Why Your Enterprise Needs a TLS/SSL Certificate
Let’s say you visit two different sites, one after the other. The first one comes with an HTTPS URL and a green padlock sign next to it. The second one doesn’t have any of this – it is a URL starting with HTTP, and the first thing you see is a page with the message ‘This website may not be secure.’ You need to scroll down and open the additional options dropdown before you can even proceed to the actual page. Which website is more likely to give you a better impression of the organization running it?
It isn’t a trick question – the answer is clearly the first one, and the key to making it the preferred choice is a TLS/SSL certificate. As of May 2024, over 295 million SSL certificates have been issued. 96% of the browsing time on Chrome is spent over secure HTTPS pages with that now-famous green padlock.
Understanding SSL Certificates
A good place to start is defining what a TLS/SSL certificate is. We’ll begin with SSL, which is short for Secure Sockets Layer. An SSL certificate is a small data file installed on a website’s origin server that digitally binds a cryptographic key to an organization’s details. It involves two different keys:
- A public key, used to encrypt user data
- A private key, which decrypts that data back into its original readable form and resides only with the owner of the website
These two keys combine to create secure communications between the website, host or server and the end users connecting to it (which could also be machines in today’s VM era). TLS, short for Transport Layer Security, is simply an evolution of this cryptographic protocol. Over the years, after SSL 3.0, we have seen TLS 1.0, 1.1 and 1.2 before settling on TLS 1.3 in August 2018, a protocol that brings new security features and a faster TLS handshake. In the interest of brevity, we’ll refer to these as SSL certificates henceforth.
There are many benefits to getting an SSL certificate for your website:
- It provides stronger security through the 256-bit encryption and 2048-bit RSA keys used in SSL, shielding your website from security threats, breaches, and identity theft.
- Google prefers sites with SSL certificates, so having one gives you enhanced SEO that makes your website show up higher on searches.
- Users now see the added s in https and the green padlock as trust indicators, so obtaining an SSL certificate leads to improved user trust.
- And finally, should your organization have to deal with regulations like GDPR and HIPAA, SSL certificates are a must for compliance with data protection regulations.
SSL certificates are issued by Certificate Authorities (CAs), which must meet a myriad of requirements (security, audit requirements, liability, data privacy & confidentiality, etc.) to operate as a CA. They must undergo annual audits to maintain their CA status (in India, this check is done by the Public Key Infrastructure of India) and follow the CA/Browser Forum baseline requirements. Roughly 90% of all SSL certificates out there are issued by six authorities, headlined by IdenTrust (formerly DigiCert), Sectigo (formerly Comodo & WoSign), Entrust, etc.
Choosing the Right Validation Level: Understanding DV, OV, and EV Certificates
It is a foregone conclusion that your organization should have a TLS/SSL certificate. But which one? There are several out there, which we’ll go into later on. To get to this decision, there are three things you should consider. Firstly, what level of validation do you seek? This is linked to the function and operational objectives of your website. Some questions your enterprise IT teams may wish to delve into at this stage include:
- Is it for internal or public use?
- What is the user base, and how will they use it?
- What are the systems impacted? (OS, servers, etc.)
Secondly, once that is clarified, how many domains and subdomains do you wish to secure? Finally, and this is equally important, what is your budget? If budget weren’t a consideration, we’d suggest extended validation (EV) for every site you wish to build, because this is the most secure validation level. But we understand business realities, and the truth is that not all use cases require this level of certificate.
Let’s look at the different SSL certificates based on the type of validation:
Domain Validation (DV) Certificates
What is it? These certificates are best for those seeking cost-effective security with no need to establish site-visitor trust, because visitors can’t verify through a DV whether the business is legitimate. It provides elementary protection with no signals or ties to your organization. Multiple reports estimate that 70-90% of SSL certificates are DVs, because it is the cheapest option and takes the least time to set up.
Yet it is important to state here that these certificates aren’t fully secure. Any hacker can obtain one and hide their identity. In fact, over 90% of all phishing websites have SSL certificates, and a majority of them are DVs. It is important not to collect users’ personal information or conduct transactions on a site that relies on this certificate. In fact, it is best to adopt these certificates mainly for internal use.
How do you get one? These certificates can be issued within minutes, as they simply require proof of domain ownership through any of these three types of verification:
- Email verification, which involves the CA sending you an email and you verifying by clicking a link.
- DNS verification, where ownership is validated through the domain’s DNS records, the text records that map each domain to its IP addresses.
- HTTP verification, by creating and saving a text file in the public web root of the domain in question.
Once it is issued, it will enable HTTPS and display a green padlock symbol in your users’ browsers.
Use Cases:
- Internal sites
- Test servers
- Test domains
Organizational Validation (OV) Certificates
What is it? These certificates go one step further than DVs in that they verify both the existence of an organization and its ownership of the domain name. While they build a moderate level of trust among site visitors, they are recommended for public use only if no sensitive information is being collected.
How do you get one? These certificates can take anywhere from a few hours to a few days, depending on the CA you choose. To get an OV certificate, you need to fulfil these validation requirements:
- Organization Authentication
- Domain Verification
- Locality Presence
- A Final Verification Call before Issuance of Certificate
Through this, the CA obtains details like your company name, location, address and incorporation information before completing verification.
Use Cases:
- Web mail for internal communication
- Local intranets
- Informative/educational public-facing websites that don’t take any sensitive details from the visitor
Extended Validation (EV) Certificates
What is it? The cream of the crop. These certificates offer the highest level of authentication to safeguard your brand and protect your users. They are the industry standard when it comes to encrypting sensitive data and achieving maximum levels of identity assurance, and over half of the top 400 eCommerce sites in the world use them. It is very difficult to impersonate an EV-certified website, and there is virtually zero chance of identity-spoofing attacks.
These are essential for large businesses and eCommerce websites, indicating to the visitors that the site is serious about protecting customer data. Yet only 0.1% of SSL-enabled websites out there have EV certification, and a lot of this has to do with the high costs and the numerous steps required to set it up.
How do you get one? These certificates require the most stringent validation requirements:
- Enrolment Forms
- Organizational Authentication
- Operational Existence Confirmation
- Domain Authentication
- Employment & Authority Verification
- A Final Verification Call before the certificate is issued
An EV certificate can take anywhere from a few days to a couple of weeks to issue, as it involves a strict vetting process fortified by 10 years of real-world application. It triggers web browsers to display a green address bar that also includes the name of the organization that owns the domain. The name of the CA is also displayed.
Use Cases:
- eCommerce websites
- Login pages
- Any financial services website that conducts online transactions
- Any site that obtains highly sensitive information from its users
After you have settled on the type of validation you require, it’s time to quantify your particular website in terms of the domains and subdomains to be secured. Here are the different types of certificates based on this classification:
- Single-domain certificates cover one single host name. (Ex. https://www.ivaluegroup.com)
- Wildcard certificates secure an unlimited number of subdomains under the same name. (Ex. www.ivaluegroup.com & login.ivaluegroup.com)
- Multi-domain certificates allow users to protect up to 100 domains with 1 certificate. (Ex. www.ivaluegroup.com & www.ivalue.com)
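The coverage rules above, as an added example that is not part of the original article: a small Python check that tests whether a host name is covered by a certificate’s DNS names (exact, wildcard, or multi-domain SAN list) and, from the subject fields, whether the certificate is DV or OV/EV as described in the validation sections. The certificate dicts mimic the shape of Python’s ssl getpeercert() output and are constructed samples; the example goes slightly beyond the list above in showing that a wildcard covers only one subdomain label and not the bare domain.

```python
# Added example (not from the article). Certificate dicts follow the shape of
# ssl.SSLSocket.getpeercert() and are constructed samples, not real certificates.
# Wildcard matching follows the one-label rule browsers apply (RFC 6125).

def san_dns_names(cert):
    """DNS entries from a getpeercert()-style subjectAltName tuple."""
    return [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, host):
    """True if host is covered by pattern (an exact name or a *.domain wildcard)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host  # single-domain entry: exact match only
    # A wildcard covers exactly one label: *.example.com matches
    # www.example.com but neither example.com nor a.b.example.com.
    p_labels, h_labels = pattern.split("."), host.split(".")
    return (len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:]
            and h_labels[0] not in ("", "*"))

def covers(cert, host):
    """Does any DNS SAN entry of the certificate cover this host name?"""
    return any(name_matches(p, host) for p in san_dns_names(cert))

def validation_level(cert):
    """DV subjects carry only a commonName; OV and EV add the vetted organization.
    EV is marked by a certificate-policy OID that getpeercert() does not expose,
    so OV and EV are reported together here."""
    attrs = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    return "OV/EV" if attrs.get("organizationName") else "DV"

# Constructed samples: a wildcard DV certificate and a multi-domain OV certificate.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.ivaluegroup.com"),),),
    "subjectAltName": (("DNS", "*.ivaluegroup.com"),),
}
MULTI_DOMAIN_CERT = {
    "subject": ((("countryName", "IN"),), (("organizationName", "Example Org"),),
                (("commonName", "www.ivaluegroup.com"),)),
    "subjectAltName": (("DNS", "www.ivaluegroup.com"), ("DNS", "ivaluegroup.com"),
                       ("DNS", "www.ivalue.com")),
}

if __name__ == "__main__":
    for host in ("www.ivaluegroup.com", "login.ivaluegroup.com",
                 "ivaluegroup.com", "a.login.ivaluegroup.com", "www.ivalue.com"):
        print(f"{host:26} wildcard={covers(WILDCARD_CERT, host)!s:5} "
              f"multi-domain={covers(MULTI_DOMAIN_CERT, host)}")
    print("levels:", validation_level(WILDCARD_CERT), validation_level(MULTI_DOMAIN_CERT))
```

Note that the wildcard certificate does not cover the bare ivaluegroup.com, so a site served on both the apex and www typically needs the apex listed as a separate SAN entry.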
Overall, it’s not just about getting an SSL certificate. That is a must-have, for sure, but it’s also about selecting the right one. Failure to do that could lead to an erosion of customer trust, higher chances of breach and a lower rate of transactions, all of which contribute to a negative bottom line.
Thankfully, we are experts in facilitating TLS/SSL certificate types for enterprise environments! Get in touch with us to get started on a safer web journey.