SSL in a Nutshell

Comment(s)

Clients frequently ask us for Secure Socket Layer (SSL) certificate recommendations. There seems to be a lot of confusion surrounding SSL – everything from why they’re needed, how they work, what they do and how to install them. Let me demystify some misconceptions and answer common questions in today’s post so that you walk away with a better understanding of SSL in general.

Why SSL is Necessary for eCommerce Stores

More and more online shoppers are becoming keenly aware of the affects of identity theft, and thus most know to look for a secure connection when shopping online. Without a secure connection, you run the risk of losing customers. Shoppers want to know that the website they’re on is safe and can be trusted before they give out personal information or complete a transaction. SSL provides that security both visually in the browser and functionally behind the scenes.

How SSL Works

I’m a visual person, so I found this graphical representation of SSL to be very helpful in understanding what’s going on behind the scenes without getting too far in the weeds with technical jargon. (Thanks to the folks at enom.com for this.)

Who’s who in the SSL world?

There are many providers out there, but three main players lead the SSL world: Verisign, Comodo, and GeoTrust. I’m confident you’ve at least seen or heard of at least one of these players. All three are perfectly fine and trustworthy providers. We have have not had a problem using any of these three providers with our customers at Elas. Choosing an SSL provider should be based on client-specific needs, so I recommend you check out this article at eHow for some tips on selecting a provider.

What is extended validation (EV)?

Think of EV as an add-on for SSL. EV is what triggers the address bar to turn green in some browsers while on a secure site. Not all browsers do the same thing, but each browser has some special visual element that indicate you are on a site with an SSL that has extended validation. Studies have shown EV to be very effective in building trust with customers. However, EV doesn’t come cheap. You can expect to pay at least $450/year for a quality certificates with EV.

OK, so why are some way cheaper than others?

The cost of certificates varies quite a bit depending on a number of factors such as how the certificate is validated, warranty coverage, wildcard certs, brand, etc. The leading driver of cost difference is how validation occurs. There are two main ways to validate a certificate.

By domain. Only verify the domain ownership of the purchaser, and thus have much faster turnaround times since none of the additional information needs to be verified. Sometimes available for implementation within minutes.
By organization & extended validation. Requires the certificate authority (the company issuing the certificate, such as GeoTrust or VeriSign) to verify the purchaser’s business and their authority to purchase a certificate on behalf of that company. These are considered higher assurance certificates and are generally perceived as more trustworthy.

What benefit is there to purchasing a higher assurance certificate?

Low assurance certificates that perform domain-only verification encrypt just the connection. Higher assurance certificates perform the same encryption and provide peace of mind to customers by assuring them that the entire site belongs to a legitimate business.

There you have it – SSL in a nutshell! This is by no means an exhaustive dissertation, but it should equip you with a working knowledge of the SSL technology that is a necessity with today’s ecommerce sites. We’d enjoy any comments or feedback from your own SSL experience and expertise. Cheers!