22, May 2020
SSL/HTTPS School 2 out of 3 – “What types of SSL-certificates are there, and which should we use?”
This is the second out of three posts in our campaign to raise awareness and knowledge about SSL-certificates and HTTPS.
In the first post, we discussed the basics of SSL/HTTPS. Our conclusion was that using SSL-certificates has gone from being an exception to becoming a rule. Read the first one here.
In this post, we will be giving you the basics of which kinds of certificates there are, and why those differences actually are important.
Different types of SSL-certificates
People usually speak of three levels of SSL-certificates: DV, OV and EV. However, not having an SSL-certificate is also a state that has to be included in the discussion in order to fully understand the value of using SSL-certificates altogether.
It is important to note that the three levels of SSL-certificates do not differ in the encryption of the traffic they are intended to protect. What differs is the validation process carried out before the certificate is issued. The higher the level, the more rigorous the validation process has been. At the same time, the higher the level, the more confidence the visitor/user of the certificate gets from the brand.
- Having no certificate
Having no certificate on, for example, a website means that the flow of information between the visitor of the site and the web server on which the site is hosted is totally transparent. A good analogy is that not using an SSL-certificate is like putting a letter in the mail in a transparent envelope, enabling everyone to see its content.
- Domain Validation (DV)
This is the lowest of all validations, meaning it is the easiest to obtain. The validation consists of the issuing certificate authority verifying that a contact at the domain in question approves the certificate request. This is usually done by email, but can also be done via alternate methods. The sole benefits are a speedy validation and a relatively low cost. The drawbacks are a higher risk of phishing and “man in the middle” attacks. Some issuers have gone as far as not issuing DV-certificates, due to a belief that the drawbacks of issuing domain validated certificates far outweigh the benefits.
- Organization Validation (OV)
OV-certificates are the level above DV-certificates. As the name implies, the validation process for an OV-certificate is more rigorous than for a DV-certificate and includes verifying the organisation behind the request. This is usually done by first carrying out the steps of the DV validation process, and then adding a vetting of the requesting organisation, beyond the domain in question. This information is then displayed on the certificate, making the ownership of the certificate more transparent and the site more trustworthy.
- Extended Validation (EV)
As the name implies, the validation process for an EV-certificate is the most rigorous of the three. EV-certificates take a bit longer to issue, but for organisations that want to achieve the highest level of trust possible for their visitors, using an EV-certificate is a must. Most EV-certificates also come with bundled additional services such as malware scanning and trust badges. These add-ons can be highly valuable when launching a new brand or site, or when expanding into a new market, as they add trust from already established and trusted players in the online space. Nowadays you see an icon of a padlock. If a visitor clicks on the padlock, the organisation's name and country will be shown as a validation of the EV-certificate in use.
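Because the level is recorded in the certificate rather than in the encryption, it can be read back from the certificate itself. The following is an added example, not Ports Group code: it classifies a certificate given as a dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()`. The `policy_oids` parameter is a hypothetical input (the certificatePolicies OIDs, extracted by the caller), and the subject-field fallback is a heuristic based on the CA/Browser Forum subject profiles.

```python
# CA/Browser Forum policy OIDs a CA places in the certificatePolicies
# extension to state which validation it performed (checked highest first).
CABF_POLICY_LEVEL = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.1": "DV",
}
# Subject attributes that are only present after EV organisation vetting.
EV_SUBJECT_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

def subject_fields(cert):
    """Flatten the nested RDN tuples of cert['subject'] into one dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def validation_level(cert, policy_oids=()):
    """Return 'none', 'unknown', 'DV', 'OV' or 'EV' for a parsed certificate."""
    if cert is None:                  # the server presented no certificate
        return "none"
    for oid, level in CABF_POLICY_LEVEL.items():
        if oid in policy_oids:        # explicit statement by the CA wins
            return level
    fields = subject_fields(cert)
    if not fields:                    # e.g. dict left empty by an unverified handshake
        return "unknown"
    # Heuristic: DV subjects carry no organisation; EV subjects carry the
    # extra registration attributes on top of the organisation name.
    if "organizationName" not in fields:
        return "DV"
    if EV_SUBJECT_FIELDS.issubset(fields):
        return "EV"
    return "OV"

# Constructed samples in getpeercert() shape (not real certificates).
DV_CERT = {"subject": ((("commonName", "shop.example"),),)}
OV_CERT = {"subject": ((("countryName", "SE"),),
                       (("organizationName", "Example AB"),),
                       (("commonName", "shop.example"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "SE"),),
                       (("serialNumber", "000000-0000"),),
                       (("organizationName", "Example AB"),),
                       (("commonName", "shop.example"),))}

if __name__ == "__main__":
    for label, cert in (("dv", DV_CERT), ("ov", OV_CERT), ("ev", EV_CERT)):
        print(label, "->", validation_level(cert))
```

The policy OID is the CA's own statement of the level; the subject-field check is only a fallback for when the extension is not available to the caller.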
When it comes to which certificate is most appropriate for your particular needs, one size does NOT fit all (unfortunately). The choice of certificate depends on a number of factors. On an external website, for example, it might be a good idea to use an SSL-certificate of the highest level, an EV-certificate (Extended Validation), in order to gain the most trustworthiness possible for your site and your brand. For other purposes, where the encryption itself is the only thing of importance, a lower level of validation might suit your needs. At Ports Group, we have the experience and expertise to guide you in your choice of certificates, and the safe management of your certificate portfolio.
Want to check if you have an SSL-certificate?
We have implemented a free analysis tool named besafe.online. The tool primarily checks your site for an SSL-certificate, but also provides additional information related to the security of a site, for example whether the site has DNSSEC and DMARC implemented.
In the next part of the SSL/HTTPS-school
In the next and final post, we will be talking about the perhaps least discussed aspect of SSL-certificates:
"How to safely manage them in order to avoid potentially business critical consequences"