A quick guide on the decisions that should guide your SSL buying process
It’s officially 2017 and that means that the browser community is now mandating that all websites have SSL.
That’s right, whereas having encryption was once a suggestion, now it’s a requirement. Any website that doesn’t have SSL installed and configured properly will be penalized in 2017. First with negative visual indicators and eventually with browser warnings.
That means it’s time to do some SSL shopping.
So what factors do you need to consider when choosing the right SSL Certificate for you and your website? We’re going to break it down for you right here.
What Kind of Website Are You Running?
The very first question you need to ask yourself is what kind of website you’re encrypting. If you’re just running a blog or a personal website – a domain that doesn’t collect personal information from users – then you really don’t need to spring for a higher value certificate. You just need basic Domain Validation SSL.
Domain Validation or DV is going to be the right type of SSL for a lot of websites. It offers industry-standard encryption and can be issued within minutes of ordering it—all you have to do is prove ownership over the domain.
However, if you’re running a website for a company or organization, or your website does collect personal information you’re going to want to select an SSL Certificate that also offers business authentication. There are two validation levels that offer this, Organization Validation (OV) and Extended Validation (EV).
Business Authentication is important because it offers consumers assurance about your identity. The internet brings it with it the potential for a lot of fraudulent activity. For any company or organization operating on the internet it’s important to be able to verify your identity to your visitors. With Business Authentication-level SSL, the issuing Certificate Authority vets your company or organization and then displays its legally registered business details when visitors click the padlock icon or your site seal.
Again, if you’re running a personal website or a blog, you’ll probably be fine with DV. But if you’re running a website that people need to trust – either to share personal information or carry out a financial transaction – you’re going to need the identity verification that comes with business authentication.
I Need Business Authentication, Should I Choose OV or EV?
While both OV and EV SSL offer business authentication, they were not created equally. OV SSL requires a company to undergo light business vetting and in return, verified details are included in the certificate information.
The problem is a consumer can only see those details if they know how and where to look for them. Unfortunately, OV shares the same visual indicators as DV, which means at first glance you can’t tell them apart. And while discerning internet users know to click the padlock icon, many others do not. So while you may have paid for business authentication, many of your customers won’t be able to tell you even have it.
But, whereas OV is subtler with how it displays your company or organization’s business details, EV slaps users right in the face with them. Unlike OV and DV, EV has a unique visual indicator that shows up in the address bar—your organization’s name and country of origin are written in green font beside the URL.
This “green address bar” is an unmistakable visual indicator of SSL. It accomplishes everything it wants to in a single glance. It tells visitors that their connection with your site is secure while also verifying your company identity. The green address bar cannot be faked. It can’t be tampered with. It is undisputable proof of security and identity.
The one drawback to EV SSL is that it can be cost prohibitive. While some may mention the issuance time, that can be worked around—we’ve gotten EV SSL issued in as little as 20 minutes. But the cost can be a barrier for some businesses. We will say this though, based on industry research EV has been proven to help boost conversions when implemented properly. That makes it more of an investment than an expense, because at some point – depending on how much it helps your sales – it will pay itself off.
What Are My Needs (Multiple Domains? Sub-Domains?)
Once you’ve made a determination about your validation level, you’ll need to turn your attention to your online portfolio and what your encryption needs actually are. Do you have multiple domains? Do you have a domain with several sub-domains? There are different kinds of certificates for different kinds of needs.
- Wildcard – The Wildcard SSL Certificate allows you to encrypt a domain and all of its accompanying sub-domains—as many sub-domains as you have. During the generation process, you use an asterisk in the place of a first-level sub-domain (i.e. *.rapidsslonline.com) and when the certificate is issued, it can be installed across your main domain and all of its existing sub-domains. Best of all, if you grow and add a sub-domain during the lifespan of your certificate, simply re-issue it and it will cover the new sub-domain as well. The only drawback to the Wildcard is it’s not available in EV. If you want a Business Authenticated Wildcard you have to go with OV.
- Multi-Domain – A Multi-Domain SSL Certificate does exactly what the name implies: it secures multiple domains on a single certificate. This is great for companies or organizations with large web presences because it can simplify their financial and administrative burdens considerably. During the generation process, you simply enter the FQDNs of the sites you want covered into the SAN fields and when the certificate is issued it will cover all registered domains. You do have to pay per the SAN though. Most Multi-Domain Certificates come with 2-4 included, then you pay per each additional one.
- Multi-Domain Wildcard – There exists no more versatile SSL Certificate than the Multi-Domain Wildcard, which allows you to encrypt up to 100 (depending on the CA) different domains and an unlimited number of sub-domains. Multi-Domain Wildcards make use of the Wildcard SAN field during the generation process. This means you can enter an FQDN and use the field like a SAN, or use an asterisk and make use of the certificate’s wildcard functionality. For enterprise-level corporations, Multi-Domain Wildcards are an especially cost-effective choice.
Which CA Should I Choose?
And here’s the final question you need to answer for yourself: what Certificate Authority should I go with? You’ve already decided on validation level and functionality. So who should you get to issue this thing?
The answer depends on you.
Each CA has its strengths and its weaknesses. For instance, if cost is a consideration there are plenty of low-cost CAs to consider. The problem is you’re sacrificing in terms of brand recognition and perception. For instance, maybe you go with a newer CA that many people have never heard of. You probably saved some money, but if your brand hasn’t really caught on yet and their brand really hasn’t caught on yet, you’re not going to win any trust on the basis of your reputations.
On the flipside, if you’re a relatively unknown brand (which, given the size of the internet is a lot of companies), but your visitors see Symantec’s Norton Secured Seal – the most reputable trust seal online – then they’re going to give you a much greater benefit of the doubt when it comes to their safety on your site.
Symantec is the top brand in the world. Its trust seal has been proven to boost conversions when used properly. The company’s reputation precedes itself. And you’re going to pay more to align yourself with Symantec because of it. The benefit is how such a brand alignment helps your company’s reputation. The cost is literally the cost—Symantec isn’t cheap.
The key is to ask yourself what’s important to your company? Would you build more confidence in your brand by springing for a Symantec EV SSL Certificate – knowing it will carry benefits with it down the line – or would you be better going with a more economical OV Certificate from a CA like GeoTrust?
Only you know the answer to these questions—we’re just making sure you ask the right ones.