{"id":1958,"date":"2017-10-25T02:14:47","date_gmt":"2017-10-25T07:44:47","guid":{"rendered":"https:\/\/www.rapidsslonline.com\/blog\/?p=1958"},"modified":"2019-05-09T03:35:43","modified_gmt":"2019-05-09T09:05:43","slug":"the-mega-guide-on-ssl-certificates","status":"publish","type":"post","link":"https:\/\/www.rapidsslonline.com\/blog\/the-mega-guide-on-ssl-certificates\/","title":{"rendered":"The Mega Guide on SSL Certificates for Best Encryption Knowledge"},"content":{"rendered":"<h2>Everything you need to know about SSL, encryption, and HTTPS<\/h2>\n<p>So, a while back I\u2019m sitting at my desk and I get an email from this fellow on our Search Engine Optimization team. Sometimes the SEO team sends me suggestions on what to write. This particular piece of electronic mail suggested I work on \u201c<strong>The Mega Guide on SSL Certificates for Best Encryption Knowledge.<\/strong>\u201d<\/p>\n<p><!--more--><\/p>\n<p>\u2018Now, fellas,\u2019 I said, \u2018that sounds like kind of a mouthful, why not call it \u201cEverything you need to know about SSL?\u201d Or \u201cEncryption for Dummies?\u201d Something a little more natural.\u2019<\/p>\n<p>But they were very insistent, it must be called \u201cThe Mega Guide on SSL Certificates for Best Encryption Knowledge.\u201d So, I guess that\u2019s what we\u2019ll go with. Look, I really don\u2019t understand Search Engine Optimization (or SEO as these kids call it). I\u2019m not even 100% sure that\u2019s what it stands for. I asked a couple of the guys on the SEO team about it once and the answer was long and very involved and they started talking about Penguins and Pandas. It got weird, fast.<\/p>\n<p>And frankly, I\u2019m OK with not knowing. 
I feel like SEO is a wormhole you dive down\u2014one that starts with landing pages and brand authority, and before you know it Alvin and the Chipmunks\u2019 Witch Doctor is playing on loop while long-tail keywords swirl around your head in various non-supported fonts and you can\u2019t tell if you\u2019re having some sort of organic search fever dream or if you\u2019ve accidentally ingested LSD while the TV was tuned to Alice in Wonderland, again.<\/p>\n<p>Ahem, or so I\u2019ve heard.<\/p>\n<p>Anyway, you\u2019re here to <strong>read The Mega Guide on SSL Certificates for Best Encryption Knowledge<\/strong>, so let\u2019s get started\u2026<\/p>\n<h3>The Mega Guide on SSL Certificates for Best Encryption Knowledge<\/h3>\n<p>SSL stands for \u201cSecure Sockets Layer.\u201d The original version was developed by Netscape back in 1995, shortly after Al Gore finished arranging the series of tubes that would later be dubbed the \u201cinternet.\u201d The original version, 1.0, was never even publicly released because it was riddled with security vulnerabilities. Also, syphilis. Little known fact. But mostly Security Vulnerabilities.<\/p>\n<p>In fact, Security Vulnerabilities was a hereditary issue that also ultimately ended the life of SSL 2.0 and SSL 3.0, too. It\u2019s the hardest a single family has been hit by a tech bug since the entire Johnny 5 line was disassembled by digital dysentery back in the late 1980\u2019s.<\/p>\n<p>Anyway, SSL was replaced by TLS or Transport Layer Security, which is technically different, but doesn\u2019t suffer from the same health problems and is still colloquially known as SSL. Confused? Don\u2019t be. It\u2019s kind of like what happened to Steve Perry and the band Journey. 
The band replaced him with a younger, healthier version that can do all the same things and they\u2019re still known as Journey, even though they technically aren\u2019t anymore.<\/p>\n<p>Anyway, TLS 1.3 is just being released; today most security implementations use TLS 1.1 or 1.2. And that\u2019s a brief history of SSL. Now let\u2019s address a few other questions:<\/p>\n<ul>\n<li><strong><a href=\"https:\/\/www.rapidsslonline.com\/blog\/about-ssl-encryption\/\">What is an SSL Certificate?<\/a><\/strong><\/li>\n<li><strong><a href=\"https:\/\/www.rapidsslonline.com\/blog\/how-website-security-certificate-works\/\">How does an SSL Certificate Work?<\/a><\/strong><\/li>\n<li><strong><a href=\"https:\/\/www.rapidsslonline.com\/blog\/purpose-using-ssl-certificate-website\/\">Why would you use SSL?<\/a><\/strong><\/li>\n<li><strong><a href=\"https:\/\/www.rapidsslonline.com\/blog\/premium-tips-to-choose-the-right-ssl-from-the-best-certificate-authority\/\">What are the types of SSL Certificate?<\/a><\/strong><\/li>\n<li>Should I get a free SSL Certificate?<\/li>\n<\/ul>\n<p>And then we\u2019ll finish by talking a little bit about brands. Well, I say we \u2013 I\u2019ll finish \u2013 you may not be reading by then. Who knows. The night is young.<\/p>\n<h3>What is an SSL Certificate?<\/h3>\n<p>An SSL certificate is a digital certificate that allows for the validation of a web server and the encryption of all communication between that server and its visitors. Or, put another way, an SSL certificate is what facilitates encrypted connections.<\/p>\n<p>Think of it like a driver\u2019s license. When you get one, the Certificate Authority that\u2019s issuing the certificate \u2013 which stands in for the DMV in this metaphor \u2013 verifies the identity of the applicant before issuing a document that gives the holder specific privileges. 
That means driving in the case of a driver\u2019s license or using Public Key Infrastructure to encrypt communication in the case of an SSL Certificate. Fortunately, validation doesn\u2019t require sitting in a stuffy waiting room next to the dregs of society for two hours while a disinterested clerk uses a 90\u2019s era computer to inch through the line. You pull a number, it says D6, they\u2019re on A15\u2014what the hell does that even mean? [Editor\u2019s Note: That\u2019s really specific, Carl]<\/p>\n<p>An SSL certificate serves two basic functions, though only one of them really gets any attention. The first, and most celebrated, function is encryption. <strong>An SSL certificate will let you encrypt all communication to and from your website.<\/strong> But depending on the type of validation you choose, an SSL certificate can also authenticate your identity.<\/p>\n<p>We\u2019ll get into that a little more in depth when we talk about certificate types later, but for now, just remember that an SSL certificate is kind of like a digital driver\u2019s license. It identifies its owner and grants certain permissions.<\/p>\n<p>Now let\u2019s define a few key terms. You\u2019ll need to know these before we go any further.<\/p>\n<ul>\n<li><strong>HTTPS<\/strong> \u2013 This is the secure version of the HTTP protocol that the internet is based on. You redirect your website to HTTPS URLs after installing SSL.<\/li>\n<li><strong>Client<\/strong> \u2013 This refers to the user, typically visiting on a web browser like Google Chrome or Mozilla Firefox.<\/li>\n<li><strong>Server<\/strong> \u2013 Websites are hosted on servers; when communication takes place with a client, it occurs with the server, not the site itself.<\/li>\n<\/ul>\n<p>That should pretty much cover it. Let\u2019s move on\u2026<\/p>\n<h3>How Does an SSL Certificate Work?<\/h3>\n<p>There are two ways I could explain this: one is exceptionally technical and would require a lot of research on my part. 
The other is to explain it in layman\u2019s terms and try not to alienate my readers. I\u2019m going to go with the second route. It\u2019s not that I don\u2019t want to do a bunch of research, actually, yes it is. That\u2019s exactly why. I\u2019m not going to lie to you.<\/p>\n<p>Ok, so when a client\u2019s browser reaches a website\u2019s server and notices it has SSL, it begins a process called \u201c<strong>The SSL Handshake<\/strong>.\u201d This is where the client and the server decide on the means of encryption they will use (which algorithms and ciphers &#8211; basically the directions for encrypting), authenticate the server and then exchange symmetric session keys.<\/p>\n<p>Once the session keys are exchanged, the two begin encrypting communication in a way that only the other party can read. This prevents eavesdropping from third parties, content injection and a litany of other potential issues.<\/p>\n<p>Now, a quick word on keys. There are two kinds of encryption at play in an SSL connection. The first is asymmetric encryption that occurs between the private key and the public key. <a href=\"https:\/\/www.rapidsslonline.com\/blog\/public-key-private-key-encryption\/\">For an in-depth explanation of asymmetric encryption, click here<\/a>.<\/p>\n<p>The other kind of encryption, symmetric encryption, occurs between the session keys. Whereas with asymmetric encryption <a href=\"https:\/\/www.rapidsslonline.com\/blog\/public-key-private-key-encryption\/\">the public key encrypts and the private key decrypts, symmetric encryption allows both keys to encrypt and decrypt<\/a>. This is necessary for two-sided communication.<\/p>\n<p>A session key, as the name suggests, is good for one session, after which the keys are discarded and new keys are exchanged upon the next visit. An asymmetric private key is usually 2048-bit. Session keys, which need to be faster, are 256-bit. 
Don\u2019t worry about the drop in size though, it would take a supercomputer 10,000 years to break 256-bit encryption.<\/p>\n<h3>Why Would You Use SSL?<\/h3>\n<p>Hackers. Let\u2019s move on\u2026 [Editor\u2019s Note: Maybe a little more, Carl]<\/p>\n<p>Ok, ok. There are some very specific threats that exist on websites without encryption. Specifically eavesdropping. Eavesdropping can occur anytime there is an unencrypted connection between a client and a server. It basically means a third party can \u201clisten in\u201d and see every last piece of data being transferred between the two parties. This includes sensitive information like names, addresses, credit card numbers, social security numbers, etc. It\u2019s kind of like having a Peeping Tom, only instead of a stranger in your bushes, he (or she\u2014it could be a she, it\u2019s 2017, get over it) is spying on your financial data. It\u2019s like a Peeping Tom who gratifies himself to your wife doing your taxes. [Editor\u2019s Note: WTF, Carl].<\/p>\n<p>Obviously, this is a problem, especially for websites that collect personal information. This is the biggest reason for encryption. Websites need to protect the information being transmitted to and from their visitors\u2014especially e-commerce sites, banks, medical organizations and a range of other industries.<\/p>\n<p>Beyond stealing sensitive information, eavesdroppers can also manipulate information. Meaning they can impersonate the client or the server and cause chaos. This is called a man-in-the-middle attack. Your client thinks it\u2019s connected to the server, your server thinks it\u2019s connected to the client, but there\u2019s an intermediary there. The client sends info to the attacker, who then sends it to the server. Obviously, you can see how this can create problems. SSL solves those problems by preventing MITM attacks and eavesdropping.<\/p>\n<p>It also prevents content injection. 
This is typically done by ISPs when they\u2019re injecting unwanted ads into websites, but it can also be done by malicious third parties, which is way more dangerous. Really anytime you use the term \u201cinjecting something\u201d around me it makes my stomach turn.<\/p>\n<h3>What are the Types of SSL Certificate?<\/h3>\n<p>For the sake of ease, we\u2019re going to divide <strong><a href=\"https:\/\/www.rapidsslonline.com\/ssl-types.aspx\">SSL types<\/a><\/strong> into two categories:<\/p>\n<ul>\n<li>Validation Level<\/li>\n<li>Functionality<\/li>\n<\/ul>\n<p>There are three validation levels and four functionalities. Let\u2019s start with validation types. Validation type refers to how much the Certificate Authority is going to vet your company or organization.<\/p>\n<ul>\n<li><a href=\"https:\/\/www.rapidsslonline.com\/ssl-types\/domain-validation-ssl-certificates.aspx\"><strong>Domain Validation<\/strong><\/a> \u2013 Only requires domain control validation (meaning that you own your website), DV can be used by anyone.<\/li>\n<li><a href=\"https:\/\/www.rapidsslonline.com\/ssl-types\/organization-validation-ssl-certificates.aspx\"><strong>Organization Validation<\/strong><\/a> \u2013 Light business authentication needs to be performed before issuance. This can be done in a few days.<\/li>\n<li><a href=\"https:\/\/www.rapidsslonline.com\/ssl-types\/ev-ssl-certificates.aspx\"><strong>Extended Validation<\/strong><\/a> \u2013 This requires full business authentication, which can take up to a week. 
EV displays your business name in the address bar.<\/li>\n<\/ul>\n<p>Next, let&#8217;s look at the different functionalities.<\/p>\n<ul>\n<li><strong><a href=\"https:\/\/www.rapidsslonline.com\/ssl-types\/single-domain.aspx\">Single Domain SSL<\/a> \u2013 Encrypts a single domain.<\/strong><\/li>\n<li><strong><a href=\"https:\/\/www.rapidsslonline.com\/ssl-types\/multi-domain-san-certificates.aspx\">SAN SSL or UCC Certificate<\/a> \u2013 Encrypts multiple domains.<\/strong><\/li>\n<li><strong><a href=\"https:\/\/www.rapidsslonline.com\/ssl-types\/wildcard-ssl-certificates.aspx\">Wildcard SSL<\/a> \u2013 Encrypts one domain and unlimited accompanying sub-domains.<\/strong><\/li>\n<li><strong><a href=\"https:\/\/www.rapidsslonline.com\/ssl-brands\/geotrust\/true-businessid-multi-domain-wildcard.aspx\">Multi-Domain Wildcard SSL<\/a> \u2013 Encrypts multiple domains and sub-domains.<\/strong><\/li>\n<\/ul>\n<h3>Should I Get a Free SSL Certificate?<\/h3>\n<p>For many websites, especially ones that aren\u2019t associated with a business, <strong><a href=\"https:\/\/www.rapidsslonline.com\/ssl-brands\/rapidssl\/free-ssl-certificates.aspx\">free SSL is a great option<\/a><\/strong>. It\u2019s easy to acquire, easy to install and it\u2019s going to provide industry-standard encryption. I\u2019m not going to lie to you, sometimes FREE is the way to go.<\/p>\n<p>But if you\u2019re running a business, don\u2019t go the free route. The scale of what you\u2019re doing, certificate management and support will all be thoroughly lacking. Through no fault of their own, free CAs can\u2019t provide the kind of support paid CAs do. If you run into an error, you\u2019ll be left to sort through old forum posts for an answer.<\/p>\n<p>Not to mention these certificates expire every three months and only come in single domain and wildcard.<\/p>\n<p>Paid CAs provide better options, better scalability, and better support. 
If that\u2019s important to you, we recommend staying away from free certificates.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Everything you need to know about SSL, encryption, and HTTPS So, a while back I\u2019m sitting at my desk and I get an email from this fellow on our Search &hellip; <span class=\"d-flex justify-content-end\"><a href=\"https:\/\/www.rapidsslonline.com\/blog\/the-mega-guide-on-ssl-certificates\/\" class=\"btn btn-blue\">Read More <span class=\"screen-reader-text\">The Mega Guide on SSL Certificates for Best Encryption Knowledge<\/span><\/a><\/span><\/p>\n","protected":false},"author":4,"featured_media":1959,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[14],"tags":[],"yst_prominent_words":[568,116,566,561,270,1879,574,569,563,1159,564,560,1158,1157,37,575,46,562,570,576],"class_list":{"0":"post-1958","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-ssl-certificate"},"_links":{"self":[{"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/posts\/1958","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/comments?post=1958"}],"version-history":[{"count":0,"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/posts\/1958\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/media\/1959"}],"wp:attachment":[{"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/media?parent=1958"}],"wp:term":[{"taxonomy":"category","em
beddable":true,"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/categories?post=1958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/tags?post=1958"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/yst_prominent_words?post=1958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}