What is an SSL certificate?
An SSL certificate is something every webshop, homepage and internet application that handles sensitive information should have, for its own security and for the security of its users and customers.
If you are involved in e-commerce you have probably heard the term "SSL certificate". An SSL certificate is a way to assure visitors to your webshop that it is a safe place to shop. SSL stands for Secure Sockets Layer and is an encryption protocol that ensures that only the sender and the recipient can read the information being exchanged. An SSL certificate primarily performs two tasks.
- The primary function of an SSL certificate is to encrypt information between two parties, e.g. during an online transaction or the download of personal information from a website. This ensures that others can't gain access to the information and exploit it. Anyone who intercepts the information being sent between the website and the customer will only see a meaningless jumble of seemingly random characters unless they have the correct keys.
- An SSL certificate also contains information about the visited site, e.g. the name of the company that owns the site. This allows the customer to verify that the website belongs to the company they assume owns it. The identity of the site is therefore verified, which ensures the customer doesn't enter sensitive information like a credit card number, social security number or phone number on a fake page pretending to be from another company.
How does an SSL certificate work?
Using an SSL certificate is like sending your private information by registered mail. Imagine sending your credit card details and signature to a company on the back of a postcard; that is how information is normally transferred over the internet. By using an SSL certificate you put the postcard into an envelope and send it as registered mail, so only the recipient can see what you wrote.
An SSL certificate uses a pair of keys. The first is a public key that is freely available; a website will automatically present its public key to all visitors. When a client sends data to the website it uses the public key to encrypt the data so it can only be read by the website. The other key is the private key; the website protects this key and no one else should have access to it. The private key is used by the website to decrypt data that has been encrypted with the public key. Certificates come with different key sizes, and thereby different levels of security.
In internet communication, ports are used to specify where the information is to be sent. The most used port is port 80, which is normally used for unencrypted communication with a web server. When SSL encryption is used on a website it is usually port 443 that is used. It's possible to use other ports, but as a standard it is recommended to use port 443. A web server can have both an unencrypted website on port 80 and an encrypted website on port 443 at the same time, both running on the same IP address. An analogy would be the IP address being a phone number and the port being the local extension.
It is important to note that an encrypted website needs its own port and IP address, though it has become possible to circumvent this through Server Name Indication (SNI). SNI is most often used to host multiple independent websites on the same IP address and port to save money; however, there are still clients that don't support SNI, which is why we recommend that each certificate has its own IP address and port.
Limitations of SSL certificates
It's important to be aware of the limitations of SSL certificates. While SSL certificates give a high level of security and protection, there is almost always a way around them. The company that issues the certificate, the level of security you pay for, the security of the server itself and the browser the customer uses all influence the overall security. Generally an SSL certificate is a good idea because it does give some protection of identity and data, and some protection is better than none.
SSL certificates can be issued by a Certificate Authority or be self-signed. If you use a self-signed certificate you will get the encryption between the website and the client, but you get no protection of identity, and the browser will show a big warning that the website may be insecure. If you buy a certificate from a Certificate Authority it's important to choose a certificate that matches your needs. There are a lot of Certificate Authorities, certificates and attributes to choose from, and the prices are just as varied.
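The identity checks described above (does the certificate name the site the customer visited, is it self-signed rather than issued by a Certificate Authority, is it still valid) and fetching a certificate with SNI, as a worked Python example added here; it is not code from the original article. The certificate dicts are constructed samples in the shape returned by Python's ssl.getpeercert(), and fetch_peer_cert() is an assumed helper name.

```python
"""Checks a browser makes before trusting a site's certificate: name match, self-signed,
validity period. The certificates below are constructed samples in the dict shape
returned by ssl.SSLSocket.getpeercert(); fetch_peer_cert() shows how to get a real one."""
import socket
import ssl
# Constructed sample: CA-issued certificate for a webshop and its subdomains.
SHOP_CERT = {
    "subject": ((("commonName", "shop.example.com"),), (("organizationName", "Example Webshop"),)),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}
# Constructed sample: self-signed certificate, so issuer and subject are identical.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("commonName", "shop.example.com"),),),
    "subjectAltName": (("DNS", "shop.example.com"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}
NOW_2025 = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")  # a moment inside validity

def name_matches(pattern, hostname):
    """DNS name match as in RFC 6125: a leading '*' covers exactly one label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]  # '*' never spans dots or the bare domain
    return p == h

def check_certificate(cert, hostname, now):
    """Return the reasons a browser would warn about this certificate (empty if none)."""
    problems = []
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(n, hostname) for n in dns_names):
        problems.append("name mismatch")  # certificate was issued for another site
    if cert["issuer"] == cert["subject"]:
        problems.append("self-signed")  # encryption only, identity vouched for by nobody
    valid_from = ssl.cert_time_to_seconds(cert["notBefore"])
    valid_to = ssl.cert_time_to_seconds(cert["notAfter"])
    if not valid_from <= now <= valid_to:
        problems.append("outside validity period")
    return problems

def fetch_peer_cert(host, port=443):
    """Live fetch; server_hostname sends SNI so a shared IP/port returns the right site's cert."""
    ctx = ssl.create_default_context()  # verification on: self-signed/mismatched certs raise
    with socket.create_connection((host, port)) as sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
        return tls.getpeercert()
```

Running check_certificate() against the two constructed certificates shows why a browser accepts the CA-issued one for both shop.example.com and www.example.com but warns on the self-signed one even though the name matches.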