersecurity, a man-in-the-middle attack refers to when communication between two parties online is compromised by a third party. Attackers can eavesdrop to capture information from the exchange, or they can actively modify or tamper with the information. SSL/TLS protects against these attacks by encrypting all data with a private key given to the original SSL certificate holder. Attackers cannot read or tamper with the encrypted data without the private key.
SSL certificates protect data by using a key pair: a public key and a private key. Together, these keys handle encryption and decryption. An SSL certificate also contains the identity of the certificate/website owner. While a hacker may see the public key, the private key is known only to the original certificate holder and their server. Therefore, unauthorized parties cannot decrypt the data.
TLS (Transport Layer Security) is an updated, more secure version of SSL. The term SSL is still commonly used, but at this time it usually refers to the TLS protocol and certificates.
In 1999, TLS replaced the older SSL protocol as the preferred security mechanism. Now, it is recommended that any websites with the outdated SSL protocol disable it and enable TLS only. TLS 1.3 was released in 2018.
Like SSL, a certificate is used with TLS. However, it is important to understand that certificates are not the same as protocols. So you don’t need to choose between a TLS certificate and an SSL certificate. It may be more accurate to say these are “certificates for use with SSL and TLS,” since the protocols are determined by the server configuration, not the certificates themselves.
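The validation step, the renewal deadline, and the advice to enable TLS only can all be checked from the client side. The Python sketch below is an added example, not code from the original article; the function names, the 30-day warning window, and the sample certificate dictionary are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def tls_only_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Client context: CA chain and hostname are verified, SSL and early TLS refused."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname are on
    ctx.minimum_version = minimum       # protocol floor is configuration, not the cert
    return ctx

def days_until_expiry(cert, now=None):
    """Whole days before the certificate's notAfter date; negative once expired."""
    now = now or datetime.now(timezone.utc)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (datetime.fromtimestamp(not_after, tz=timezone.utc) - now).days

def renewal_status(cert, now=None, warn_days=30):
    """Classify a certificate as 'expired', 'renew-soon' or 'ok'."""
    left = days_until_expiry(cert, now)
    if left < 0:
        return "expired"
    return "renew-soon" if left <= warn_days else "ok"

def inspect_server(host, port=443, timeout=5.0):
    """Handshake with host; raises ssl.SSLError if the chain, the hostname or the
    protocol floor is not satisfied. Needs network access."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with tls_only_context().wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
            return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                    "issuer": issuer.get("organizationName"),
                    "days_left": days_until_expiry(cert),
                    "status": renewal_status(cert)}

# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {"notAfter": "Mar  1 12:00:00 2025 GMT",
               "issuer": ((("organizationName", "Example CA"),),)}

if __name__ == "__main__":
    now = datetime(2025, 2, 1, 12, 0, tzinfo=timezone.utc)
    print(days_until_expiry(SAMPLE_CERT, now), renewal_status(SAMPLE_CERT, now))
```

Calling inspect_server() against your own site after installation reports the negotiated protocol and the days left before renewal; a server that only offers SSL or early TLS fails the handshake instead of connecting.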
With increasing cybersecurity threats—not to mention search engines giving preferential treatment to sites perceived as more secure—any website owner should seriously consider adding SSL/TLS to their site. In addition to SSL encryption that secures data, an SSL certificate instills trust, affirms identity, performs better in search rankings, and is a requirement for PCI/DSS compliance to process payment online. It is an important step in enhancing online security and ensuring a safer internet experience for your customers.
Quite frankly, there is no realistic scenario in which your business website—no matter what service or product or idea you peddle—can reasonably expect to function without SSL/TLS today. It really is that crucial.