What is an SSL certificate, and why do you need one?

Posted on February 9, 2012

Recently Facebook made it mandatory to supply a “Secure Page Tab URL” for users on an HTTPS connection. This means that if a visitor to your Facebook page has elected to browse Facebook over a secure connection, and you haven’t provided a way for Facebook to reach your custom tab over HTTPS, that visitor won’t be able to see your Facebook page tab.

If you have ever looked at setting up an online shop, you’ve probably seen the requirement at some point to acquire an SSL certificate. The SSL certificate is part of the puzzle that will allow your visitors to view your site via a secure “https://” connection rather than the usual “http://” connection. But how does this file, or collection of files, make your site secure?

SSL certificates serve two functions. Firstly, they hold your public and private keys. The keys are long strings of characters that are plugged into a mathematical formula that encrypts and decrypts the data moving between your server and the end user. This is a good start. Without this mathematical magic, all your data is about as secure as a postcard in the hands of a nosey postman.

SSL certificates offer some other protection, though. It is possible (in fact a necessity) to get them “signed” by a trusted party. The idea behind it is this: the visitor to your site (really the user’s browser) assumes they don’t know you from Adam and doesn’t trust you, which is a pretty good policy on the Internet. But the browser does have a list of parties it does trust: certificate authorities that have been audited and manually added to the web browser. These trusted authorities can lend you some of their trust by signing your untrustworthy certificate. In effect they are saying that because they trust you, it’s OK for others to. This signing process is the part that will cost you money. It’s possible to generate and even sign a certificate yourself, but because no one trusts you, your visitors will get warnings when you try to make them use your certificate. Without this signing process, compromising the secure connection would be significantly easier, because the client would have no way of verifying that the party it is talking to is who they say they are.
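The difference between a certificate signed by a trusted authority and one you sign yourself can be reproduced locally with the openssl command-line tool. This is an added example, not part of the original post; the CA name “Example Test CA”, the hostname shop.example.com and the function names are constructed for the demonstration, and the private demo CA stands in for an authority on the browser’s trust list.

```shell
#!/bin/sh
# Added example (not from the original post). All names are constructed:
# "Example Test CA" stands in for a certificate authority in the browser's
# trust list, "shop.example.com" for your site.

# Create a demo CA, a CA-signed site certificate and a self-signed one in $1.
make_demo_certs() {
    dir=$1
    # The trusted party: its certificate is the "trust list" entry.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    # Your site: a key pair plus a signing request sent to the CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example.com" \
        -keyout "$dir/site.key" -out "$dir/site.csr" 2>/dev/null &&
    # The CA signs the request; this is the step you pay for.
    openssl x509 -req -in "$dir/site.csr" -days 30 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/site.crt" 2>/dev/null &&
    # The do-it-yourself alternative: same hostname, signed by itself.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=shop.example.com" \
        -keyout "$dir/self.key" -out "$dir/self.crt" 2>/dev/null
}

# Succeeds only if certificate $2 chains to the trust anchor file $1.
is_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print who signed certificate $1.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_certs "$tmp" || { rm -rf "$tmp"; return 1; }
    for cert in site self; do
        issuer_of "$tmp/$cert.crt"
        if is_trusted "$tmp/ca.crt" "$tmp/$cert.crt"; then
            echo "$cert.crt: trusted"
        else
            echo "$cert.crt: NOT trusted (browser would warn)"
        fi
    done
    rm -rf "$tmp"
}

demo
```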

So, in short, the SSL certificate gives you the ability to make sure a connection remains hidden from prying eyes, and provides a means of verifying that the party you are communicating with is who they say they are.

When looking at purchasing SSL certificates you may see quite a range of prices. The pricing differences are based on:

  • The amount of verification that goes on, i.e. how much you are trusted. The cheapest certificates are usually just verified by you answering an email. Certificates with higher levels of verification are often indicated in browsers by a green bar or something similar; these are usually referred to as “Extended Validation (EV)” certificates.
  • Certificates usually just secure one hostname. Wildcard certificates can secure a number of hosts on a domain. Even though these are more expensive, they may work out better value if you have a lot of hosts to secure.
  • Another factor affecting the cost is how many entities actually trust the party signing your certificate. There’s no point getting someone to sign your certificate if no browser will trust them. The certificate authority you are considering will usually have a list of who trusts them out of the box.
  • Certificates are usually valid for a year, after which you will need to renew them, similar to renewing a domain name. Purchasing multi-year certificates will be more expensive but perhaps better value.

This has been a fairly high-level explanation of how the SSL certificate fits into securing the communication on your site. As you can probably see, there’s quite a bit to it, and getting it wrong can expose your site to attack, scaring your customers away and ultimately losing business. If you’re unsure about how to go about getting an SSL certificate, ask your web developer, your ISP, or us. Have you made your Facebook page HTTPS-capable? We’ll try to get a guide up ASAP on how to go about getting your certificate up and running.
