What is SSL/TLS and the "trusted internet"?
The modern “trusted Internet” is synonymous with two ubiquitous technologies: Secure Sockets Layer (SSL) and Transport Layer Security (TLS). This article deals with both. When accentuating their similarities, they’ll be dealt with together; at times, however, we’ll differentiate between the two. Regardless of which technology we’re discussing, cryptographic keys allow for encrypted private conversations between remote parties while digital certificates ensure that servers truly belong to the entities for which they represent online. These components comprise the Public Key Infrastructure (PKI) that makes secure conversations and transactions possible on the inherently insecure public Internet.
What indicators come to mind when you think of the “trusted Internet?” Is it the padlock icon? Or is it perhaps the “https://” designation in the browser address bar? Have you ever really looked at a digital certificate and verified that it is issued by a recognizable certificate authority (CA)? SSL encompasses all these elements and more.
What is the history of SSL and X.509 Certificates?
SSL became an Internet standard in 1994, with TLS being added soon thereafter. Both are constructed around a similar architecture using X.509 certificates. Although there are some differences between SSL and TLS, this document generally refers to the protocol as SSL/TLS, since the two share a common architecture. SSL/TLS is most often represented as HTTPS, but the protocol can be used to secure any TCP-based application. SSL/TLS is also popular for encrypting traffic between email clients and POP or IMAP servers, setting up secure tunnels between IDS sensors and management consoles, and supporting VPNs as a lower-cost alternative to IPSec.
SSL 3.0 debuted in 1996 and quickly became the Internet’s primary security mechanism. TLS is the successor protocol to SSL, allowing clients and servers to specify accepted hash and signature algorithms and support additional cipher suites. TLS 1.3 rolled out in 2018 and included several security and performance improvements. It also removed obsolete and insecure features from the 2008 TLS 1.2.
As of August 2019, best security practices by the National Institute of Standards (NIST) requires all government TLS servers and clients support TLS 1.2 (configured with FIPS-based cipher suites) and recommends agencies develop plans to support TLS 1.3, if they are not doing so already.
With cybersecurity at the forefront in this digital age, more internet users are wondering, “What does SSL mean?” and “How secure are the sites I use?” It benefits every website owner to know the answers and to take the necessary steps to establish trust with visitors to their site. And now we’ve covered what SSL means, but what is an SSL certificate? Read on.
What is an SSL Certificate?
SSL/TLS certificates play a critical role in secure and encrypted communications between a client and a server. First, the server’s certificate, containing its public key, is used by the client to determine whether the client should accept a trust relationship with the server. If the client accepts or validates the authenticity of the server, then the server certificate is used to establish a secure, encrypted channel for the ensuing session. These protocols are not new.
What does SSL Stand For?
Many of us are familiar with the term SSL, even if we don't specialize in cybersecurity—perhaps noticing it briefly in our browser settings. But what exactly is SSL? SSL stands for Secure Sockets Layer, while TLS refers to Transport Layer Security. Both are critical online security protocols designed to safeguard data transmitted over the internet.
What does an SSL Certificate do?
An SSL certificate fulfills many roles: it encrypts sensitive data, verifies authenticity, and enhances trust. Its main function is to secure sensitive information transmitted over the internet, ensuring that only the intended recipient can access it. This encryption helps protect against hackers and identity thieves. Obtaining an SSL certificate from a reputable provider guarantees authentication, confirming that the information sent reaches the correct server and not an impostor. SSL also bolsters customer confidence by securing connections.
For websites that handle credit card transactions, adhering to Payment Card Industry (PCI) standards is mandatory, and having an SSL certificate is required for compliance with these standards.
How SSL Certificates Work:
An SSL certificate contains information necessary for securing online communications, including:
- The domain name for which the certificate is issued.
- The individual, organization, or device to which it is issued.
- The Certificate Authority (CA) that issued the certificate.
- The digital signature of the Certificate Authority.
- Any associated subdomains.
- The issue date and expiration date of the certificate.
- The public key (while the corresponding private key is kept confidential).
- The public and private keys are lengthy sequences of characters that encrypt and sign data. Data encrypted with a public key can only be decrypted with its corresponding private key.
SSL certificates are stored on a website’s origin server and are transmitted to any device that connects to the site. In most web browsers, such as Chrome, users can view the SSL certificate by clicking on the padlock icon located on the left side of the URL bar.
Why do we need SSL Certificates?
SSL/TLS is the foundation for a secure internet. It protects information and is essential for protecting your website, even if the site doesn’t handle sensitive information like credit cards, names and addresses, or passwords. It is also used to secure email and sharing of files. An SSL certificate provides privacy, data integrity, and critical security.
Encryption: The encryption used in SSL/TLS is enabled by the pairing of public and private keys, which SSL certificates provide. When clients, such as web browsers, initiate a TLS connection, they retrieve the public key from the server's SSL certificate.
Authentication: SSL certificates are crucial for verifying that a client is communicating with the legitimate server that truly owns the domain. This is key in preventing domain spoofing and similar attacks.
HTTPS: For businesses, the use of an SSL certificate is essential for enabling an HTTPS web address, which represents the secure version of HTTP. Websites with HTTPS encrypt their traffic through SSL/TLS, enhancing security.
In addition to securing data during transit, HTTPS also boosts a site's credibility to users. While many users may not distinguish between 'http://' and 'https://', most browsers now label HTTP sites as "not secure," providing a clear visual cue that encourages the transition to HTTPS for increased security.
If your site asks for any personal information, an SSL certificate is necessary. In addition, search engines are taking note of perceived security lapses in websites, and they now issue warnings against any site not considered secure. Google uses SSL as a ranking factor, so without an SSL certificate, your site will be harder to find.
How much does an SSL Certificate cost?
The price of an SSL certificate runs from cheap (some are even free) to very expensive. The adage, “You get what you pay for,” applies. Your SSL choice depends on the type of website and your company. A large financial institution will pay thousands of dollars a year for their SSL certificate, but a blog or online portfolio will not require the same kind of security, so a less expensive certificate will probably suffice.
How do you get an SSL Certificate?
When selecting an SSL certificate, it's crucial to choose a reliable certificate from a reputable Certificate Authority (CA)—the entity that issues the certificate and associated keys. An incorrect or poorly installed certificate can be as ineffective as not having one. Luckily, the procedure is straightforward:
- Select a Certificate Authority.
- Purchase and verify your SSL certificate.
- Download the SSL certificate files.
- Install the SSL certificate on your server.
- Validate the SSL certificate to ensure it's functioning properly.
What is a Self Signed SSL Certificate?
A self-signed SSL certificate is one that any individual can create by generating a public-private key pair and including all the essential information typically found in SSL certificates. These certificates are termed "self-signed" because they are authenticated using the website owner's private key rather than a Certificate Authority (CA).
However, the major drawback of self-signed certificates is the absence of a third-party authority to confirm the authenticity of the origin server. Consequently, browsers do not regard these certificates as trustworthy. Websites using self-signed certificates may still be flagged as "not secure" even if they use an https:// URL. Browsers might also choose to block the connection entirely, preventing the website from loading.
How do I install an SSL Certificate?
The method for installing an SSL certificate varies based on the provider from which it was purchased. While some providers may simplify the installation process or handle it entirely on your behalf, manual installation might be necessary for others. The steps for manual installation depend on your platform and operating system. This article contains instructions and tutorials for manual installation of an SSL certificate.
SSL Nomenclature
The proper use of cryptographic keys and digital certificates by the communicating parties underpins SSL security. Before a client and server can exchange information protected by SSL, they must securely exchange or agree on an encryption key and a cipher to use when encrypting data. Public key certificates used during the exchange/ agreement can vary in the size of the public/private encryption keys used, thus determining the robustness of the security provided throughout the session.
A cipher is a mathematical algorithm used to transpose human-readable plaintext into unreadable ciphertext. Countless ciphers have been developed throughout history, primarily for military applications, with many variants currently in use across the Internet today. Many ciphers previously thought to be secure were later exposed as insecure, further fueling the cryptographic arms race.
Certificate Trust and Validity
SSL enables a wide array of beneficial applications that make the Internet the most valuable communication medium the world has ever known:
- Email—nearly all major providers now use SSL (e.g., Gmail, Yahoo)
- Social media (e.g., Facebook, Twitter, LinkedIn)
- Ecommerce (e.g., Amazon, EBay)
- Online banking, financial services
- Medical records, tax records
- Sensitive information transiting the Internet
- Software validation (digital signatures authenticate publishers of applications)
Perhaps most important of all, SSL is instrumental in gaining acceptance. Nearly everything worth doing on the Internet besides casual news and entertainment browsing is now being secured using SSL. This is precisely why it is so important that SSL be properly understood, deployed, and maintained by enterprise security professionals.
What Is SSL Certificate renewal?
When you hear the word renewal, you may well think of your driver’s license, or maybe someone’s wedding vows. But of course, we’re talking about cybersecurity. What is SSL certificate renewal? SSL certificates are hardcoded with expiration dates (a maximum of two years), so you must renew your SSL certificate before it expires. This provides greater protection and ensures your SSL encryption is up to date with the latest TLS versions and ciphers.
How to Renew Your SSL Certificate in Four Simple Steps:
- Generate a CSR: Start by creating a new certificate signing request (CSR) from your Certificate Authority's (CA) hosting control panel. You will need to enter contact information to verify domain ownership. After filling out all the required fields, your host will provide you with a CSR code, which is necessary for reactivating your certificate in the subsequent step.
- Activate SSL Certificate: Submit the CSR obtained from the first step along with any additional requested information. Allow some time for the CA to process your request and verify your identity. This process will typically take as long as it does for a new certificate's CSR, provided there are no changes to the domain owner, organization name, or other submitted details.
- Complete Domain Control Validation (DCV): Before your new certificate becomes active, you must validate it. DCV confirms your identity and verifies that you own the domain for which the certificate is requested.
- Install SSL Certificate: Once approved, the contact for the certificate will receive the new SSL certificate from the CA in .crt format. Install and set up your new SSL certificate before decommissioning the old one. If you are obtaining a new certificate through your hosting provider, it should automatically be added to your site. If not, you may need to consult your server’s documentation for instructions on how to upload and implement your SSL certificate on your server.
When is the best time to apply for a certificate renewal?
Certificate renewal is the process by which a user purchases a new certificate for the same public key used in an expiring certificate. While certificates used to be valid for up to three years, as of September 2020 all SSL certificates will have a maximum lifespan of 13 months. While many experts have expressed concern over this change, shorter certificate validity periods are actually a good thing for security.
The best time to apply for an SSL certificate renewal is within the last quarter of the current certificates’ lifecycle so there is plenty of time for the renewal to be processed. This will ensure there is no downtime between validity, avoiding a potentially costly outage and maintaining user trust of your website’s reliability.
What is an SSL certificate reissue?
A certificate reissue (sometimes referred to as re-keying) is when a user generates a new private key and CSR for an existing certificate. As explained by DNSimple, users might need to proceed with the reissuing process if they lose or delete their private key, if they want to change any of their certificate information, or if they want to change the certificate's encryption level. Upon completion, the reissuing process produces a new digital certificate.
SSL certificate renewal vs SSL certificate revocation
When you renew a certificate, you do not need to revoke the old certificate. The old certificate will simply expire and then it will no longer be valid. Certificate revocation is not necessary during certificate renewals because the new SSL certificate maintains all the same characteristics as the one that it replaces, including the private key.
You should only revoke a certificate if you suspect its private key has been compromised. Certificate revocation will immediately invalidate an SSL certificate prior to its scheduled expiration and render it unusable. Generally, you would only revoke a certificate when its private key becomes unsafe, such as when a user shares the key on a public website or if hackers steal the key from a company's servers. But you may also wish to revoke a certificate when the domain for where it is being used is no longer operational.
Revoking the certificate for such instances cancels the certificate, thereby removing the HTTPS connection from the owner's domain. At this point the owner will have to reissue an SSL certificate to replace the revoked one.
Organizations should maintain accurate and up-to-date certificate revocation lists, a list of all digital certificates that have been revoked by the issuing CA and should no longer be trusted.
What are the benefits of SSL?
The SSL definition comes down to its name—Secure Sockets Layer—and as the term suggests, it provides a layer of security. There are five key benefits to SSL:
- It protects data
- It affirms your identity
- It gives you better search engine ranking
- It is a requirement for PCI/DSS (Payment Card Industry Data Security Standard) compliance
- It improves customer trust
Does google rank SSL websites higher?
SSL does impact search rankings. In order to offer more protection to internet users, in 2014 Google changed its algorithm so that HTTPS was a ranking signal, which gave the upper hand to HTTPS-enabled websites. And in July of 2018, Google Chrome began marking all sites that do not have an SSL certificate as “not secure.”
What does SSL protect against?
SSL/TLS encrypts data sent across the internet, which protects against hacking and identity theft from third parties intercepting or “eavesdropping” on your site’s activities.
Can SSL Certificates be hacked?
Cybersecurity is always improving and advancing. Unfortunately, so are the methods of those trying to breach that security. SSL is just one part of a site’s overall security. It’s important to stay current with SSL certificates to protect against hackers who take advantage of outdated encryption or ciphers. Protecting the private key to your certificate is also vital. Another tactic, while not technically hacking an existing certificate, is when fraudulent certificates are issued by hackers to add the appearance of legitimacy to fake websites.
How does SSL prevent Man-in-the-Middle Attacks?
In cybersecurity, a man-in-the-middle attack refers to when communication between two parties online is compromised by a third party. Attackers can eavesdrop to capture information from the exchange, or they can actively modify or tamper with the information. SSL/TLS protects against these attacks by encrypting all data with a private key given to the original SSL certificate holder. Attackers cannot read or tamper with the encrypted data without the private key.
How does SSL protect data?
SSL certificates protect data by using a key pair: a public key and a private key. Together, these keys handle encryption and decryption. An SSL also contains the identity of the certificate/website owner. While a hacker may see the public key, the private key is known only to the original certificate holder and their server. Therefore, unauthorized parties cannot decrypt the data.
What is the difference between SSL and TLS?
TLS (Transport Layer Security) is an updated, more secure version of SSL. The term SSL is still commonly used, but at this time it usually refers to TLS protocol and certificates.
Does TLS require a certificate?
In 1999, TLS replaced the older SSL protocol as the preferred security mechanism. Now, it is recommended that any websites with the outdated SSL protocol disable it and enable TLS only. TLS 1.3 was released in 2018.
Like SSL, a certificate is used with TLS. However, it is important to understand that certificates are not the same as protocols. So you don’t need to choose between a TLS certificate or an SSL certificate. It may be more accurate to say these are “certificates for use with SSL and TLS,” since the protocols are determined by the server configuration, not the certificates themselves.
With increasing cybersecurity threats—not to mention search engines giving preferential treatment to sites perceived as more secure—any website owner should seriously consider adding SSL/TLS to their site. In addition to SSL encryption that secures data, an SSL certificate instills trust, affirms identity, performs better in search rankings, and is a requirement for PCI/DSS compliance to process payment online. It is an important step in enhancing online security and ensuring a safer internet experience for your customers.
Quite frankly, there is no realistic scenario in which your business website—no matter what service or product or idea you peddle—can reasonably expect to function without SSL/TLS today. It really is that crucial.
Data Sheet: Venafi TLS Protect
Secure Your SSL Certificates with Venafi TLS Protect
Ensuring the security of your online presence goes beyond implementation—it requires proactive measures to maintain trust and safeguard sensitive data. That's where Venafi TLS Protect comes in. Venafi offers comprehensive solutions to manage SSL/TLS certificates effectively, ensuring that your website remains secure and compliant.
With Venafi TLS Protect, you gain:
- Streamlined Certificate Management: Simplify the process of obtaining, renewing, and installing SSL/TLS certificates, reducing the risk of misconfiguration or expiration.
- Enhanced Security: Protect against potential vulnerabilities and stay ahead of evolving cybersecurity threats by ensuring the integrity and validity of your SSL/TLS certificates.
- Compliance Assurance: Meet industry standards like PCI/DSS with confidence, knowing that your SSL/TLS certificates are managed in accordance with regulatory requirements.
- Increased Customer Trust: Demonstrate your commitment to security and privacy, instilling trust in your customers and enhancing your reputation in an increasingly competitive digital landscape.
Don't leave your website's security to chance. Invest in Venafi TLS Protect today and take proactive steps to safeguard your online presence. With Venafi, you can ensure a safer and more secure Internet experience for yourself and your customers.