What is an SSL certificate?
A short history of SSL
The SSL protocol was introduced back in 1996 to secure, with strong encryption, the connection between a website's visitors and the server hosting the website. It was developed and improved over the years before eventually being replaced by its successor, TLS; however, the term SSL is still commonly used when people refer to the security protocol.
SSL certificates come in many shapes and forms. For internet purposes, there are three main types, distinguished by how the request to issue the certificate is validated.
It is often assumed that SSL is only needed when a visitor sends information through the website, for example when logging in or submitting a form, but SSL protects both directions. A website secured with SSL prevents others from reading what a user transmits to the website, and it also prevents anyone from tampering with information sent to or from the website before it reaches its intended destination. An SSL certificate should be considered an essential part of any commercial website's security policy.
Types of SSL certificate
Domain Validation (DV) is suitable for non-public websites. Validation consists of a check that the applicant also administers the domain for which the certificate is requested. DV certificates are mostly used for personal, non-commercial websites, or for private domains used for testing purposes.
For public websites without a commercial aim or government function, an Organisation Validation (OV) certificate is often the right solution. Not only is ownership of the domain checked, but the company details are also validated before the certificate is issued. Those company details are included in the certificate and can be inspected in most browsers.
An Extended Validation (EV) certificate is the best option for commercial websites such as web shops and banks, and is also used by government agencies. This type of validation requires an extensive check of the company details against a public register, such as the Business Register of the Chamber of Commerce. Once the certificate is installed, the company details are shown in the certificate details available in the browser.
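The three types differ in which identity fields the CA places in the certificate subject. The following is an added example, not code from the original page: it reads the subject in the shape Python's `ssl.SSLSocket.getpeercert()` returns and classifies it. The DV/OV/EV rule is a heuristic of this example, the sample subjects are constructed, and the EV field names follow the CA/Browser Forum EV guidelines as exposed through OpenSSL's long attribute names.

```python
"""Inspect a certificate subject, in the shape ssl.SSLSocket.getpeercert()
returns (a tuple of RDNs, each a tuple of (attribute, value) pairs using
OpenSSL's long names), to see which validation level the CA performed."""
import socket
import ssl

# Fields the EV guidelines require: business category, the registration
# number (serialNumber) and the jurisdiction the company is registered in.
EV_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def inspect_subject(subject):
    """Return the validation level and the identity details a browser would show.

    Heuristic: organisation fields mean OV, the EV fields mean EV, else DV.
    The authoritative EV marker is the CA's EV policy OID in the
    certificatePolicies extension, which getpeercert() does not expose.
    """
    fields = {attr: value for rdn in subject for attr, value in rdn}
    if EV_FIELDS.issubset(fields):
        level = "EV"
    elif "organizationName" in fields:
        level = "OV"
    else:
        level = "DV"
    return {
        "level": level,
        "domain": fields.get("commonName"),
        "organisation": fields.get("organizationName"),
        # Only EV ties serialNumber to an entry checked in a public register.
        "registration_number": fields.get("serialNumber") if level == "EV" else None,
        "jurisdiction": fields.get("jurisdictionCountryName"),
    }


def inspect_server(host, port=443, timeout=5):
    """Fetch a live server's certificate and inspect it (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return inspect_subject(tls.getpeercert()["subject"])


# Constructed sample subjects in getpeercert() shape; not real certificates.
DV_SUBJECT = ((("commonName", "www.example.test"),),)
OV_SUBJECT = ((("countryName", "NL"),), (("localityName", "Amsterdam"),),
              (("organizationName", "Example B.V."),), (("commonName", "www.example.test"),))
EV_SUBJECT = ((("jurisdictionCountryName", "NL"),), (("businessCategory", "Private Organization"),),
              (("serialNumber", "12345678"),)) + OV_SUBJECT  # constructed registration number
```

Calling `inspect_server("your-host")` shows the same fields a browser's certificate viewer presents, with the registration number only reported when the EV identity fields are present.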
Legislation regarding SSL
The Dutch Personal Data Protection Act states that any transmission of personal data over the internet must be secured. The Dutch Data Protection Authority (the Dutch DPA) supervises compliance with this law and can impose fines of up to €4,500 for violations. Apart from this fine, the defaulting company also risks being held financially liable for any damages.
In 2018, the General Data Protection Regulation (GDPR) will come into effect. This European law is slated to replace the Dutch Personal Data Protection Act. Once it applies, the Dutch DPA will fall under the direct management of the European Data Protection Authority (DPA). The rules for carrying out a privacy-risk investigation will become stricter, and visitors to a website must give explicit consent for the processing of their personal data. Violations can be met with fines of up to 20 million euros (or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher).
Frequently asked questions
About SSL certificates
- What is a common name?
- What is a private key and what is a public key?
- What is a wildcard certificate?
- What is an intermediate certificate?
- What is a root certificate?
- What is SNI and when do I need it?
- What are cipher suites?
- What is HTTP Strict Transport Security (HSTS)?
- What is OCSP?
- How does file approver work?