Pagoda Blog

Your website is an online space where you have the opportunity to engage with customers and leads, sharing information and gaining valuable business. If your website is not secured by HTTPS, backed by a SSL/TLS certificate, you’re putting your customers and your business at greater risk of a data breach. 

 

It’s critical to ensure that everyone who visits your website is protected by a secure, encrypted connection. HTTPS signifies to users that your website is legitimate and trustworthy and gives them the confidence to browse and interact with your website. 

 

So we know that having a website secured by HTTPS is important but what does it mean to have it protected by a SSL/TLS certificate? Does every website have one and what does it do? Let’s dive in. 

 

What is a SSL/TLS certificate and how does it work? 

 

HTTPS requires either a Secure Sockets Layer (SSL) or a Transport Layer Security (TLS) certificate. SSL and TLS are security protocols that create an encrypted connection between your browser and server or website. SSL is simply an older, outdated version of TLS but the acronyms are still often used interchangeably or combined as SSL/TLS. You will most often hear the certificate referred to as an SSL certificate even though this is inaccurate as SSL is no longer safe to use. We will be using SSL/TLS throughout the post since both terms are still used. 

 

So how exactly does a SSL/TLS certificate work? 

 

First, when you visit a website protected with HTTPS, the page sends the TLS certificate with the website’s public key required to secure the session. Your web browser and server then enter into a “TLS handshake” — a communication that ensures a safe connection. The SSL/TLS certificate includes information such as the aforementioned public key, the domain name it’s issued for, and the digital signature of the certificate authority who issued the certificate. The certificate is intended to validate the server’s identity, protecting the site and its users from bad actors who may try and impersonate a website with malicious intent.   

 

Different types of SSL/TLS Certificates

There is more than one type of SSL/TLS certificate. The type you choose depends on the size of your website and how many domains you need to secure. 

 

Single Domain SSL/TLS Certificate

A single domain certificate is for one website domain and all pages under this domain are secured by the same certificate. 

 

Wildcard SSL/TLS Certificate

A Wildcard SSL/TLS Certificate is for one website domain and all associated subdomains. A subdomain usually starts with something other than www but will still include the primary or umbrella domain name. For example, blog.[domain name].com.

 

Multi-Domain SSL/TLS Certificate

A Multi-Domain certificate covers multiple separate domains (not subdomains) under one certificate. This type of certificate may be offered for free by a company, such as Cloudflare, who is trying to encourage website owners to use HTTPS encryption.   

 

The 3 validation levels of SSL/TLS Certificates

There are three types of SSL/TLS certificate validation levels and each meets different requirements. Your validation level will depend on the size of your website and the type of data you collect, store, and/or share.

 

1) Domain Validation (DV) 

Domain Validation is a free SSL/TLS certificate that only requires the website owner to prove that they have the right to use that domain. This certificate is the easiest to obtain and also the least secure. It is not recommended for websites that handle sensitive data. It’s best for small, single-focused sites like blogs or online resumes.

 

2) Organization Validation (OV) 

In order to obtain an Organization Validation, a Certificate Authority does a more thorough, manual scan of the website to ensure its legitimacy. They will also often reach out for a copy of the website’s SSL/TLS certificate. An OV is more secure and recommended for websites handling user data. 

 

3) Extended Validation (EV) 

Extended Validation is the most robust SSL/TLS certificate and requires websites to undergo a full background check. The background check will confirm that the company actually exists and is legally registered as a business at the provided address. It is for large, high-traffic sites such as e-commerce sites and government organizations.   

Does your website have a SSL/TLS certificate? 

Any website, regardless of what type of information it handles, should use HTTPS to mitigate the risk of a cyberattack, protect customer data, and improve SEO. In fact, Google’s Chrome browser attempts to load all websites over HTTPS in order to ensure a secure, encrypted connection. If the site does not support HTTPS the Chrome browser displays a warning.  This shows just how much Google values HTTPS which means your website should obtain its own SSL/TLS certificate to ensure a good ranking on Google.  

 

If your website is already running on HTTPS, most browsers will show a small padlock icon to the left of the domain name in the browser bar. Simply click on the icon to view the website’s certificate. 

 

In Chrome, you will see a small “site information” icon (see screenshots below). When you click on this icon, you’ll see the words “Connection is secure” to verify the site is using HTTPS. To view the type of certificate, click the little carrot (>) next to the “Connection is secure” text. Look for text stating “Certificate is valid” and then click the arrow for more information, such as the type of certificate, date issued on, expiration date, and the public key.    

 

 

 

 

 

 

 

If your website does not have a SSL/TLS certificate, there are a number of ways to obtain one. Conducting a quick online search for ‘how to obtain a SSL/TLS certificate’ can quickly become an overwhelming rabbit hole. HubSpot, fortunately, has a very helpful blog post that outlines the steps to obtain a certificate and also includes a list of the top ten free and low-cost SSL certificate authorities. 

 

Still need help ensuring your website is secured by HTTPS and is using the right kind of SSL/TLS certificate for your business needs? Get in touch for a free IT consultation so we can determine how best to support your SMB. 

 

Feature photo by Nicole Wolf on Unsplash

 

Want to get more posts like these in your inbox? Sign up for the Pagoda newsletter and we’ll send you the occasional email with content that will sharpen your technical skills, from cybersecurity to digital marketing. 

 

Did you know we also have a weekly LinkedIn newsletter? Make sure to subscribe for weekly actionable IT advice and tech tips to set your business up for success.

 

-------------------

 

About Pagoda Technologies IT services

Based in Santa Cruz, California, Pagoda Technologies provides trusted IT support to businesses and IT departments throughout Silicon Valley, the San Francisco Bay Area and across the globe. To learn how Pagoda Technologies can help your business, email us at support@pagoda-tech.com to schedule a complimentary IT consultation.