SSL certificates can help protect your information from ending up in the wrong hands. Here are 9 things you need to know to help keep your personal info safe online.
1. What is an SSL certificate?
An SSL certificate encrypts information sent between your web browser (Google Chrome, Apple Safari, etc.) and a web server (e.g. your favorite website). This allows you to submit your credit card information, usernames and passwords, and other sensitive information to websites securely.
2. What does S.S.L. stand for?
SSL stands for Secure Sockets Layer.
3. How does an SSL Certificate work?
- Your web browser connects to a web server that is using an SSL certificate.
- The web server then sends its SSL certificate, which names the issuing certificate authority. A certificate authority, CA for short, is a trusted third party that has issued the certificate.
- Your browser then confirms the validity of the certificate with the certificate authority. By verifying that the certificate was indeed issued by the CA, your web browser can be confident that the web server and certificate are trustworthy and that it is safe to proceed.
- If the certificate is valid and if the certificate authority is trusted, then a key is exchanged between the browser and the web server. This key will be used to encrypt and decrypt information sent between the two parties.
- Both the web browser and the web server can now securely exchange information.
4. How do I know when it's safe to make an online transaction?
Checking for the use of a valid SSL certificate is a good start.
- Beware of any browser warnings as those could be an indication of an expired, untrusted, or otherwise insecure SSL certificate.
- You'll want to look for "https://" rather than "http://" in the browser's URL.
- Modern browsers will also show a lock symbol showing that an SSL certificate is in use. Clicking on this lock will show information regarding the certificate, the issuing certificate authority, and the certificate's expiration.
Note: an SSL certificate protects information in transit from the web server to your browser and vice versa. However, your computer and/or the website itself may still be at risk. You'll also want to verify that your computer is free of malware and that the website you're visiting is reputable.
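The checks described in sections 3 and 4 can also be run from a script. The following Python is an added example, not part of the original article: `check_site` connects the way a browser does and reports whether the certificate chain is trusted, and `summarize_cert` extracts what the lock icon shows (who the certificate is for, who issued it, when it expires). The host name `shop.example`, the CA name and the dates in `SAMPLE_CERT` are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone


def summarize_cert(cert, now=None):
    """Summarize a certificate dict in the format returned by SSLSocket.getpeercert()."""
    now = now or datetime.now(timezone.utc)
    # subject/issuer are tuples of RDNs, each a tuple of (name, value) pairs.
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {
        "subject": subject.get("commonName"),
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "expires": expires.date().isoformat(),
        "days_left": (expires - now).days,
        "expired": expires <= now,
        # Heuristic: a self-signed certificate names itself as its own issuer.
        "self_signed": cert["subject"] == cert["issuer"],
    }


def check_site(host, port=443, timeout=5.0):
    """Connect as a browser would: the default context verifies the CA chain,
    the validity dates and that the certificate matches the host name."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                return {"trusted": True, "protocol": tls.version(),
                        **summarize_cert(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        # Expired, self-signed, untrusted-CA and wrong-host certificates end up here.
        return {"trusted": False, "reason": exc.verify_message}


# Constructed sample in getpeercert() format, so the example runs offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Example Trust CA"),),
               (("commonName", "Example Trust CA R1"),)),
    "notBefore": "Jan 15 12:00:00 2024 GMT",
    "notAfter": "Apr 15 12:00:00 2024 GMT",
}

if __name__ == "__main__":
    print(summarize_cert(SAMPLE_CERT, now=datetime(2024, 3, 1, tzinfo=timezone.utc)))
```

Calling `check_site` with a real host name requires network access; a result with `"trusted": False` corresponds to the browser warnings mentioned above.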
5. What about the Heartbleed vulnerability? Should I be worried?
The bad news:
The Heartbleed vulnerability is an issue that affects specific versions of OpenSSL. OpenSSL is a technology that is used by the majority of websites on the internet to help protect online information. The issue is quite serious in that it allows an attacker to gain access to private encryption keys and eavesdrop on seemingly secure connections.
The good news:
The Heartbleed vulnerability is easy to resolve by simply updating OpenSSL. Many websites have already done so in order to protect their customers' information.
If you're unsure, you can check to see if a website is still affected by the Heartbleed vulnerability using either of the following websites:
Due to the widespread nature of the Heartbleed vulnerability and the inability to detect if and when the vulnerability has been exploited, it's hard to say how many websites and users have been affected. If you're concerned about the possibility of your information having been accessed, you should update your passwords and implement 2-step authentication wherever possible.
6. I own a website. Do I need an SSL certificate?
It depends on the nature of your website. If your website offers static information without the ability for users to interact with, purchase from, or contribute to your site - then you may be okay without a certificate. However, if you process transactions through your website or store sensitive information (especially financial, medical, or personally identifying information) then you absolutely need an SSL certificate. Even if you have simple user accounts with little sensitive information, it's generally a good idea to have an SSL certificate in place to help protect your users.
7. How much does an SSL certificate cost?
In most cases, an SSL certificate should cost between $100-300/year. However, depending on the provider, functionality and compatibility, SSL certificates can cost as much as $2,000 per year or more.
Note: in addition to the cost of the SSL certificate itself, you will also need a dedicated IP address - which can cost between $1-4/month depending on your web host and package.
8. How do I install an SSL certificate?
The simplest way to install your SSL certificate is to open a support ticket with your hosting provider. In most cases they will either install the certificate for you or provide instructions specific to your server configuration.
9. What is the difference between a self-signed SSL certificate and a professionally-signed SSL certificate?
Self-signed certificates provide just as much encryption as professionally-signed certificates. The only difference is that professionally-signed certificates are issued by trusted certificate authorities. This means that their validity can be verified, whereas this cannot be done with self-signed certificates. As a result, many web browsers show warnings when you try to load a website that is using a self-signed certificate. In most cases, it is wise to avoid sites using self-signed certificates.