What is an SSL certificate? A definition + FAQs answered

An SSL certificate is a type of digital certificate that provides authentication for a website and enables an encrypted connection. Short for Secure Sockets Layer, SSLs communicate to web users that a connection is safe and secure. When a website holds an SSL certificate, a padlock icon appears on the left side of the URL address bar signifying that the connection is secure. Additionally, sites will display an “HTTPS” address instead of an “HTTP” address. 

In order to receive an SSL certificate, the web service host must demonstrate ownership of the domain to the certificate authority at the time of certificate issuance. This authentication process is much like sealing a letter in an envelope before sending it through the mail.  

Secure websites help web users protect their sensitive information, like credit card or Social Security numbers. Today’s digital citizens face many emerging threats, and making sure the websites you visit are secure is one important way you can protect your information.

What is an SSL certificate used for? 

SSL is used to secure information between a web visitor and the site. It is commonly used on e-commerce sites and pages that require users to submit personal or credit card information.

Since researchers predict e-commerce will make up 17 percent of all U.S. retail sales by 2022, there is a growing need for both web users and webmasters to keep sites secure.

By ensuring that all data passed between the two parties remains private and secure, SSL encryption can help prevent hackers from stealing private information such as:  

• Credit card numbers
• Bank information
• Names
• Addresses
• Birthdates
• Phone numbers
• Login credentials
• Proprietary information
• Legal documents and contracts
• Medical records

Without a secure connection, the above data can become susceptible to man-in-the-middle attacks, among other cyberattacks.

How does an SSL certificate work? 

SSL certificates work by establishing an encrypted connection between a web browser and a server. The encrypted data is impossible to read without a secret key, called a decryption key.

When your browser tries to connect to a secure website, several steps take place in only a few milliseconds:

1. You type in a secure website’s URL, indicated by an HTTPS address: “https://us.norton.com/”.
2. Your browser requests secure pages (HTTPS) from Norton’s web server.
3. The web server sends a public key along with its SSL certificate. Valid SSL certificates are digitally signed by a third party, establishing the server’s identity and domain ownership. 
4. Your web browser verifies that the digital signature is legitimate.
5. Once the certificate’s signature is verified, your browser displays a padlock icon in the URL bar.
6. Your web browser sends encrypted data to the web server along with a secret key.
7. The server uses a private decryption key to read the data and access the secret key.
8. From this point forward, the browser and server will share data using the secret decryption key. Information is unreadable to hackers who do not have the shared secret key.   

Types of SSL certificates explained

Extended validation (EV) SSL certificate

This type of certificate has the highest level of security and is a must-have for websites that handle sensitive information. In order to issue an EV certificate, a neutral third-party certificate authority (CA) performs an enhanced review of the applicant to increase the level of confidence in the business. Sites using EV certificates were previously identifiable by green text in the address bar but now only display a padlock.

• Trust Level: Maximum 
  

Organization validated (OV) SSL certificate

OV certificates have a moderate level of trust and are a good option for public-facing websites that deal with less sensitive transactions. This certificate requires organizations to prove domain ownership and provide documentation that the business is legally registered. OV-secured sites also display a padlock. 

• Trust Level: Moderate

Domain validation (DV) certificate

DV certificates only verify who owns the site. Be aware that DV certificates have the lowest level of trust and are commonly used by cybercriminals because they are easy to obtain and can make a website appear more secure than it is. Like EV- and OV-secured sites, DV-secured sites display a padlock. If you’d like to see whether a site is DV-secured, click the padlock icon and read the certificate details. Many malicious DV-secured sites do not offer site details.  

• Trust Level: Minimal 

Other SSL certificates 

SSL certificates may also be referred to by other names, such as: 

• Unified communications (UCC) SSL certificate
• Single domain SSL certificate
• Wildcard SSL certificates

These certificates mainly refer to how many domains are registered under one certificate and can be purchased either as EV, DV, or OV certificates. The level of trust associated with each certificate will vary accordingly. 

How to tell if a site has an SSL

Considering over half of all consumers have experienced cybercrime, knowing how to tell whether a site is secured with an SSL certificate can help ease safety concerns.

Whether a site is secured with an EV, DV, or OV certificate, secure sites will display: 

• A padlock symbol in the URL address bar
• An HTTPS address rather than an HTTP address

Previously, sites secured with an EV certificate displayed the company’s name in the address bar in green text. As of 2019, most major browsers, including Chrome and Firefox, have removed this indicator. Instead, browsers now display a notification if your connection is not private, citing that SSL certificates are now the norm. 

5 tips to ensure your online session is Cyber Safe

Now that you know what an SSL certificate is, the three main types, and that DV-enabled sites pose a risk for online scams, it’s important to learn how to reduce your exposure while shopping or performing other sensitive transactions online.

To help ensure your online session is secure, follow these five steps:

1. Read the seller’s privacy policy: Find out how your personal information will be used. Reputable companies should be open about the information they collect and what they do with it.
2. Look for trust indicators on shopping sites: Reputable logos or badges signify that the website meets certain security standards.
3. Understand the type of SSL certificate a website holds: Knowing the type of certificate a 
   website holds can help you determine how secure that site is and what information you’ll share with it. If you’re unsure what type of certificate a website has and want to check its security, you can click on the padlock icon in the URL bar to find certificate details. If a site does not list any organization details, be wary of submitting your data.
4. Consider cybersecurity tools: Several tools can help you stay safe online. Antivirus software is one of the most well-known, but having a VPN is ano websites.
5. Know the signs of unsafe websites: Flashing warning signs, exclamation marks, pop-ups, and redirects are just a few signs of suspicious websites. Most browsers will also display warnings when entering a site without a private connection. 

As more consumers continue to shop online, cyber risks continue to evolve. Understanding the types of SSL certificates to look for, what makes a safe site, and the potential risks of online shopping can help consumers avoid online scams and protect their sensitive data from cybercriminals.

FAQs about SSL certificates

Here are answers to some of the most frequently asked questions about SSL certificates.

What is an SSL connection?

An SSL connection is encrypted communication between a web browser and a server. The connection is
established through sharing a secret decryption key.  

What does SSL stand for?

SSL stands for Secure Sockets Layer, a cryptographic protocol to keep shared data between a web server and browser secure.

What is the purpose of SSL certificates?

SSL certificates help establish a server’s identity, domain ownership, and company details. They create trust with users by verifying that websites used to track finances and make online purchases are secure and legitimate.

HTTP vs. HTTPS: What’s the difference?

An HTTPS address represents an encrypted connection, while an HTTP address is not encrypted. An SSL certificate enables the encrypted connection present in the HTTPS address, and the extra “s” stands for “secure.” 

Can SSL certificates be used on multiple servers?

Yes, some SSL certificates can be used on multiple domains or servers. However, some SSL certificate issuers license on a per-server basis, so check your terms and conditions.

What happens when an SSL certificate expires?

When an SSL certificate expires, a browser and server will no longer be able to communicate with a secure, encrypted connection. Data will be sent in plaintext, leaving it susceptible to cyberattacks.

How do you get an SSL certificate?

SSL certificates must be issued by valid certificate authorities (CAs). CAs will ask for different documentation depending on whether an applicant is seeking an EV, OV, or DV certificate.

What is the cost of an SSL certificate?

The average price for an SSL certificate is about $60 annually, but prices vary widely. You can spend anywhere from $5–$1,000 per year depending on your site’s security needs.

Can I get an SSL certificate for free? 

Yes, nonprofit CA organizations offer free SSL certificates. However, there are often downsides to using a free certificate vs. a paid one. For example, paid certificates can remain valid for up to two years, but a free certificate may need to be renewed every 90 days.

What does an SSL certificate include?

SSL certificates may include:  

• The domain name
• The company, person, or device that owns the certificate
• Subdomain names
• The issuing certificate authority (CA)
• The CA’s digital signature
• Issuance date
• Expiration date
• The public key (the private key is kept a secret)