Security

What is an SSL Certificate, and Do You Need It?

Free or Commercial? HTTP or HTTPS?

The short answer - Yes, you definitely need an SSL certificate, and there are no reasons to avoid using one.

For the long answer (and it is long), read below.

Is SSL Really Required for All Websites Now?

SSL Certificates were once needed only by big commercial and shopping sites. Nowadays, however, this is a requirement for any website, even simple blogs, portfolio sites, or galleries. Web browsers have begun a transition to a more secure web, and their UIs (user interfaces) have started reflecting on that by showing warnings on sites not protected with an SSL certificate.

When you open a website over a plain HTTP connection (see explainer below) you may get a “Not secure” sticker on the left in some browsers:


Google Chrome showing a “Not Secure” site. Google plan on making the ‘Not Secure” text red in the future. See here.

To fix this, you need an SSL certificate. SSL stands for Secure Sockets Layer. In layman's terms, it’s what helps create an encrypted connection between the device of the visitor and your website.

When you go to a site with an SSL certificate, like https://www.google.com , you get a reassuring padlock:

SSL Certificates for SEO?

An additional benefit (more like a drawback to not having one) is that having an SSL certificate helps you rank better in Google search results. Back in 2014, Google announced that sites using HTTPS will be ranked higher than ones that don’t utilize it (click here for their blog post).


Some Common Terms

You see these abbreviations a lot, but what do they mean? Aren't HTTPS and SSL one and the same thing? What is TLS then? And how about HSTS? Here are the answers in human words.

HTTP, HTTPS, HTTP/2, SSL, TLS, CA, CSR, HSTS?!?
  • HTTP (Hyper Text Transfer Protocol) - This is the original protocol used on the web. It works, but it has several drawbacks - mainly, it transmits all data in plain text over the internet. This means that any intermediary can sniff the connection and check all the data. Check the video below for a demonstration of this type of attack.
  • HTTPS (Hypertext Transfer Protocol Secure) - That's the secure version of HTTP, providing encryption via SSL/TLS certificates.
  • HTTP/2 - This is a major revision of the protocol designed to resolve another problem with it - HTTP opens a separate connection for each resource. This works for small sites, but nowadays websites load a lot of resources - JavaScript libraries, CSS files, fonts, images. HTTP/2 combines all of them in the same connection, speeding things up. And since HTTP/2 was new, browser developers decided to make it work over encrypted connections only, meaning that if you wish to take advantage of the speed boost HTTP/2 provides, you need an SSL certificate. HTTP/2 is fully supported on all our servers.
  • SSL/TLS - Did you know that SSL is actually an outdated protocol and no longer used? The latest version of the SSL protocol was published in 1996. Confusing, right? How could it be outdated, when this whole article is about its importance at present? Well, TLS is the updated version, but for legacy reasons, the old name has stayed with us. However, what you actually need is not an SSL certificate, but a TLS one.
  • CA - Certificate Authority - CAs are trusted third-party entities that issue SSL/TLS certificates and verify the owner of the certificate. Some common Certificate Authorities are Digicert, Sectico /Comodo/, and Let's Encrypt.
  • CSR - Certificate Singing Request. The name may sound complicated, but this is actually something quite simple - for the actual generation of the SSL certificate, the authority needs your data in a specific format. Our support team can help you with the CSR generation, or you can easily generate one yourself from the online Control Panel included with all our hosting accounts.
  • HSTS - HTTP Strict Transport Security - this is actually a policy mechanism that indicates to browsers that this site is available over secure connections only. This is useful, as an attacker with control over a network you may be using may be trying to downgrade the SSL connection in order to inspect the packets. By setting the HSTS policy for your website, you can prevent this.

Keys, Root & Intermediate Certificates, PKI, SHA1

There is a slew of other abbreviations you will encounter during your conquest to obtain an SSL certificate - Private Key, Public Key (this is the certificate itself), Common Name (an obscure name for your site's address), Root Certificate (the certificate used by the CA), Intermediate Certificate (some CAs don't have root certificates, but they have an intermediate one, signed with the root certificate of another CA), Certificate Chain (the chain of intermediate certificates leading back to the root certificate), PKI (Public Key Infrastructure), SHA-1, SHA-2, SHA-256 (cryptographic functions).

The SHA-1 to SHA-256 upgrade

Up until 2017 SHA-1 was the most widely used hashing algorithm. In 2017 however, security researches proved the concept of some attacks that were thought possible previously, but never produced in real life. The SHA-1 design was finalized in 1995, and computing power and security requirements have increased tenfold since then. After a Proof of Concept (PoC) was available for the vulnerability in SHA-1, browser vendors quickly deprecated this algorithm and forced everybody to the more secure versions. This change wasn't backwards compatible, and many website owners needed to update their certificates to be compliant.

How Can Anyone Sniff Your Plain HTTP Connection?

It's rather easy and you only need free tools to perform this attack yourself:

The tool above is Wireshark, a packet analyzer that has many different uses. For example, some users may use it to check if their computer is making some unauthorized connections, which would be an indication that malware is running on the computer.

How Do You Obtain an SSL Certificate?

You get it from a Certificate Authority. There are many authorities, and even more resellers. Resellers may sound expensive, but due to the bulk pricing they get, they can usually offer SSLs cheaper than the authorities themselves. Additionally, if you get an SSL from your hosting provider (usually a reseller), you don't need to deal with CSR generations, certificate files, installations, etc. This is all handled for you. Or at least with ICDSoft it is.

Symantec's SSL Business Sale

Symantec were the owners of several SSL brands: Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL. In late 2017 it was revealed that Symantec was issuing certificates without adhering to the policies agreed by the major browsers. This forced Symantec to sell their SSL business, and the SSL Certificates we offer (GeoTrust and RapidSSL) landed in DigiCert's hands.

Commercial Certificates

Sectigo /previously Comodo/ and DigiCert /previously GeoTrust/ are the commercial SSL providers we work with. Until the appearance of Let's Encrypt, this was the only way to get an SSL certificate - you had to pay for it (actually, there was another CA offering free SSLs - StartCom, but it had to close down). Paid SSL certificates are still used and there are reasons for that.

StartCom - The original Free SSL Provider

StartCom were pioneers - they were the first and only SSL authority for a long time that offered free SSL certificates.
Their demise started after they were sold in secrecy to WoSign Limited (based in Beijing, China). It was later found that they were issuing certificates in order to circumvent browser restrictions. Browser vendors quickly reacted and removed the root certificates of StartCom, effectively crippling their business.

There are different types of certificates in different price categories, but they ultimately serve the same purpose - they encrypt the connection between your visitors and your website. We offer several types of commercial certificates which you can check here: https://www.icdsoft.com/en/ssl


Free Let's Encrypt Certificates

Around the time Google was already starting their push to HTTPS, high-ranking personnel from different tech companies such as the Mozilla Foundation and Cisco started a project that provides free and legitimate certificates. It’s called Let’s Encrypt. These certificates offer the same level of protection as commercial certificates, but they are free.

So what's the catch? Well, Let's Encrypt have decided that they will issue SSL certificates for a limited time period only - a maximum of 3 months. This means that the certificates need to be renewed on a regular basis, which isn't suitable for all systems. You need an SSL management infrastructure in order to automate this process and keep your SSL certificates updated. Of course, there is no need to worry about these implementation details when you have an account with us - everything is handled by our Let's Encrypt Infrastructure - issuing, verification, installation and renewal.

Comodo vs Let's Encrypt Trademark Dispute

In 2016, an interesting story captured the attention of techheads - Comodo, a large Certificate Authority had decided to trademark "Let's Encrypt". You can read more about their decision to do so here - Let's Encrypt - Defending our Brand, and you can also check the comments Comodo's CEO made on their own product forum

What is a DV Certificate?

A DV, or Domain Validated certificate, is the standard SSL certificate which you can get from us, from Let's Encrypt, and from most other authorities. It means that the certificate authority validates only that you have control over the domain name. This validation usually occurs by creating a special DNS record, placing a special file on the domain, or by sending an email to one of the following predefined email addresses:


The DigiNotar bankruptcy

This is an interesting case because of one of the features often cited in commercial SSL offers (yes, we have it on our page as well) - SSL Warranties. The SSL Warranty is usually several thousand dollars, but so far we haven't heard of anyone getting it. The closest certificate users got to getting their warranties was in the DigiNotar case, but this SSL authority declared bankruptcy only a month after it was revealed that their systems were hacked. You can read more about this on Wikipedia: https://en.wikipedia.org/wiki/DigiNotar

  • admin@example.com
  • administrator@example.com
  • postmaster@example.com
  • hostmaster@example.com
  • webmaster@example.com

We often get asked if another email address can be used instead. The answer is No. It has to be one of the predefined email addresses. The postmaster account is required by RFC 822 , so every domain owner should have it. At ICDSoft.com all hosting accounts have it by default.

What is an EV Certificate?

EV Certificates, or Extended Validation certificates provide the same level of encryption, but during the issuing process, the authority performs additional checks. The benefits of having such an SSL certificate are dubious, and the fact that popular websites, such as https://facebook.com or https://google.com do not use them adds to the controversy. You may have noticed that some sites have a green bar next to the padlock. Here are screenshots from Mozilla Firefox and Google Chrome which show the way most browsers used to distinguish EV certificates, and the way most browsers are headed now (no visual distinction):

Email Certificates

Email certificates are largely the same as HTTP certificates. Our mail servers, for example, use the same Let's Encrypt TLS certificates as our web servers. They secure other protocols there, however, and are respectively called SMTP over TLS, IMAP over TLS, and POP3 over TLS.

OK I Have the SSL, is My Site Secure Now?

A common issue we encounter is that website owners buy a certificate, install it (or have it installed on their server) but their site continues to load over HTTP. The SSL certificate is there, but no one has forced the users to use it - users may have a bookmark pointing to the HTTP version, or their habits may be pointing them there. For this reason, you should implement an HSTS policy, or enable a redirect to HTTPS on your website. This is easily done via our online Control Panel - just go to the SSL/HTTPS section and click Enable on the Force SSL option.

WordPress and SSL Certificates

There is a caveat however, WordPress, the most popular website platform, isn't fully compatible with these redirects. See, WordPress stores the full URLs (another one of these abbreviations, meaning your full website address, including the protocol) in its database, sometimes in encoded form. That's why with WordPress additional configuration steps may be required. This article at our FAQ covers the topic, but if you are our customer, it would be easier to just ask our support team to do this for you.

Trying To Switch Your Site to HTTPS?

Did you know that ICDSoft's Support Team Does It For Free?

Can I Safely Accept Credit Card Payments with an SSL Certificate?

Having an SSL certificate is the absolute minimum required for you to process payments, but we recommend outsourcing credit card processing to companies like PayPal, 2CheckOut, or Stripe. For the small increase in fees you pay for each transaction, you get the comfort of having an entire company looking over the security of the payment process and the user's payment details. Our company uses this model as well, and we are pretty satisfied with it.

Security is a Process, Not an End State

Anyone with knowledge of connected systems will tell you that security is a process. There is no final stage where you are 100% secure.

With the SSL certificate you have covered only one side of this process and that is the connection encryption. This protects against eavesdropping, and malicious actors sniffing your networks, but does nothing to the security of your data at rest or to the security of your scripts. If you collect any data from users, you must take proper security precautions, SSL being one of them, but certainly not the last one.

So are You Ready to Go Full HTTPS?

You could go and buy one directly from: https://www.icdsoft.com/en/ssl , but it will be easier, and cheaper in the long run to have a hosting account with a Free SSL Certificate which is automatically renewed. And we will also move your site and switch it to HTTPS:// for you. Get your Hosting with SSL Included at:

https://www.icdsoft.com/en/hosting/usa#/sharedplans

I started working in the web hosting business in 2004. My other interests are mountain biking, fine woodworking and raising my kids to be good persons.